{
"Event": {
"analysis": "2",
"date": "2021-02-20",
"extends_uuid": "",
"info": "OSINT - IronNetInjector: Turla\u2019s New Malware Loading Tool",
"publish_timestamp": "1613840000",
"published": true,
"threat_level_id": "2",
"timestamp": "1613811965",
"uuid": "1edd5ee1-7c91-4233-840a-6c419d6afc62",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": "0",
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#0087e8",
"local": "0",
"name": "osint:certainty=\"50\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613811034",
"to_ids": true,
"type": "pdb",
"uuid": "191d97b2-d7ea-49cb-a19a-2f560bc94b3b",
"value": "%USERPROFILE%\\source\\repos\\c4\\agent\\build\\_tools\\agent\\_dll\\_to\\_Python\\_loader\\NetInjector\\NetInjector\\obj\\Release\\NetInjector.pdb"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "d9c8070f-ea2b-47e8-ae78-30a1f85a788c",
"value": "a56f69726a237455bac4c9ac7a20398ba1f50d2895e5b0a8ac7f1cdb288c32cc"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "f4642726-7d3a-4f77-ac23-59c220678eb0",
"value": "63d7695dabefb97aa30cbe522647c95395b44321e1a3b08b8028e4000d1be15e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "7218aec5-416f-438e-936a-1ba1f92ab346",
"value": "b095fd3bd3ed8be178dafe47fc00c5821ea31d3f67d658910610a06a1252f47d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "25def1c1-4edf-46dd-b831-d21ae46b1a48",
"value": "3aa37559ef282ee3ee67c4a61ce4786e38d5bbe19bdcbeae0ef504d79be752b6"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "3e136590-6d34-418c-9896-78defc1c3f1c",
"value": "a62e1a866bc248398b6abe48fdb44f482f91d19ccd52d9447cda9bc074617d56"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "8c99b060-e98f-4903-a660-9b179da4f06b",
"value": "c1b8ecce81cf4ff45d9032dc554efdc7a1ab776a2d24fdb34d1ffce15ef61aad"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "103f647f-76fc-4698-8193-2c29df55f26e",
"value": "c59fadeb8f58bbdbd73d9a2ac0d889d1a0a06295f1b914c0bd5617cfb1a08ce9"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "00f2f454-0978-43f9-9dd8-55d407f1c190",
"value": "82333533f7f7cb4123bceee76358b36d4110e03c2219b80dced5a4d63424cc93"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "8389a593-98d2-4ae2-ae3a-3efbe519672a",
"value": "ba17af72a9d90822eed447b8526fb68963f0cde78df07c16902dc5a0c44536c4"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "c803c285-7b5e-41a2-8039-4cf867cc0cd3",
"value": "8df0c705da0eab20ba977b608f5a19536e53e89b14e4a7863b7fd534bd75fd72"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "eeeffb3a-b92e-43d8-a954-60e99fd478d4",
"value": "18c173433daafcc3aea17fc4f7792d0ff235f4075a00feda88aa1c9f8f6e1746"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "490b1de9-53aa-4776-81fb-3ddd8f226dbf",
"value": "a64e79a81b5089084ff88e3f4130e9d5fa75e732a1d310a1ae8de767cbbab061"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "61288f48-9193-4986-942d-8186dc5832c3",
"value": "c430ebab4bf827303bc4ad95d40eecc7988bdc17cc139c8f88466bc536755d4e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "c01c2b14-2df0-48be-a8b9-151d1eb6cabb",
"value": "b641687696b66e6e820618acc4765162298ba3e9106df4ef44b2218086ce8040"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "ee49fa56-c0d1-4cf6-bd09-2a7c41e82812",
"value": "b5b4d06e1668d11114b99dbd267cde784d33a3f546993d09ede8b9394d90ebb3"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613811114",
"to_ids": true,
"type": "pdb",
"uuid": "1af7dfc6-d905-4932-aa29-6e8b580c1419",
"value": "F:\\Dev\\NetInjector\\bin\\Release\\NetBootstrapper\\_Win32.pdb"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1613811020",
"to_ids": true,
"type": "pdb",
"uuid": "f77b67e3-040f-43c6-b27f-7b3adb17acbc",
"value": "F:\\Dev\\NetInjector\\bin\\Release\\NetBootstrapper\\_x64.pdb"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Metadata used to generate an executive level report",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "2",
"timestamp": "1613810873",
"uuid": "b380f86c-fab0-4725-9f44-75c0066c3443",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1613810873",
"to_ids": false,
"type": "link",
"uuid": "4f7c4a75-b3d0-4141-a0d5-1ab8216f1ff7",
"value": "https://unit42.paloaltonetworks.com/ironnetinjector/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1613810873",
"to_ids": false,
"type": "text",
"uuid": "5e9d4958-9976-4f9d-a7e6-25b1268356d3",
"value": "In recent years, more and more ready-made malware is released on software development hosting sites available for everybody to use \u2013 including threat actors. This not only saves the bad guys development time, but also makes it much easier for them to find new ideas to prevent detection of their malware.\r\n\r\nUnit 42 researchers have found several malicious IronPython scripts whose purpose is to load and run Turla\u2019s malware tools on a victim\u2019s system. The use of IronPython for malicious purposes isn\u2019t new, but the way Turla uses it is new. The overall method is known as Bring Your Own Interpreter (BYOI). It describes the use of an interpreter, not present on a system by default, to run malicious code of an interpreted programming or scripting language.\r\n\r\nThe first malicious IronPython scripts of the tool we describe here were discovered last year by a security researcher from FireEye. At the beginning of this year, another security researcher from Dragos pointed out some new scripts of the same threat actor uploaded to VirusTotal from two different submitters. We found that one of the submitters also uploaded two other samples, which are most likely embedded payloads of one of the IronPython scripts. These samples helped us to understand how this tool works, what malware it loads and which threat actor uses it.\r\n\r\nWhile the IronPython scripts are only the first part of the tool, the main task of loading malware is done by an embedded process injector. We dubbed this toolchain IronNetInjector, the blend of IronPython and the injector\u2019s internal project name NetInjector. In this blog, we describe the IronPython scripts and how they\u2019re used to load one or more payloads with the help of an injector.\r\n\r\nPalo Alto Networks customers are protected from this threat through WildFire and Cortex XDR. AutoFocus customers can investigate this activity with the tag \u201cIronNetInjector\u201d."
