418 lines
No EOL
14 KiB
JSON
418 lines
No EOL
14 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2012-08-14",
|
|
"extends_uuid": "",
|
|
"info": "OSINT Backdoor.Win32.Shiz from Lavasoft",
|
|
"publish_timestamp": "1421404886",
|
|
"published": true,
|
|
"threat_level_id": "4",
|
|
"timestamp": "1421401757",
|
|
"uuid": "54b8caf4-0830-44b3-b460-4662950d210b",
|
|
"Orgc": {
|
|
"name": "CthulhuSPRL.be",
|
|
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"local": "0",
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#33FF00",
|
|
"local": "0",
|
|
"name": "tlp:green",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421396736",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "54b8cb01-a478-435f-9b65-47b5950d210b",
|
|
"value": "http://lavasoft.com/mylavasoft/malware-descriptions/blog/backdoorwin32shiz"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421396750",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "54b8cb0e-1528-417d-b1c9-4053950d210b",
|
|
"value": "Shiz"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421396803",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "54b8cb43-763c-48c3-81c5-4254950d210b",
|
|
"value": "e973239500b4fb216182043805453cea9edf8730"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421396860",
|
|
"to_ids": false,
|
|
"type": "filename",
|
|
"uuid": "54b8cb6f-001c-4864-b4a3-484d950d210b",
|
|
"value": "%Temp%\\<rnd_digit>.tmp"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421396880",
|
|
"to_ids": false,
|
|
"type": "filename",
|
|
"uuid": "54b8cb90-ce44-4091-9163-440d950d210b",
|
|
"value": "%WinDir\\AppPatch\\<rnd_alpha>.exe"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421397510",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "54b8ce06-5244-4c6d-ac48-430d950d210b",
|
|
"value": "The backdoor ends its own execution and deletes its original file if the following processes run on the system:\r\n\r\nHookExplorer.exe\r\nproc_analyzer.exe\r\nsckTool.exe\r\nsniff_hit.exe\r\nsysAnalyzer.exe\r\nidag.exe\r\nollydbg.exe\r\ndumpcap.exe\r\nwireshark.exe\r\navp.exe"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421397525",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "54b8ce15-1390-48b5-b329-49c3950d210b",
|
|
"value": "If the backdoor launches without administrator privileges, it tries to access the administrator account by guessing a password:\r\n\r\nhelp\r\nstone\r\nserver\r\npass\r\nidontknow\r\nadministrator\r\nadmin\r\n666666\r\n111\r\n12345678\r\n1234\r\nsoccer\r\nabc123\r\npassword1\r\nfootball1\r\nfuckyou\r\nmonkey\r\niloveyou1\r\nsuperman1\r\nslipknot1\r\njordan23\r\nprincess1\r\nliverpool1\r\nmonkey1\r\nbaseball1\r\n123abc\r\nqwerty1\r\nblink182\r\nmyspace1\r\npop\r\nuser111\r\n098765\r\nqweryuiopas\r\nqwe\r\nqwer\r\nqwert\r\nqwerty\r\nasdfg\r\nchort\r\nnah\r\nxak\r\nxaep\r\n111111\r\n12345\r\n2013\r\n2007\r\n2207\r\n110\r\n5554\r\n775\r\n354\r\n1982\r\n123\r\npassword\r\n123456"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Internet connectivity check",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421397547",
|
|
"to_ids": false,
|
|
"type": "hostname",
|
|
"uuid": "54b8ce2b-1cd8-4a4d-88c2-4e5a950d210b",
|
|
"value": "www.bing.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Internet connectivity check",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421397548",
|
|
"to_ids": false,
|
|
"type": "hostname",
|
|
"uuid": "54b8ce2c-bef0-45dd-b805-4c9f950d210b",
|
|
"value": "www.microsoft.com"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421397569",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "54b8ce41-6378-492b-813b-caa2950d210b",
|
|
"value": "Installs hooks for following functions:\r\n\r\nDnsapi.dll:\r\nDnsQuery_A\r\nDnsQuery_UTF8\r\nDnsQuery_W\r\nQuery_Main\r\n\r\nuser32.dll:\r\nGetClipboardData\r\nTranslateMessage\r\nGetMessageA\r\nGetMessageW\r\nGetWindowTextA\r\nOpenDesktopA\r\nOpenDesktopW\r\nTrackPopupMenuEx\r\nOpenDesktopW\r\nOpenInputDesktop\r\nSwitchDesktop\r\nGetUpdatedClipboardFormats\r\nCloseClipboard\r\nCountClipboardFormats\r\nEmptyClipboard\r\nGetPriorityClipboardFormat\r\nIsClipboardFormatAvailable\r\nSetClipboardData\r\nFlashWindowEx\r\nFlashWindow\r\nGetCursorPos\r\nSetCursorPos\r\nSetCapture\r\nReleaseCapture\r\nGetCapture\r\nDefWindowProcW\r\nDefWindowProcA\r\nDefDlgProcW\r\nDefDlgProcA\r\nDefFrameProcW\r\nDefWindowProcA\r\nDefMDIChildProcA\r\nCallWindowProcW\r\nCallWindowProcA\r\nPeekMessageW\r\nPeekMessageA\r\n\r\nadvapi32.dll:\r\nCryptEncrypt\r\n\r\nntdll.dll:\r\nNtQuerySystemInformation\r\n\r\nws2_32.dll:\r\nsend\r\nWSASend\r\nWSARecv\r\nrecv\r\ngetaddrinfo\r\ngethostbyname\r\ninet_addr\r\n\r\nkernel32.dll:\r\nCreateFileW\r\nGetFileAttributesW \r\n\r\nCrypt32.dll:\r\nCertVerifyCertificateChainPolicy\r\n\r\nWininet.dll:\r\nHttpSendRequestA\r\nHttpSendRequestW\r\nHttpSendRequestExA\r\nHttpSendRequestExW\r\nInternetQueryDataAvailable\r\nInternetReadFile\r\nInternetReadFileExA\r\nInternetReadFileExW\r\nInternetCloseHandle \r\n\r\nnspr4.dll:\r\nPR_Write\r\nPR_Read\r\nPR_Close\r\nPR_OpenTCPSocket \r\n\r\nsks2xyz.dll:\r\nvb_pfx_import \r\n\r\nFilialRCon.dll:\r\nRCN_R50Buffer\r\n\r\nmespro.dll:\r\nAddPSEPrivateKeyEx\r\nAddSigner"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421398963",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54b8d3b3-f798-4bb8-904b-d90d950d210b",
