121 lines
No EOL
5.5 KiB
JSON
121 lines
No EOL
5.5 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2016-05-13",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Cyber Heist Attribution",
|
|
"publish_timestamp": "1463141862",
|
|
"published": true,
|
|
"threat_level_id": "2",
|
|
"timestamp": "1463141853",
|
|
"uuid": "5735c472-124c-495e-bebd-4bc5950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#6edb00",
|
|
"local": "0",
|
|
"name": "circl:topic=\"finance\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "This sample was uploaded from a user in the US on 4th March 2016",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1463141581",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5735c4cd-b618-4017-99b8-4a42950d210f",
|
|
"value": "c6eb8e46810f5806d056c4aa34e7b8d8a2c37cad"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "msoutc.exe accepts a number of parameters passed with the command line. When executed, it checks if there is another instance of itself already running on a system, by attempting to create a mutex called:",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1463141654",
|
|
"to_ids": true,
|
|
"type": "mutex",
|
|
"uuid": "5735c509-257c-4157-841e-4b80950d210f",
|
|
"value": "Global\\FwtSqmSession106839323_S-1-5-20"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1463141669",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "5735c525-ea58-426b-ada0-40e4950d210f",
|
|
"value": "%TEMP%\\sysman\\svchost.exe"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "The malware keeps its logs within an encrypted file wmplog15r.sqm and/or wmplog21t.sqm, located in the same directory. The logged messages are encrypted with a key",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1463141711",
|
|
"to_ids": true,
|
|
"type": "pattern-in-memory",
|
|
"uuid": "5735c53f-2628-432d-9844-4411950d210f",
|
|
"value": "y@s!11yid60u7f!07ou74n001"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "This sample was uploaded from a user in the US on 4th March 2016 - Xchecked via VT: c6eb8e46810f5806d056c4aa34e7b8d8a2c37cad",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1463141827",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5735c5c3-10ec-44bc-8812-4f7b02de0b81",
|
|
"value": "4cf164497c275ae0f86c28d7847b10f5bd302ba12b995646c32cb53d03b7e6b5"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "This sample was uploaded from a user in the US on 4th March 2016 - Xchecked via VT: c6eb8e46810f5806d056c4aa34e7b8d8a2c37cad",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1463141828",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5735c5c4-b084-4bf4-8f30-4dd202de0b81",
|
|
"value": "558b020ce2c80710605ed30678b6fd0c"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "This sample was uploaded from a user in the US on 4th March 2016 - Xchecked via VT: c6eb8e46810f5806d056c4aa34e7b8d8a2c37cad",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1463141828",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5735c5c4-c4fc-4518-a60e-4c1602de0b81",
|
|
"value": "https://www.virustotal.com/file/4cf164497c275ae0f86c28d7847b10f5bd302ba12b995646c32cb53d03b7e6b5/analysis/1463129351/"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1463141853",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "5735c5dd-e23c-4948-a76b-4764950d210f",
|
|
"value": "Attributing a single cyber-attack is a hard task and often impossible. However, when multiple attacks are conducted over long periods of time, they leave a trail of digital evidence. Piecing this together into a campaign can help investigators to see the bigger picture, and even hint at who may be behind the attacks.\r\n\r\nOur research into malware used on SWIFT based systems running in banks has turned up multiple bespoke tools used by a set of attackers. What initially looked to be an isolated incident at one Asian bank turned out to be part of a wider campaign. This led to the identification of a commercial bank in Vietnam that also appears to have been targeted in a similar fashion using tailored malware, but based off a common code-base.\r\n\r\nIn the bank malware cases we know of, the coders used a unique file wipe-out function. This implementation was so distinctive that it further drew our attention \u00e2\u20ac\u201c and so we began to look for other instances of code which had used the same function. Using disassembled machine opcodes (with masked out dynamic virtual addresses) we generated signatures to scan a large malware corpus.\r\n\r\nOur initial search turned up an additional sample which implemented the same wipe-out function."
|
|
}
|
|
]
|
|
}
|
|
} |