355 lines
No EOL
12 KiB
JSON
355 lines
No EOL
12 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2017-09-27",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Experts analyzed an Advanced \"all in memory\" CryptoWorm",
|
|
"publish_timestamp": "1518771036",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1516071630",
|
|
"uuid": "5a54ca42-e9a0-4d71-a9e6-4f9b950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1516008849",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a54ca53-f374-44ba-9475-455f950d210f",
|
|
"value": "http://securityaffairs.co/wordpress/63488/malware/advanced-memory-cryptoworm.html",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1516008850",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "5a5c5cdc-dd14-4415-8ce3-4ae3950d210f",
|
|
"value": "Today I want to share a nice Malware analysis having an interesting flow. The \u00e2\u20ac\u0153interesting\u00e2\u20ac\u009d adjective comes from the abilities the given sample owns. Capabilities of exploiting, hard obfuscations and usage of advanced techniques to steal credentials and run commands.\r\n\r\nThe analyzed sample has been provided by a colleague of mine (Alessandro) who received the first stage by eMail. A special thanks to Luca and Edoardo for having recognized XMRig during the last infection stage.",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1516008850",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "5a5c5d76-21e8-42fd-8b34-4d39950d210f",
|
|
"value": "info6.ps1"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1516008850",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5a5c5d76-59e8-46ee-88b7-4240950d210f",
|
|
"value": "http://118.184.48.95:8000/"
|
|
},
|
|
{
|
|
"category": "Financial fraud",
|
|
"comment": "Monero Address",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1516008851",
|
|
"to_ids": false,
|
|
"type": "other",
|
|
"uuid": "5a5c5dfd-aaac-4c47-9eff-417d950d210f",
|
|
"value": "46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1516002831",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a5c5e0f-4364-483b-98c3-4fad950d210f",
|
|
"value": "19e15a4288e109405f0181d921d3645e4622c87c4050004357355b7a9bf862cc"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1516002831",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a5c5e0f-0dac-46db-b486-4cbb950d210f",
|
|
"value": "038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1516008851",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "5a5c5e62-827c-4ed3-94d6-4de0950d210f",
|
|
"value": "y1.bat"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1516008854",
|
|
"uuid": "ef15fe55-96db-4f8e-a563-90107aa04fd8",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "ef15fe55-96db-4f8e-a563-90107aa04fd8",
|
|
"referenced_uuid": "f12256d2-41cd-4eb1-bbd1-fb0128573238",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1518771036",
|
|
"uuid": "5a5c759a-d860-423d-b8e8-417702de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1516008852",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a5c7594-c11c-4a83-bf8d-42f702de0b81",
|
|
"value": "8da156580747bf9ef8fa4d1c42ee112ab743da69"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1516008852",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5a5c7594-fdd4-4116-ba61-4f5e02de0b81",
|
|
"value": "9ac3bdb9378cd1fafbb8e08def738481"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1516008852",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a5c7594-dc68-4253-a790-454802de0b81",
|
|
"value": "038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "1",
|
|
"timestamp": "1516008853",
|
|
"uuid": "f12256d2-41cd-4eb1-bbd1-fb0128573238",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1516008853",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a5c7595-db48-49f6-84da-459f02de0b81",
|
|
"value": "https://www.virustotal.com/file/038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309/analysis/1513112352/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1516008853",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5a5c7595-4a78-4b7d-b6d0-422f02de0b81",
|
|
"value": "47/67"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1516008854",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "5a5c7596-3728-4530-b061-411f02de0b81",
|
|
"value": "2017-12-12T20:59:12"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1516008857",
|
|
"uuid": "d932fbce-6248-4955-bf1c-ddbd669a67b3",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "d932fbce-6248-4955-bf1c-ddbd669a67b3",
|
|
"referenced_uuid": "c46c80e3-a03a-497f-87ee-816333479203",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1518771036",
|
|
"uuid": "5a5c759a-3aac-478c-874d-482902de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1516008854",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a5c7596-2d24-46fd-b61a-488802de0b81",
|
|
"value": "686761aff5e4efedbc5b2931c0f214d8ba7b9463"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1516008854",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5a5c7596-ffec-4371-921c-4b1302de0b81",
|
|
"value": "8365158c74008879df00a9d49e61aaea"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1516008855",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a5c7597-0f38-4b34-865c-47fe02de0b81",
|
|
"value": "19e15a4288e109405f0181d921d3645e4622c87c4050004357355b7a9bf862cc"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "1",
|
|
"timestamp": "1516008855",
|
|
"uuid": "c46c80e3-a03a-497f-87ee-816333479203",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1516008856",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a5c7598-efc4-400f-9451-4f2502de0b81",
|
|
"value": "https://www.virustotal.com/file/19e15a4288e109405f0181d921d3645e4622c87c4050004357355b7a9bf862cc/analysis/1513112312/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1516008857",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5a5c7599-bbfc-49f5-bf91-417d02de0b81",
|
|
"value": "30/65"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1516008857",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "5a5c7599-ce88-4d2a-9ccd-446c02de0b81",
|
|
"value": "2017-12-12T20:58:32"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |