270 lines
No EOL
11 KiB
JSON
270 lines
No EOL
11 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2016-06-12",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Communications of the Bolek Trojan",
|
|
"publish_timestamp": "1465739926",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1465739647",
|
|
"uuid": "575d6784-4218-4756-84f8-49e0950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"local": "0",
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#3b7500",
|
|
"local": "0",
|
|
"name": "circl:incident-classification=\"malware\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465739178",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "575d67aa-fc44-4d26-9f32-4ff4950d210f",
|
|
"value": "A few weeks ago CERT Polska released a short blog post introducing a new malware family now known as Bolek. PhishMe and Dr.Web have since added some additional insight into the family. Browsing through a memory dump of the malware, a Webinjects section sticks out. Webinjects usually imply banking malware, so it seems Bolek picks up where its predecessor, Carberp, leaves off. This post takes a closer look at its command and control (C2) mechanism and what it takes to elicit a configuration file from its C2 servers."
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465739191",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "575d67b7-dc10-4016-bca5-48b0950d210f",
|
|
"value": "https://www.arbornetworks.com/blog/asert/communications-bolek-trojan/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "The sample used for reverse engineering",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465739260",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "575d67fc-1ee8-4ff0-b7ca-4cb0950d210f",
|
|
"value": "62962da720d478bb3510dabc691db37df546749b440caa45d75d9fbfb69d82f9"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the Freetext Import Tool",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465739309",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "575d682d-79f4-44b6-a83d-4b69950d210f",
|
|
"value": "mensabuxus.net"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the Freetext Import Tool",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465739310",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "575d682e-d210-4432-aa46-4c44950d210f",
|
|
"value": "ogrthuvwfdcfri5euwg.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the Freetext Import Tool",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465739310",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "575d682e-c8f0-4638-8049-4bf4950d210f",
|
|
"value": "ogrthuvfewfdcfri5euwg.com"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "At the time of this research, the C2 servers were down (one of them was a sinkhole already), so a second sample was also used.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465739352",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "575d6858-055c-4383-a7ab-4d74950d210f",
|
|
"value": "cdbd348df2c1d80c9fea63a6d958095b4188c462d17380131d3508d770d3a875"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "278028 bytes of binary data. Contains a PE file starting at offset 524.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465739424",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "575d68a0-aac0-4130-91e7-4611950d210f",
|
|
"value": "a0d92950267539d7054843cdbca8976caf7ed4e755d9f9d97622feb6104a4885"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "323084 bytes of binary data. Contains a PE file starting at offset 524.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465739472",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "575d68d0-9474-464d-ad4f-49ea950d210f",
|
|
"value": "000a09c86232724445353a8d2e2e9c46eef042669a24b3421d8428105856cc12"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "323084 bytes of binary data. Contains a PE file starting at offset 524. - Xchecked via VT: 000a09c86232724445353a8d2e2e9c46eef042669a24b3421d8428105856cc12",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465739647",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "575d697f-dd88-475d-9f9d-413f02de0b81",
|
|
"value": "d85668e9ba963bb476f7b919d22bbf24bf993835"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "323084 bytes of binary data. Contains a PE file starting at offset 524. - Xchecked via VT: 000a09c86232724445353a8d2e2e9c46eef042669a24b3421d8428105856cc12",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465739648",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "575d6980-f344-428b-8cfd-405502de0b81",
|
|
"value": "a3de5ad2f5de15f66ca32ac23869fe24"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "323084 bytes of binary data. Contains a PE file starting at offset 524. - Xchecked via VT: 000a09c86232724445353a8d2e2e9c46eef042669a24b3421d8428105856cc12",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465739648",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "575d6980-3638-4e16-9fb9-4b5402de0b81",
|
|
"value": "https://www.virustotal.com/file/000a09c86232724445353a8d2e2e9c46eef042669a24b3421d8428105856cc12/analysis/1465310991/"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "At the time of this research, the C2 servers were down (one of them was a sinkhole already), so a second sample was also used. - Xchecked via VT: cdbd348df2c1d80c9fea63a6d958095b4188c462d17380131d3508d770d3a875",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465739649",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "575d6981-af88-4ab2-900f-4ab702de0b81",
|
|
"value": "a8d843c3ddb881e69a4c9986c37a0ce582639da6"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "At the time of this research, the C2 servers were down (one of them was a sinkhole already), so a second sample was also used. - Xchecked via VT: cdbd348df2c1d80c9fea63a6d958095b4188c462d17380131d3508d770d3a875",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465739649",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "575d6981-3da0-415e-8c6e-4f9702de0b81",
|
|
"value": "6f24daf8ef6245563afdd095e27408b5"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "At the time of this research, the C2 servers were down (one of them was a sinkhole already), so a second sample was also used. - Xchecked via VT: cdbd348df2c1d80c9fea63a6d958095b4188c462d17380131d3508d770d3a875",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465739650",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "575d6982-a5bc-439d-843f-448202de0b81",
|
|
"value": "https://www.virustotal.com/file/cdbd348df2c1d80c9fea63a6d958095b4188c462d17380131d3508d770d3a875/analysis/1465655808/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "278028 bytes of binary data. Contains a PE file starting at offset 524. - Xchecked via VT: a0d92950267539d7054843cdbca8976caf7ed4e755d9f9d97622feb6104a4885",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465739650",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "575d6982-a958-452f-a484-44a402de0b81",
|
|
"value": "145c9b79efd10718118ce5c58cf0af2618c9e39c"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "278028 bytes of binary data. Contains a PE file starting at offset 524. - Xchecked via VT: a0d92950267539d7054843cdbca8976caf7ed4e755d9f9d97622feb6104a4885",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465739650",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "575d6982-c768-41c1-99a9-41c302de0b81",
|
|
"value": "3b10ebf43e537f93c4c7ed0c11a2b7db"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "278028 bytes of binary data. Contains a PE file starting at offset 524. - Xchecked via VT: a0d92950267539d7054843cdbca8976caf7ed4e755d9f9d97622feb6104a4885",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465739651",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "575d6983-1c8c-44c2-ad87-476d02de0b81",
|
|
"value": "https://www.virustotal.com/file/a0d92950267539d7054843cdbca8976caf7ed4e755d9f9d97622feb6104a4885/analysis/1465310749/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "The sample used for reverse engineering - Xchecked via VT: 62962da720d478bb3510dabc691db37df546749b440caa45d75d9fbfb69d82f9",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465739651",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "575d6983-b4e0-439c-ba07-4bca02de0b81",
|
|
"value": "ea127bb4e0c58902524e11740e15acd46ea71494"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "The sample used for reverse engineering - Xchecked via VT: 62962da720d478bb3510dabc691db37df546749b440caa45d75d9fbfb69d82f9",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465739652",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "575d6984-f800-4594-b574-480402de0b81",
|
|
"value": "e89ff40a8832cd27d2aae48ff7cd67d2"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "The sample used for reverse engineering - Xchecked via VT: 62962da720d478bb3510dabc691db37df546749b440caa45d75d9fbfb69d82f9",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465739652",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "575d6984-a494-4181-8019-40e802de0b81",
|
|
"value": "https://www.virustotal.com/file/62962da720d478bb3510dabc691db37df546749b440caa45d75d9fbfb69d82f9/analysis/1465505769/"
|
|
}
|
|
]
|
|
}
|
|
} |