
{
"Event": {
"analysis": "0",
"date": "2019-01-14",
"extends_uuid": "",
"info": "2019-01-10: North Korea Lazarus Targeting REDBANC",
"publish_timestamp": "1547585139",
"published": true,
"threat_level_id": "2",
"timestamp": "1547585075",
"uuid": "5c3c4a6d-15f0-4133-baff-3c2c68f8e8cf",
"Orgc": {
"name": "VK-Intel",
"uuid": "5bfa439e-c978-4dcd-b474-73f568f8e8cf"
},
"Tag": [
{
"colour": "#e0b538",
"name": "Actor: Lazarus"
},
{
"colour": "#421b85",
"name": "Ruse: Job Application"
},
{
"colour": "#2133c6",
"name": "Powershell"
},
{
"colour": "#7a0e9f",
"name": "PowerRatankba"
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Trusted Relationship - T1199\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Scripting - T1064\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Scheduled Task - T1053\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Windows Management Instrumentation - T1047\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"New Service - T1050\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data from Local System - T1005\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data Encoding - T1132\""
},
{
"colour": "#8aec22",
"name": "report:5ZvWjgDgRhuD1zVgDT7-cg"
}
],
"Attribute": [
{
"category": "Payload installation",
"comment": "Malware Hash",
"deleted": false,
"disable_correlation": false,
"timestamp": "1547455129",
"to_ids": true,
"type": "sha256",
"uuid": "5c3c4a99-8830-4833-81d5-3c3068f8e8cf",
"value": "f12db45c32bda3108adb8ae7363c342fdd5f10342945b115d830701f95c54fa9"
},
{
"category": "Payload installation",
"comment": "Malware Hash",
"deleted": false,
"disable_correlation": false,
"timestamp": "1547455129",
"to_ids": true,
"type": "sha256",
"uuid": "5c3c4a99-9a68-4e6c-a9a4-3c3068f8e8cf",
"value": "0f56ebca33efe0a2755d3b380167e1f5eab4e6180518c03b28d5cffd5b675d26"
},
{
"category": "Network activity",
"comment": "C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1547477647",
"to_ids": true,
"type": "url",
"uuid": "5c3ca28f-cb88-44d1-a7ce-382d68f8e8cf",
"value": "https://ecombox.store"
},
{
"category": "Payload installation",
"comment": "apt_possible_lazarus_powerratankba_b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1547479055",
"to_ids": true,
"type": "yara",
"uuid": "5c3ca80f-b398-47e5-b633-124a0a640c05",
"value": "rule apt_possible_lazarus_powerratankba_b {\r\n meta:\r\n description = \"Detects possible Lazarus PowerRatankba.B from Redbanc\"\r\n author = \"@VK_Intel\"\r\n date = \"2019-01-15\"\r\n hash1 = \"db8163d054a35522d0dec35743cfd2c9872e0eb446467b573a79f84d61761471\"\r\n strings:\r\n $f0 = \"function EncryptDES\" fullword ascii\r\n $s0 = \"$ProID = Start-Process powershell.exe -PassThru -WindowStyle Hidden -ArgumentList\" fullword ascii\r\n $s1 = \"$respTxt = HttpRequestFunc_doprocess -szURI $szFullURL -szMethod $szMethod -contentData $contentData;\" fullword ascii\r\n $s2 = \"$cmdSchedule = 'schtasks /create /tn \\\"ProxyServerUpdater\\\"\" ascii\r\n $s3 = \"/tr \\\"powershell.exe -ep bypass -windowstyle hidden -file \" ascii\r\n $s4 = \"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\tmp' + -join \" ascii\r\n $s5 = \"$cmdResult = cmd.exe /c $cmdInst | Out-String;\" fullword ascii\r\n $s6 = \"whoami /groups | findstr /c:\\\"S-1-5-32-544\\\"\" fullword ascii\r\n condition:\r\n filesize < 500KB and $f0 and 2 of ($s*) \r\n}"
},
{
"category": "Payload installation",
"comment": "Powershell Agent & PowerRatankba",
"deleted": false,
"disable_correlation": false,
"timestamp": "1547493833",
"to_ids": true,
"type": "sha256",
"uuid": "5c3ce1c9-39e4-4b59-90e4-5a350a640c05",
"value": "a1f06d69bd6379e310b10a364d689f21499953fa1118ec699a25072779de5d9b"
},
{
"category": "Payload installation",
"comment": "Powershell Agent & PowerRatankba",
"deleted": false,
"disable_correlation": false,
"timestamp": "1547493833",
"to_ids": true,
"type": "sha256",
"uuid": "5c3ce1c9-4d80-470f-9cfc-5a350a640c05",
"value": "20d94f7d8ee2c4367443a930370d5685789762b1d11794810dc0ac6c626ad78e"
},
{
"category": "Network activity",
"comment": "URL C2 backup",
"deleted": false,
"disable_correlation": false,
"timestamp": "1547493895",
"to_ids": true,
"type": "url",
"uuid": "5c3ce207-b7f0-468f-8e5a-5a330a640c05",
"value": "https://bodyshoppechiropractic.com"
}
]
}
}