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811963",
"uuid": "b98e2b87-92d7-423a-ab0c-c2b959ed1531",
"ObjectReference": [
{
"comment": "",
"object_uuid": "b98e2b87-92d7-423a-ab0c-c2b959ed1531",
"referenced_uuid": "c344702e-a806-4c8f-b775-73df55233630",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "09806fa8-53a9-464d-857b-73dd70ebe3a5"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "113fce15-61f2-49fa-bfbb-26aaa77a2aad",
"value": "0674e34d0b01e1c71e4666da1f3b589f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "40c270cc-ff02-47d6-8bff-b1657cc680eb",
"value": "0133512142805b89b5a86dfa67a82aaedbbab69c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "3bef1341-4c92-441a-8817-1dc4d148e8eb",
"value": "b641687696b66e6e820618acc4765162298ba3e9106df4ef44b2218086ce8040"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811964",
"uuid": "c344702e-a806-4c8f-b775-73df55233630",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "953df01c-4d2e-450a-afd9-d31ece971d4f",
"value": "2021-02-19T19:36:11+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "bbfdefe0-60e7-4bfc-a6fa-8491930fd0f8",
"value": "https://www.virustotal.com/gui/file/b641687696b66e6e820618acc4765162298ba3e9106df4ef44b2218086ce8040/detection/f-b641687696b66e6e820618acc4765162298ba3e9106df4ef44b2218086ce8040-1613763371"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "c6daa0ea-94a8-4656-88a2-9385e163db80",
"value": "7/59"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811964",
"uuid": "bb6d2897-d966-484f-a16e-ef0d4883382c",
"ObjectReference": [
{
"comment": "",
"object_uuid": "bb6d2897-d966-484f-a16e-ef0d4883382c",
"referenced_uuid": "0999e1c5-edb5-4951-bb60-8439a93b7d1f",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "905906a9-8e41-4f0a-9585-db1c1a31ef05"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "8fc9329d-1f61-4609-abe1-a240a5d0919c",
"value": "48f52e0c7aa72c2ccc5f5fcbd8e1290b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "dfffdfed-59f9-4cf2-95b6-14183d075222",
"value": "347f31769431ad70147e68fbb6bfa1e17fe283e9"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "58c2aa6f-202a-4909-9511-3b7f8a18bcd4",
"value": "b095fd3bd3ed8be178dafe47fc00c5821ea31d3f67d658910610a06a1252f47d"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811964",
"uuid": "0999e1c5-edb5-4951-bb60-8439a93b7d1f",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "a72d5d15-a703-44ee-85a8-3944ca8c30ee",
"value": "2021-02-19T18:04:13+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "d35f9f97-e4fd-47fb-bb91-0b848af5ed4c",
"value": "https://www.virustotal.com/gui/file/b095fd3bd3ed8be178dafe47fc00c5821ea31d3f67d658910610a06a1252f47d/detection/f-b095fd3bd3ed8be178dafe47fc00c5821ea31d3f67d658910610a06a1252f47d-1613757853"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "2d866758-093e-4856-bf2a-e758ce033f7c",
"value": "26/59"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811964",
"uuid": "9f5dc2c2-3bfc-4447-b9d6-01d1ece470b1",
"ObjectReference": [
{
"comment": "",
"object_uuid": "9f5dc2c2-3bfc-4447-b9d6-01d1ece470b1",
"referenced_uuid": "b267c9dd-a93a-485d-8669-f183f000e830",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "daf3264d-27a3-4182-b6e3-f3cd4d90da1c"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "2015a9a1-f8c1-4dfd-9aa4-64e72c7e9878",
"value": "f376bc51b1220e5fc520ce60762ac6ce"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "ea85804d-5418-4724-86d9-c439b75f8745",
"value": "3e65b2df40001253ad8d9a3430a597c7b028bae9"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "1244faf6-1cb0-4adc-af30-b3bdbbfbb84a",
"value": "a64e79a81b5089084ff88e3f4130e9d5fa75e732a1d310a1ae8de767cbbab061"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811964",
"uuid": "b267c9dd-a93a-485d-8669-f183f000e830",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "27d7b061-8f1c-45c8-a1e3-0664f11916e7",
"value": "2021-02-20T03:39:41+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "3370b374-bfa9-433e-b062-6c64666954d1",
"value": "https://www.virustotal.com/gui/file/a64e79a81b5089084ff88e3f4130e9d5fa75e732a1d310a1ae8de767cbbab061/detection/f-a64e79a81b5089084ff88e3f4130e9d5fa75e732a1d310a1ae8de767cbbab061-1613792381"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "ac3a1514-866c-4895-8133-d003a148510f",
"value": "48/70"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811964",
"uuid": "fd84b821-3908-4308-82c5-3e80414485c0",
"ObjectReference": [
{
"comment": "",
"object_uuid": "fd84b821-3908-4308-82c5-3e80414485c0",
"referenced_uuid": "8952247a-923b-45d0-aeb2-e205c1471a97",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "0d3bc751-2b79-4cde-9e02-f0a9d1d836c1"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "8ea94f5f-2ad3-4088-b588-a71f6325b7da",
"value": "9446059710c1869fc8aa9f0ef75d82f4"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "e23a718e-a396-4b99-a011-908f38fcb11d",
"value": "a91612cadaccc19d101710b0ae77151a7a1b043b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "209aab73-4653-4c6e-bfae-63426de9ba8d",
"value": "8df0c705da0eab20ba977b608f5a19536e53e89b14e4a7863b7fd534bd75fd72"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811964",
"uuid": "8952247a-923b-45d0-aeb2-e205c1471a97",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "a81ae9f3-97d4-4ace-8e64-c8e7e7370af4",
"value": "2021-02-19T18:04:19+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "30a8de8e-8eb2-4ace-855d-e74fcb54608d",
"value": "https://www.virustotal.com/gui/file/8df0c705da0eab20ba977b608f5a19536e53e89b14e4a7863b7fd534bd75fd72/detection/f-8df0c705da0eab20ba977b608f5a19536e53e89b14e4a7863b7fd534bd75fd72-1613757859"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "f099139a-13f7-46ba-918e-0492e4ca4340",
"value": "22/59"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811964",
"uuid": "ed5dc5f9-19a2-4c52-b860-6e397828864c",
"ObjectReference": [
{
"comment": "",
"object_uuid": "ed5dc5f9-19a2-4c52-b860-6e397828864c",
"referenced_uuid": "0628a0ba-1c51-4611-973f-127abfcbd35d",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "17472a77-bafd-4f5e-82ef-9f401e0bcff2"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "70a52887-9a96-451a-8682-984cf6468f65",
"value": "7fcd8d3fde761de1d894dcf87827dde3"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "23672d95-c2a4-476e-9e7d-44a0e882e09e",
"value": "f2284d4777d2b5d2faf33844084b94c9552d5294"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "b94364d4-c6e1-4444-842a-6edfdef13d0b",
