176 lines
No EOL
6.9 KiB
JSON
176 lines
No EOL
6.9 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2017-06-06",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - \u00e2\u20ac\u0153Zusy\u00e2\u20ac\u009d PowerPoint Malware Spreads Without Needing Macros",
|
|
"publish_timestamp": "1496752510",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1496752474",
|
|
"uuid": "5936a055-a640-42e1-9b7c-4676950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:tool=\"Tinba\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "First-stage JSE payload",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1496752448",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5936a072-4bc0-4dc0-937e-4102950d210f",
|
|
"value": "55821b2be825629d6674884d93006440d131f77bed216d36ea20e4930a280302"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Second-stage EXE payload",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1496752448",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5936a072-8fb0-44cc-b13a-4ca0950d210f",
|
|
"value": "55c69d2b82addd7a0cd3bebe910cd42b7343bd3faa7593356bcdca13dd73a0ef"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "PowerPoint dropper",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1496752448",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5936a0af-a840-47a5-8b8b-4b5b950d210f",
|
|
"value": "796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1496752448",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5936a104-c5ac-470e-adab-b4f9950d210f",
|
|
"value": "A new variant of a malware called \u00e2\u20ac\u0153Zusy\u00e2\u20ac\u009d has been found in the wild spreading as a PowerPoint file attached to spam emails with titles like \u00e2\u20ac\u0153Purchase Order #130527\u00e2\u20ac\u009d and \u00e2\u20ac\u0153Confirmation.\u00e2\u20ac\u009d It\u00e2\u20ac\u2122s interesting because it doesn\u00e2\u20ac\u2122t require the user to enable macros to execute. Most Office malware relies on users activating macros to download some executable payload which does most of the malicious stuff, but this malware uses the external program feature instead."
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "First-stage JSE payload - Xchecked via VT: 55821b2be825629d6674884d93006440d131f77bed216d36ea20e4930a280302",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1496752450",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5936a142-89dc-4c16-a8fa-16e102de0b81",
|
|
"value": "104919078a6d688e5848ff01b667b4d672b9b447"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "First-stage JSE payload - Xchecked via VT: 55821b2be825629d6674884d93006440d131f77bed216d36ea20e4930a280302",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1496752450",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5936a142-b1d8-4f54-92b3-16e102de0b81",
|
|
"value": "f5b3d1128731cac04b2dc955c1a41114"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "First-stage JSE payload - Xchecked via VT: 55821b2be825629d6674884d93006440d131f77bed216d36ea20e4930a280302",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1496752451",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5936a143-846c-4d3f-a468-16e102de0b81",
|
|
"value": "https://www.virustotal.com/file/55821b2be825629d6674884d93006440d131f77bed216d36ea20e4930a280302/analysis/1496733775/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "PowerPoint dropper - Xchecked via VT: 796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1496752451",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5936a143-fc04-47c6-9d2e-16e102de0b81",
|
|
"value": "07a986e018c999c43e9eab1ceb0338e5d60699a8"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "PowerPoint dropper - Xchecked via VT: 796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1496752452",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5936a144-e26c-4d12-8246-16e102de0b81",
|
|
"value": "3bff3e4fec2b6030c89e792c05f049fc"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "PowerPoint dropper - Xchecked via VT: 796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1496752452",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5936a144-1b20-49cc-8589-16e102de0b81",
|
|
"value": "https://www.virustotal.com/file/796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921/analysis/1496730542/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Second-stage EXE payload - Xchecked via VT: 55c69d2b82addd7a0cd3bebe910cd42b7343bd3faa7593356bcdca13dd73a0ef",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1496752453",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5936a145-96f8-4634-9369-16e102de0b81",
|
|
"value": "7633a023852d5a0b625423bffc3bbb14b81c6a0c"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Second-stage EXE payload - Xchecked via VT: 55c69d2b82addd7a0cd3bebe910cd42b7343bd3faa7593356bcdca13dd73a0ef",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1496752453",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5936a145-ebfc-4201-a806-16e102de0b81",
|
|
"value": "13cdbd8c31155610b628423dc2720419"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Second-stage EXE payload - Xchecked via VT: 55c69d2b82addd7a0cd3bebe910cd42b7343bd3faa7593356bcdca13dd73a0ef",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1496752453",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5936a145-f524-400b-8596-16e102de0b81",
|
|
"value": "https://www.virustotal.com/file/55c69d2b82addd7a0cd3bebe910cd42b7343bd3faa7593356bcdca13dd73a0ef/analysis/1496717087/"
|
|
}
|
|
]
|
|
}
|
|
} |