|
|
"value": "31e855d428195a27077d535e4b0778cd"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421398980",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54b8d3c4-12d4-42ad-8559-4762950d210b",
|
|
"value": "9d1f4902e2eb83feab79175dd89b1912"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421399040",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "54b8d400-56f4-4318-8431-44ac950d210b",
|
|
"value": "xubifaremin.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421399040",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "54b8d400-5fbc-4e33-8b8b-40fc950d210b",
|
|
"value": "dixemazufel.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421399040",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "54b8d400-eba0-49eb-9a1e-49cc950d210b",
|
|
"value": "lyvejujolec.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421399040",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "54b8d400-5a64-4787-80ff-4d33950d210b",
|
|
"value": "marytymenok.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421399041",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "54b8d401-98e4-452d-bfe5-4367950d210b",
|
|
"value": "vojacikigep.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421399041",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "54b8d401-d444-4f3c-b032-4336950d210b",
|
|
"value": "gadufiwabim.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421399041",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "54b8d401-8a64-4961-9851-4947950d210b",
|
|
"value": "xuxusujenes.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421399041",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "54b8d401-2f08-481c-a5e0-49f8950d210b",
|
|
"value": "fogeliwokih.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421399041",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "54b8d401-9a34-43a7-b364-4128950d210b",
|
|
"value": "jewuqyjywyv.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421399041",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "54b8d401-62c8-41d7-a411-48aa950d210b",
|
|
"value": "masisokemep.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421399041",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "54b8d401-4178-4b8e-bb3f-47f1950d210b",
|
|
"value": "nofyjikoxex.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421399041",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "54b8d401-3c0c-4e5e-ad2a-4aa9950d210b",
|
|
"value": "qetoqolusex.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421399041",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "54b8d401-21c4-40d2-8a72-4b0e950d210b",
|
|
"value": "jepororyrih.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421399041",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "54b8d401-374c-4667-bb9b-45c9950d210b",
|
|
"value": "rynazuqihoj.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421399041",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "54b8d401-a238-48d7-90ad-40aa950d210b",
|
|
"value": "dikoniwudim.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421399041",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "54b8d401-b8d8-4e5e-a9d7-4cac950d210b",
|
|
"value": "kemocujufys.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421399042",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "54b8d402-18b0-4bcf-a93e-454b950d210b",
|
|
"value": "voniqofolyt.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421399042",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "54b8d402-9978-43ab-b9c6-464e950d210b",
|
|
"value": "dimutobihom.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421399042",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "54b8d402-d264-45d2-b5d0-4f04950d210b",
|
|
"value": "makagucyraj.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421399042",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "54b8d402-7da0-469c-95a7-4bb6950d210b",
|
|
"value": "qebahilojam.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421399042",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "54b8d402-4ca8-4cb7-a2ba-4385950d210b",
|
|
"value": "tufecagemyl.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421399085",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "54b8d42d-207c-421a-8b10-4611950d210b",
|
|
"value": "Seem to use a domain generation algorithm"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Emerging Threats free IDS rules available",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1421401757",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "54b8de9d-49a4-4b93-bb52-4662950d210b",
|
|
"value": "http://doc.emergingthreats.net/bin/view/Main/WebSearch?search=shiz&scope=all&web=Main"
|
|
}
|
|
]
|
|
}
|
|
} |