"value": "a62e1a866bc248398b6abe48fdb44f482f91d19ccd52d9447cda9bc074617d56"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811964",
"uuid": "0628a0ba-1c51-4611-973f-127abfcbd35d",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "67b46cdc-27d2-4d07-9be9-e932cbbcde01",
"value": "2021-02-20T03:38:42+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "0091c69d-d04c-4879-aa0c-44616bf64e5a",
"value": "https://www.virustotal.com/gui/file/a62e1a866bc248398b6abe48fdb44f482f91d19ccd52d9447cda9bc074617d56/detection/f-a62e1a866bc248398b6abe48fdb44f482f91d19ccd52d9447cda9bc074617d56-1613792322"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "803cccf0-f675-4664-80b4-f907076d9238",
"value": "47/70"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811964",
"uuid": "f844e12e-96a5-4275-9a6a-4fb3f6ab5a1e",
"ObjectReference": [
{
"comment": "",
"object_uuid": "f844e12e-96a5-4275-9a6a-4fb3f6ab5a1e",
"referenced_uuid": "ad644c7f-4026-413d-b7fd-c7d9b092715c",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "b4b90211-ad2a-420b-918a-73bd06085094"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "8a55c305-c59c-421c-8695-6edb137982f3",
"value": "1777b81f3f87648b2344ea480bbcba65"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "098e3b1a-00c4-41d0-b6a4-1ad4d05057f8",
"value": "ae76df8def138b6d4c82984f7172ed5bba737e1b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "c1037107-2a6c-4c29-8880-89fdb18538fa",
"value": "c59fadeb8f58bbdbd73d9a2ac0d889d1a0a06295f1b914c0bd5617cfb1a08ce9"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811964",
"uuid": "ad644c7f-4026-413d-b7fd-c7d9b092715c",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "8b32b042-1ddb-443b-a4a7-0679753f79d1",
"value": "2021-02-20T09:03:32+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "ee58a958-335f-43e6-a69e-cd4a46551abc",
"value": "https://www.virustotal.com/gui/file/c59fadeb8f58bbdbd73d9a2ac0d889d1a0a06295f1b914c0bd5617cfb1a08ce9/detection/f-c59fadeb8f58bbdbd73d9a2ac0d889d1a0a06295f1b914c0bd5617cfb1a08ce9-1613811812"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "1ca876a3-9ff0-4392-84df-11ee11f2c491",
"value": "3/69"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811964",
"uuid": "9429ddde-5558-4980-b168-6adae4f881ee",
"ObjectReference": [
{
"comment": "",
"object_uuid": "9429ddde-5558-4980-b168-6adae4f881ee",
"referenced_uuid": "75ee7887-867a-44c9-99fa-c69874e6c3d2",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "8f864090-0997-4822-9827-4fa3418b9445"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "9ee8e1c3-5d9a-4697-9b15-97f93a69263b",
"value": "eff5881b4bf83386e26c451ff7c34a90"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "4be7aca8-1982-472f-b5c2-f778eff9b207",
"value": "d7a18413d8c2b2525a0c90aaa392bdaef377e2ec"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "4efeefd3-d530-49be-a6d7-70a6414fc5e2",
"value": "18c173433daafcc3aea17fc4f7792d0ff235f4075a00feda88aa1c9f8f6e1746"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811964",
"uuid": "75ee7887-867a-44c9-99fa-c69874e6c3d2",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "69cb8722-3339-4367-9f5f-19af913184b0",
"value": "2021-02-19T18:13:50+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "b864d0d7-71ef-4c0c-97a2-96d45559960f",
"value": "https://www.virustotal.com/gui/file/18c173433daafcc3aea17fc4f7792d0ff235f4075a00feda88aa1c9f8f6e1746/detection/f-18c173433daafcc3aea17fc4f7792d0ff235f4075a00feda88aa1c9f8f6e1746-1613758430"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "2e321a84-f066-4515-bc1e-ce0ddd84e98f",
"value": "43/70"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811964",
"uuid": "f4dd150b-bc46-4ca3-bfd4-6e9bbdf57a75",
"ObjectReference": [
{
"comment": "",
"object_uuid": "f4dd150b-bc46-4ca3-bfd4-6e9bbdf57a75",
"referenced_uuid": "d6e00d51-3e6b-4568-9cec-dd77c1c0de47",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "fd8106da-0f36-4818-8c3f-32a48d2cac1d"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "7f3babc3-9f0b-4041-9317-c5110ec1553a",
"value": "0ebe822e8c7ebb803ae5b6b74601c36f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "35b5a373-675f-48cf-acf3-ba15def8922c",
"value": "86681c0c9b171f1afef5b06104abe8abcf0c992e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "98231e9e-8ba2-4b84-8960-ace7615cdb63",
"value": "3aa37559ef282ee3ee67c4a61ce4786e38d5bbe19bdcbeae0ef504d79be752b6"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811964",
"uuid": "d6e00d51-3e6b-4568-9cec-dd77c1c0de47",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "fb9530c3-4758-49cb-a9e9-55a039df9dd8",
"value": "2021-02-19T18:02:33+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "a5e137aa-eb61-4524-9b88-4113cbe136bb",
"value": "https://www.virustotal.com/gui/file/3aa37559ef282ee3ee67c4a61ce4786e38d5bbe19bdcbeae0ef504d79be752b6/detection/f-3aa37559ef282ee3ee67c4a61ce4786e38d5bbe19bdcbeae0ef504d79be752b6-1613757753"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "324b299c-0c8c-4430-97b2-9fc02b095f97",
"value": "30/60"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811964",
"uuid": "cd640421-1b74-4819-80e6-1c92cf4344e4",
"ObjectReference": [
{
"comment": "",
"object_uuid": "cd640421-1b74-4819-80e6-1c92cf4344e4",
"referenced_uuid": "521e7905-f504-432c-ad34-54b87b7896b3",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "4d60404e-514f-43b7-b55c-ce3d0b35c0d8"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "2acf5157-a4b7-4d73-a8ac-b7b30e3c723d",
"value": "d672139849f9855bfb703fcaec020a2f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "25ffd605-b39e-4230-9bc4-eea7711a34f7",
"value": "7e138c1337a29868fddfa99f52dfe1de38e46c9e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "72717563-3369-40b9-a04c-fa61773d3cfe",
"value": "c1b8ecce81cf4ff45d9032dc554efdc7a1ab776a2d24fdb34d1ffce15ef61aad"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811964",
"uuid": "521e7905-f504-432c-ad34-54b87b7896b3",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "78473fdb-7413-479d-89f9-eaf44270cad9",
"value": "2021-02-19T19:37:27+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "e92bfb2d-804e-46e9-a1db-bea4af8058b4",
"value": "https://www.virustotal.com/gui/file/c1b8ecce81cf4ff45d9032dc554efdc7a1ab776a2d24fdb34d1ffce15ef61aad/detection/f-c1b8ecce81cf4ff45d9032dc554efdc7a1ab776a2d24fdb34d1ffce15ef61aad-1613763447"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "3809e013-1036-475c-b671-47e8a0b84008",
"value": "4/59"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811964",
"uuid": "0c0447cb-deb3-4606-b74e-5d016a305472",
"ObjectReference": [
{
"comment": "",
"object_uuid": "0c0447cb-deb3-4606-b74e-5d016a305472",
"referenced_uuid": "d03967cc-5531-4f85-9fd7-c89057ee0c22",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "64663b63-0c63-4aa3-af31-badc2acc92b7"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "a856cfa0-c225-4225-94be-405cf2cd4f6f",
"value": "b11d85844af9fa84bf84ff746557f0b5"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "3ba7094a-54fe-4376-9909-de8888a82a39",
"value": "44efacb89badadb486839165aba4d1ecdf3f047e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "0c942d0f-54f0-4bed-8bea-1d82cf6f21ae",
"value": "b5b4d06e1668d11114b99dbd267cde784d33a3f546993d09ede8b9394d90ebb3"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811964",
"uuid": "d03967cc-5531-4f85-9fd7-c89057ee0c22",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "5d7a76b9-f6f8-4e46-95ed-0b198b71976f",
"value": "2021-02-19T18:04:36+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "c1e70c66-59bc-4f40-a8cf-4564237a915d",
"value": "https://www.virustotal.com/gui/file/b5b4d06e1668d11114b99dbd267cde784d33a3f546993d09ede8b9394d90ebb3/detection/f-b5b4d06e1668d11114b99dbd267cde784d33a3f546993d09ede8b9394d90ebb3-1613757876"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "102ea680-2071-42f6-a95e-52d9a87163b0",
"value": "22/58"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811964",
"uuid": "0ad792f3-1b7b-4510-a584-a113276453bc",
"ObjectReference": [
{
"comment": "",
"object_uuid": "0ad792f3-1b7b-4510-a584-a113276453bc",
"referenced_uuid": "98cec741-7605-4ec0-8d35-7a8fa6037977",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "9dae3dcf-b5f8-4bc5-94d1-33862198bb9e"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "fce44e72-82c0-4707-bf3c-dc000ac26bad",
"value": "e46da9ab2096ebb33279a808f5a7ee77"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "56bab591-b146-4fc0-bf53-f8aca7fcda9b",
"value": "ad81f2f00f25cd0e45151d42d63c46db3ae39bed"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "579dfbfe-4194-439b-ab69-555dfbaef643",
"value": "a56f69726a237455bac4c9ac7a20398ba1f50d2895e5b0a8ac7f1cdb288c32cc"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811964",
"uuid": "98cec741-7605-4ec0-8d35-7a8fa6037977",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "ca73ed83-05f6-4bad-be26-36e0433048df",
"value": "2021-02-20T09:04:22+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "a4a46491-8771-4a52-8bd6-9bbc4477ae82",
"value": "https://www.virustotal.com/gui/file/a56f69726a237455bac4c9ac7a20398ba1f50d2895e5b0a8ac7f1cdb288c32cc/detection/f-a56f69726a237455bac4c9ac7a20398ba1f50d2895e5b0a8ac7f1cdb288c32cc-1613811862"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "9158f2ab-9d6c-48a9-b1d3-37e76f1d6c67",
"value": "40/70"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1613811965",
"uuid": "76c0248c-4198-4bea-b5d0-d33e7d28a020",
"ObjectReference": [
{
"comment": "",
"object_uuid": "76c0248c-4198-4bea-b5d0-d33e7d28a020",
"referenced_uuid": "ee307c62-c260-4da8-9d74-ceff7b11ea45",
"relationship_type": "analysed-with",
"timestamp": "1613811965",
"uuid": "677bd01b-6520-46a1-8756-4dbbcac28dc8"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1613810910",
"to_ids": true,
"type": "md5",
"uuid": "0d76897f-f845-4111-b7c0-e3ef91f1b365",
"value": "98ce8c41188fcc1a92d0a23569c3765c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha1",
"uuid": "9de52289-4101-4d81-a4f7-3ecc22536b14",
"value": "2920d5e6c579fce772e5506caf03af65579088bd"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1613810910",
"to_ids": true,
"type": "sha256",
"uuid": "c82f7295-3a96-4c4a-965a-75a342037240",
"value": "82333533f7f7cb4123bceee76358b36d4110e03c2219b80dced5a4d63424cc93"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1613811965",
"uuid": "ee307c62-c260-4da8-9d74-ceff7b11ea45",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1613810910",
"to_ids": false,
"type": "datetime",
"uuid": "85f958ed-446d-454f-8b88-4e47a82c063f",
"value": "2021-02-19T18:04:28+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1613810910",
"to_ids": false,
"type": "link",
"uuid": "f10b6f7e-a1ec-4fb5-8f03-16c6e00c9bf9",
"value": "https://www.virustotal.com/gui/file/82333533f7f7cb4123bceee76358b36d4110e03c2219b80dced5a4d63424cc93/detection/f-82333533f7f7cb4123bceee76358b36d4110e03c2219b80dced5a4d63424cc93-1613757868"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1613810910",
"to_ids": false,
"type": "text",
"uuid": "1c366e4f-fd00-453f-9f3b-c6cf51c09e3e",
"value": "18/59"
}
]
}
],
"EventReport": [
{
"name": "Report from - \r\nhttps://unit42.paloaltonetworks.com/ironnetinjector/ (1613810890)",
"content": "html [if IE]> <div class=\"alert alert-warning\"> You are using an <strong>outd@[tag](misp-galaxy:tool=\"at\")ed</strong> browser. Please <a href=\"@[attribute](a96c2f20-d186-4106-8303-f6e4cba88012)\">upgrade your browser</a> to improve your experience. </div> <![endif] \n* Tools\n * ATOMs\n * About Us\n \n By Dominik Reichel \n\n February 19, 2021 @[tag](misp-galaxy:tool=\"at\") 6:00 AM\n\n C@[tag](misp-galaxy:tool=\"at\")egory: Unit 42\n\n Tags: .NET Framework, @[tag](misp-galaxy:mitre-enterprise-attack-malware=\"ComRAT\"), IronNetInjector, Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\"), malware, RPC Backdoor, @[tag](Turla)\n\n This post is also available in: \u65e5\u672c\u8a9e (Japanese)\n\n## Executive Summary\n\n In recent years, more and more ready-made malware is released on software development hosting sites available for everybody to use \u2013 including thre@[tag](misp-galaxy:tool=\"at\") actors. This not only saves the bad guys development time, but also makes it much easier for them to find new ideas to prevent detection of their malware.\n\n Unit 42 researchers have found several malicious Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") scripts whose purpose is to load and run @[tag](Turla)\u2019s malware tools on a victim\u2019s system. The use of Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") for malicious purposes isn\u2019t new, but the way @[tag](Turla) uses it *is* new. The overall method is known as Bring Your Own Interpreter (BYOI). It describes the use of an interpreter, not present on a system by default, to run malicious code of an interpreted programming or scripting language.\n\n The first malicious Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") scripts of the tool we describe here were discovered last year by a security researcher from FireEye. 
At the beginning of this year, another security researcher from Dragos pointed out some new scripts of the same thre@[tag](misp-galaxy:tool=\"at\") actor uploaded to VirusTotal from two different submitters. We found th@[tag](misp-galaxy:tool=\"at\") one of the submitters also uploaded two other samples, which are most likely embedded payloads of one of the Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") scripts. These samples helped us to understand how this tool works, wh@[tag](misp-galaxy:tool=\"at\") malware it loads and which thre@[tag](misp-galaxy:tool=\"at\") actor uses it.\n\n While the Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") scripts are only the first part of the tool, the main task of loading malware is done by an embedded process injector. We dubbed this toolchain IronNetInjector, the blend of Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") and the injector\u2019s internal project name NetInjector. In this blog, we describe the Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") scripts and how they\u2019re used to load one or more payloads with the help of an injector.\n\n Palo Alto Networks customers are protected from this thre@[tag](misp-galaxy:tool=\"at\") through @[tag](misp-galaxy:malpedia=\"WildFire\") and Cortex XDR. AutoFocus customers can investig@[tag](misp-galaxy:tool=\"at\")e this activity with the tag \u201cIronNetInjector\u201d.\n\n ## Wh@[tag](misp-galaxy:tool=\"at\") Is Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\")?\n\n First, let\u2019s take a look @[tag](misp-galaxy:tool=\"at\") wh@[tag](misp-galaxy:tool=\"at\") Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") is and why it was chosen as a loading vector. 
In the words of the Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") team:\n\n Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") is an open-source implement@[tag](misp-galaxy:tool=\"at\")ion of the @[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") programming language which is tightly integr@[tag](misp-galaxy:tool=\"at\")ed with the .NET Framework. Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") can use the .NET Framework and @[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") libraries, and other .NET languages can use @[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") code just as easily.\n\n And further:\n\n Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\")\u2019s sweet-spot is being able to use the .NET framework APIs directly from @[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\").\n\n With Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\"), you can use .NET framework APIs directly in your @[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") script. It is a @[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") interpreter written entirely in C#. Currently, it fully supports @[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") 2, while support for @[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") 3 is still in development. As one of two official projects formerly developed by Microsoft, the other being IronRuby, it uses the Dynamic Language Runtime (DLR).\n\n Now, it becomes clear why Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") is also @[tag](misp-galaxy:tool=\"at\")tractive for malware authors. You can make use of the .NET framework APIs without having to compile a .NET assembly. 
Of course, this requires the Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") interpreter to also be present on the system, but th@[tag](misp-galaxy:tool=\"at\") can be accomplished in different ways. Also, Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") scripts don\u2019t run with the original @[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") interpreter when .NET framework APIs are used in the code. In case of a sandbox th@[tag](misp-galaxy:tool=\"at\") supports @[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") scripts, the interpreter would simply crash without any dynamic analysis result. Further, as Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") is written in C# and thus its process contains all the Common Language Runtime (CLR) on execution, one can easily load additional assemblies.\n\n ## IronNetInjector\n\n IronNetInjector is made of an Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") script th@[tag](misp-galaxy:tool=\"at\") contains a .NET injector and one or more payloads. The payloads can be also .NET assemblies (x86/64) or n@[tag](misp-galaxy:tool=\"at\")ive PEs (x86/64). 
When an Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") script is run, the .NET injector gets loaded, which in turn injects the payload(s) into its own or a remote process.\n\n The key fe@[tag](misp-galaxy:tool=\"at\")ures of the malicious Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") scripts are as follows:\n\n \n * Function and variable names are obfusc@[tag](misp-galaxy:tool=\"at\")ed.\n * Strings are @[tag](encrypted).\n * Contain an @[tag](encrypted) .NET injector and one or more @[tag](encrypted) PE payloads.\n * Take one argument th@[tag](misp-galaxy:tool=\"at\") is the decryption key for the embedded .NET injector and PE payload(s).\n * Embedded .NET injector and payload(s) are encoded with Base64 and @[tag](encrypted) with Rijndael.\n * Log messages are written to %PUBLIC%\\Metad@[tag](misp-galaxy:tool=\"at\")a.d@[tag](misp-galaxy:tool=\"at\")\n * Error messages are written to %PUBLIC%\\Metaclass.d@[tag](misp-galaxy:tool=\"at\")\n \n The following screenshot shows one of the Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") scripts decoded:\n\n Figure 1. Decoded Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") script with embedded .NET injector and @[tag](misp-galaxy:mitre-enterprise-attack-malware=\"ComRAT\") payload (both shortened). We have found two versions of the .NET injector, a newer variant internally named NetInjector compiled in 2019 and an earlier variant named @[attribute](3b235e92-7b75-4eee-b0f6-c82e39bbb35a) compiled in 2018. The earlier variant is much more limited in functionality compared to the 2019 variant.\n\n Both versions are full-blown PE injection tools able to load a n@[tag](misp-galaxy:tool=\"at\")ive x86/64 payload reflectively into a remote process. This is accomplished via unmanaged functions and the use of PeNet, a publicly available PE parser library written in C#. 
The decompiled code is self-explan@[tag](misp-galaxy:tool=\"at\")ory as meaningful function, method and variable names are used throughout the code. Additionally, log and error messages are being used extensively.\n\n Most of the code of the 2018 variant is taken from @[tag](misp-galaxy:mitre-enterprise-attack-attack-pattern=\"PowerShell\") Empire\u2019s ReflectivePEInjection script and got transl@[tag](misp-galaxy:tool=\"at\")ed into C#. It\u2019s written in a much more specific manner than the 2019 variant, which is a generically written injection tool. The newer version additionally contains the ability to inject .NET assemblies into unmanaged processes. Also, it can load payloads into its own process space, the Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") interpreter process.\n\n The newer injector has the following PDB p@[tag](misp-galaxy:tool=\"at\")h left:\n\n C:\\Users\\Devel\\source\\repos\\c4\\agent\\build\\_tools\\agent\\_dll\\_to\\_@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\")\\_loader\\NetInjector\\NetInjector\\obj\\Release\\NetInjector.pdb\n\n The same submitters who uploaded the Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") scripts also submitted other files which are directly rel@[tag](misp-galaxy:tool=\"at\")ed to IronNetInjector. Based on the file sizes and the file sizes of the embedded payloads in the Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") scripts, we can make some assumptions about wh@[tag](misp-galaxy:tool=\"at\") the payloads likely are.\n\n The following table shows the Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") scripts c@[tag](misp-galaxy:tool=\"at\")egorized by the different VirusTotal submitters. 
It also shows which other samples uploaded by the same submitter or the other submitters are connected and gives the assumed embedded malware:\n\n **Submitter** **Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") script(s) uploads** **Rel@[tag](misp-galaxy:tool=\"at\")ed samples uploaded by same submitter** **Payload assumptions** 1 \u2022 @[attribute](cd157c15-9222-47ba-92d7-c15be694d2f7) \n \u2022 @[attribute](6ca179f8-bcd1-4c16-868f-05971ef25a1b) \u2022 Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\")-2.7.7z: Portable Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") version th@[tag](misp-galaxy:tool=\"at\") contains the two Iron@[tag](misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\") scripts and a Windows task XML to start @[attribute](6ca179f8-bcd1-4c16-868f-05971ef25a1b) \u2022 @[attribute](cd157c15-9222-47ba-92d7-c15be694d2f7): .NET injector (variant 2018) + RPC backdoor variant \n \u2022 @[attribute](6ca179f8-bcd1-4c16-868f-05971ef25a1b): .NET injector (variant 2019) + @[tag](misp-galaxy:mitre-enterprise-attack-malware=\"ComRAT\") variant 2 \u2022 @[attribute](b6b553ce-f2b8-44dc-9cc2-1f3186a7e1bb) \u2013 \u2022 @[attribute](b6b553ce-f2b8-44dc-9cc2-1f3186a7e1bb): .NET injector (variant 2019) + @[tag](misp-galaxy:mitre-enterprise-attack-malware=\"ComRAT\") variant 3 \u2022 @[suggestion](10@[attribute](6ca179f8-bcd1-4c16-868f-05971ef25a1b)) \n \u2022 @[suggestion](120@[attribute](6ca179f8-bcd1-4c16-868f-05971ef25a1b)) \n \u2022 @[suggestion](220@[attribute](b6b553ce-f2b8-44dc-9cc2-1f3186a7e1bb)) \u2013 \u2022 @[suggestion](10@[attribute](6ca179f8-bcd1-4c16-868f-05971ef25a1b)): .NET injector (variant 2018) + @[tag](misp-galaxy:mitre-enterprise-attack-malware=\"ComRAT\") variant \n \u2022 @[suggestion](120@[attribute](6ca179f8-bcd1-4c16-868f-05971ef25a1b)): .NET injector (variant 2019) + @[tag](misp-galaxy:mitre-enterprise-attack-malware=\"ComRAT\") variant \n \u2022 
@[suggestion](220@[attribute](b6b553ce-f2b8-44dc-9cc2-1f3186a7e1bb)): .NET injector (variant 2018) + Unknown 4 \u2022 @[attribute](6ca179f8-bcd1-4c16-868f-05971ef25a1b) \u2022 NetInjector.dll: .NET injector (variant 2019), most likely embedded .NET injector in @[attribute](6ca179f8-bcd1-4c16-868f-05971ef25a1b) of same submitter \n \u2022 payload.exe: @[tag](misp-galaxy:mitre-enterprise-attack-malware=\"ComRAT\") v4 variant (DLL), most likely embedded in @[attribute](6ca179f8-bcd1-4c16-868f-05971ef25a1b) of same submitter \u2013 5 \u2013 \u2022 part\\_1.data: .NET injector (variant 2018), most likely embedded in @[attribute](cd157c15-9222-47ba-92d7-c15be694d2f7) of submitter 1 \n \u2022 part\\_2.data: RPC backdoor variant, most likely embedded in @[attribute](cd157c15-9222-47ba-92d7-c15be694d2f7) of submitter 1 \n \u2022 part\\_3.data: RPC backdoor variant, most likely embedded in @[attribute](cd157c15-9222-47ba-92d7-c15be694d2f7) of submitter 1 \u2013 *Table 1. Categorized IronPython samples according to VirusTotal submitters and their assumed payloads.*\n\n It becomes clear that IronNetInjector is mostly used to load @[tag](misp-galaxy:mitre-enterprise-attack-malware=\"ComRAT\"). In one case, a variant of the RPC backdoor is used and in another a payload that we couldn\u2019t associate with known malware.\n\n We also couldn\u2019t verify how the IronPython scripts get run in the first place. One of the submitters uploaded a 7-Zip archive with the contents of the IronPython MSI file of version @[attribute](babb2d54-f907-4c23-b86c-bf48d05a2010) from 2011. 
This archive also contains two IronPython scripts (see table) and a Windows task XML file named @[attribute](d87b5a9e-126d-448a-84eb-90b06cd0e0b7) with the following content:\n\n Figure 2. Windows task XML file for IronNetInjector. The task is used to start an IronPython script with the 64-bit version of the interpreter. As a command line argument, the Rijndael decryption key is passed. However, the key didn\u2019t decrypt any of the embedded files in the scripts we found. The task\u2019s description is PythonUpdateSrvc and it runs either on Windows startup when a user logs in or when one of two system events get created:\n\n Figure 3. IronNetInjector task triggers. Depending on the system, the event with ID 8001 belongs to Microsoft Internet Information Services (IIS), Microsoft Exchange Server or Windows Server (Source: Netsurion EventTracker). The other event with ID 5324 is likely related to the logoff from Winlogon. Both triggers only happen when these events appear in the Microsoft-Windows-GroupPolicy(/Operational) event logs.\n\n When we consider that the files in the 7-Zip archive were all taken from the same directory, we can make some assumptions. The attacker might have used the IronPython MSI to install the interpreter to C:\\ProgramData\\IronPython-2.7 on the victim\u2019s system. 
The IronPython scripts and the Windows task XML were placed in the same directory. The task file is then used to create a task which in turn starts a script when triggered. However, it\u2019s also possible that the submitter collected the files from different places and just bundled them into an archive for scanning purposes. It\u2019s also unclear why the attacker would use such an old version of IronPython.\n\n ## A Brief Walkthrough\n\n Let\u2019s go briefly through the execution flow based on one of the scripts of VirusTotal submitter 4 that contains the 2019 variant of the injector and a @[tag](misp-galaxy:mitre-enterprise-attack-malware=\"ComRAT\") variant (SHA256: @[attribute](25def1c1-4edf-46dd-b831-d21ae46b1a48)).\n\n When an IronPython script is run, it is loaded into the IronPython interpreter. In the IronPython script, the embedded .NET injector (SHA256: @[attribute](d9c8070f-ea2b-47e8-ae78-30a1f85a788c)) and @[tag](misp-galaxy:mitre-enterprise-attack-malware=\"ComRAT\") DLL payload (SHA256: @[attribute](3e136590-6d34-418c-9896-78defc1c3f1c)) get decoded and decrypted. This is done with the Python Base64 module and the RijndaelManaged class from the C# cryptography namespace. The decryption key is passed as an argument to the IronPython script. The Rijndael initialization vector (IV) is stored in the script. 
Next, the .NET injector gets loaded into the IronPython process with the help of the @[attribute](d8e38470-7531-4c34-974d-f615fe8d44ab)() method of the C# Reflection namespace. That\u2019s possible because IronPython itself is a .NET assembly and thus its process already contains all the .NET runtime libraries.\n\n After the injector assembly is loaded, the ID of the process where the @[tag](misp-galaxy:mitre-enterprise-attack-malware=\"ComRAT\") DLL gets injected is retrieved. In this case, the @[attribute](999ce124-2fe7-4834-8acf-fc1497f51675) was chosen. This routine to get the PID slightly differs in the IronPython scripts we found. While one script uses the C# method GetProcessesByName() to get the PID, the other scripts run the Windows tool @[attribute](8ed2b574-6028-4df6-95e2-5dde566ec064) with the help of the Python @[attribute](3e5454b9-32cf-4a40-aa4e-1206ca7b59f2)() function. The output is then parsed for the targeted process ID with the help of tasklist filters. Also, some scripts filter the PID based on a Windows service name. When the PID is found, an instance of the injector assembly is created and the @[tag](misp-galaxy:mitre-enterprise-attack-malware=\"ComRAT\") payload bytes and PID are passed.\n\n Figure 4. PID retrieval function variations in the different IronPython scripts. Finally, the injector\u2019s public methods Invoke() and InvokeVoid() get called. In the latter, the exported function name VFEP of the @[tag](misp-galaxy:mitre-enterprise-attack-malware=\"ComRAT\") payload gets passed. 
From this point on, the .NET injector takes control over the further execution.\n\n The .NET injector contains the following namespaces:\n\n \n * DefaultSerializer\n * PeNet\n * @[attribute](b2aa5091-25f2-4748-af53-849ffcc38812)\n * @[attribute](e53deaa0-c43a-4dfc-826e-62d242226037)\n * @[attribute](e53deaa0-c43a-4dfc-826e-62d242226037).MetaDataTables\n * @[attribute](e53deaa0-c43a-4dfc-826e-62d242226037).MetaDataTables.Parsers\n * @[attribute](70b9137a-36b3-4e3c-9ee0-8407c42d4009)\n \n While the PeNet code is copied from the project, the namespace DefaultSerializer contains the injector code and is made of the following classes:\n\n \n * DefaultSerializer: Contains the injector code.\n * NetBootstrapper: Contains 32-/64-bit bootstrappers to load an assembly into an unmanaged process.\n * Win32: Contains the imported unmanaged function declarations and win32 structures/constants.\n \n The DefaultSerializer class exposes four public methods:\n\n \n * InjectAssembly\n * Invoke\n * InvokeAssemblyMethod\n * InvokeVoid\n \n These methods are used pairwise. The method InjectAssembly is used to inject a .NET assembly into a native process (or its own) and InvokeAssemblyMethod to call any chosen method of the injected assembly. The method Invoke is used to inject a native PE into a remote process and InvokeVoid to call any exported function of the injected payload.\n\n Figure 5. Decompiled NetInjector code. Depending on the number of arguments passed to DefaultSerializer at creation time, the payload is either loaded into its own process or a remote one. In case only the payload bytes are passed, it gets loaded into its own process space. 
The other options are to also pass the ID or handle of the remote process the payload gets injected to.\n\n In our case, the second option is used with the PID of @[attribute](999ce124-2fe7-4834-8acf-fc1497f51675) to load the @[tag](misp-galaxy:mitre-enterprise-attack-malware=\"ComRAT\") payload reflectively into the process.\n\n One other interesting aspect of the injector is its ability to load an assembly into an unmanaged process. This needs some preparation in the remote process, as you cannot simply load and execute a .NET assembly there if the CLR isn\u2019t present. This is accomplished with a native bootstrapper DLL, which gets injected into the remote process and prepares it so a .NET assembly can be injected afterwards.\n\n There are two bootstrappers (x86/64) contained in the NetBootstrapper class, which have the following PDB paths left:\n\n @[attribute](1af7dfc6-d905-4932-aa29-6e8b580c1419)\n\n @[attribute](f77b67e3-040f-43c6-b27f-7b3adb17acbc)\n\n Just like the injector itself, the bootstrappers contain meaningful function names (exported functions) and useful log messages. 
They export the following functions:\n\n \n * Bootstrap: Load CLR services into process.\n * GetMethodResult: Get method result from InvokeMethod.\n * InvokeMethod: Call method of injected assembly passed as a parameter.\n * LoadAssembly: Load .NET assembly passed as a parameter.\n * StartClrRuntime: Same as Bootstrap.\n \n These functions are called from the injector to prepare and load a .NET assembly payload from the IronPython script into a remote process.\n\n In all the IronPython scripts we found, only the native payload to native remote process injection option is used.\n\n ## Conclusion\n\n IronNetInjector is another toolset in @[tag](Turla)\u2019s ever-growing arsenal, made of an IronPython script and an injector. It\u2019s similar in structure to the previously used in-memory loading mechanism to execute malware with the help of @[tag](misp-galaxy:mitre-enterprise-attack-attack-pattern=\"PowerShell\") scripts. These scripts contain an embedded PE loader to execute an embedded malware payload.\n\n The tool we discussed in this blogpost was likely developed to move away from @[tag](misp-galaxy:mitre-enterprise-attack-attack-pattern=\"PowerShell\") towards .NET. This general trend can be seen in recent years as detection of @[tag](Powershell) based threats became better, but also due to security mechanisms like AMSI introduced by Microsoft.\n\n The .NET injectors and bootstrappers contain clean code and meaningful function/method/variable names, and they use detailed log/error messages. 
Only the initial IronPython scripts are obfuscated to prevent easy detection.\n\n There are still some questions we need answers for, such as what other samples get loaded beside @[tag](misp-galaxy:mitre-enterprise-attack-malware=\"ComRAT\") and the RPC backdoor? How do the IronPython scripts get run? And how is the interpreter deployed to a victim\u2019s system?\n\n We will continue to monitor for this malware loading tool to get the missing pieces of the puzzle.\n\n Palo Alto Networks customers are protected from this malware tool. Our threat prevention platform WildFire detects it as malicious. Our extended detection and response platform Cortex XDR can identify and block the malware execution. AutoFocus customers can track the activity with the tag \u201cIronNetInjector\u201d.\n\n ## Indicators of Compromise\n\n #### **IronPython scripts**\n\n @[attribute](c01c2b14-2df0-48be-a8b9-151d1eb6cabb) (@[attribute](cd157c15-9222-47ba-92d7-c15be694d2f7), submitter 1)\n\n @[attribute](61288f48-9193-4986-942d-8186dc5832c3) (@[attribute](6ca179f8-bcd1-4c16-868f-05971ef25a1b), submitter 1)\n\n @[attribute](8c99b060-e98f-4903-a660-9b179da4f06b) (@[attribute](b6b553ce-f2b8-44dc-9cc2-1f3186a7e1bb), submitter 2)\n\n @[attribute](c803c285-7b5e-41a2-8039-4cf867cc0cd3) (@[suggestion](10@[attribute](6ca179f8-bcd1-4c16-868f-05971ef25a1b)), submitter 3)\n\n @[attribute](ee49fa56-c0d1-4cf6-bd09-2a7c41e82812) (@[suggestion](120@[attribute](6ca179f8-bcd1-4c16-868f-05971ef25a1b)), submitter 3)\n\n @[attribute](7218aec5-416f-438e-936a-1ba1f92ab346) (@[suggestion](220@[attribute](b6b553ce-f2b8-44dc-9cc2-1f3186a7e1bb)), 
submitter 3)\n\n @[attribute](25def1c1-4edf-46dd-b831-d21ae46b1a48) (@[attribute](6ca179f8-bcd1-4c16-868f-05971ef25a1b), submitter 4)\n\n #### **Injector samples**\n\n @[attribute](d9c8070f-ea2b-47e8-ae78-30a1f85a788c) (2019 variant, submitter 4)\n\n @[attribute](103f647f-76fc-4698-8193-2c29df55f26e) (2018 variant, submitter 5)\n\n #### **Bootstrapper samples**\n\n @[attribute](f4642726-7d3a-4f77-ac23-59c220678eb0)\n\n @[attribute](8389a593-98d2-4ae2-ae3a-3efbe519672a)\n\n #### **Related samples**\n\n @[attribute](00f2f454-0978-43f9-9dd8-55d407f1c190) (IronPython-2.7.7z, submitter 1)\n\n @[attribute](3e136590-6d34-418c-9896-78defc1c3f1c) (@[tag](misp-galaxy:mitre-enterprise-attack-malware=\"ComRAT\") v4 variant, submitter 4)\n\n @[attribute](eeeffb3a-b92e-43d8-a954-60e99fd478d4) (RPC backdoor variant, submitter 5)\n\n @[attribute](490b1de9-53aa-4776-81fb-3ddd8f226dbf) (RPC backdoor variant, submitter 5)\n\n \n\n #### Get updates from \n Palo Alto \n Networks!\n\n Sign up to receive the latest news, cyber threat intelligence and research from us\n\n <form action=\"@[attribute](71c1870e-34b1-4857-ac1b-ed21fd75d2b6)\" method=\"post\" novalidate class=\"subscribe-form py-25\" @[suggestion](name=\"@[attribute](060b07d7-1a4d-4ced-9ad8-e3f34ace7585))\"> <input type=\"hidden\" value=\"818-CZC-273\" name=\"munchkinId\"> Please enter your email address!\n\n Please mark, I'm not a robot!\n\n By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.",
"id": "41",
"event_id": "82503",
"timestamp": "1613810910",
"uuid": "93647699-1a3e-44fa-9bd4-c00725e0fd11",
"deleted": false
}
]
}
}