misp-circl-feed/feeds/circl/misp/5a54ca42-e9a0-4d71-a9e6-4f9b950d210f.json

355 lines
No EOL
12 KiB
JSON

{
"Event": {
"analysis": "2",
"date": "2017-09-27",
"extends_uuid": "",
"info": "OSINT - Experts analyzed an Advanced \"all in memory\" CryptoWorm",
"publish_timestamp": "1518771036",
"published": true,
"threat_level_id": "3",
"timestamp": "1516071630",
"uuid": "5a54ca42-e9a0-4d71-a9e6-4f9b950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#00223b",
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008849",
"to_ids": false,
"type": "link",
"uuid": "5a54ca53-f374-44ba-9475-455f950d210f",
"value": "http://securityaffairs.co/wordpress/63488/malware/advanced-memory-cryptoworm.html",
"Tag": [
{
"colour": "#00223b",
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008850",
"to_ids": false,
"type": "comment",
"uuid": "5a5c5cdc-dd14-4415-8ce3-4ae3950d210f",
"value": "Today I want to share a nice Malware analysis having an interesting flow. The \u00e2\u20ac\u0153interesting\u00e2\u20ac\u009d adjective comes from the abilities the given sample owns. Capabilities of exploiting, hard obfuscations and usage of advanced techniques to steal credentials and run commands.\r\n\r\nThe analyzed sample has been provided by a colleague of mine (Alessandro) who received the first stage by eMail. A special thanks to Luca and Edoardo for having recognized XMRig during the last infection stage.",
"Tag": [
{
"colour": "#00223b",
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008850",
"to_ids": true,
"type": "filename",
"uuid": "5a5c5d76-21e8-42fd-8b34-4d39950d210f",
"value": "info6.ps1"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008850",
"to_ids": true,
"type": "url",
"uuid": "5a5c5d76-59e8-46ee-88b7-4240950d210f",
"value": "http://118.184.48.95:8000/"
},
{
"category": "Financial fraud",
"comment": "Monero Address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008851",
"to_ids": false,
"type": "other",
"uuid": "5a5c5dfd-aaac-4c47-9eff-417d950d210f",
"value": "46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516002831",
"to_ids": true,
"type": "sha256",
"uuid": "5a5c5e0f-4364-483b-98c3-4fad950d210f",
"value": "19e15a4288e109405f0181d921d3645e4622c87c4050004357355b7a9bf862cc"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516002831",
"to_ids": true,
"type": "sha256",
"uuid": "5a5c5e0f-0dac-46db-b486-4cbb950d210f",
"value": "038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008851",
"to_ids": true,
"type": "filename",
"uuid": "5a5c5e62-827c-4ed3-94d6-4de0950d210f",
"value": "y1.bat"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "7",
"timestamp": "1516008854",
"uuid": "ef15fe55-96db-4f8e-a563-90107aa04fd8",
"ObjectReference": [
{
"comment": "",
"object_uuid": "ef15fe55-96db-4f8e-a563-90107aa04fd8",
"referenced_uuid": "f12256d2-41cd-4eb1-bbd1-fb0128573238",
"relationship_type": "analysed-with",
"timestamp": "1518771036",
"uuid": "5a5c759a-d860-423d-b8e8-417702de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1516008852",
"to_ids": true,
"type": "sha1",
"uuid": "5a5c7594-c11c-4a83-bf8d-42f702de0b81",
"value": "8da156580747bf9ef8fa4d1c42ee112ab743da69"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1516008852",
"to_ids": true,
"type": "md5",
"uuid": "5a5c7594-fdd4-4116-ba61-4f5e02de0b81",
"value": "9ac3bdb9378cd1fafbb8e08def738481"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1516008852",
"to_ids": true,
"type": "sha256",
"uuid": "5a5c7594-dc68-4253-a790-454802de0b81",
"value": "038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "1",
"timestamp": "1516008853",
"uuid": "f12256d2-41cd-4eb1-bbd1-fb0128573238",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1516008853",
"to_ids": false,
"type": "link",
"uuid": "5a5c7595-db48-49f6-84da-459f02de0b81",
"value": "https://www.virustotal.com/file/038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309/analysis/1513112352/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1516008853",
"to_ids": false,
"type": "text",
"uuid": "5a5c7595-4a78-4b7d-b6d0-422f02de0b81",
"value": "47/67"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1516008854",
"to_ids": false,
"type": "datetime",
"uuid": "5a5c7596-3728-4530-b061-411f02de0b81",
"value": "2017-12-12T20:59:12"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "7",
"timestamp": "1516008857",
"uuid": "d932fbce-6248-4955-bf1c-ddbd669a67b3",
"ObjectReference": [
{
"comment": "",
"object_uuid": "d932fbce-6248-4955-bf1c-ddbd669a67b3",
"referenced_uuid": "c46c80e3-a03a-497f-87ee-816333479203",
"relationship_type": "analysed-with",
"timestamp": "1518771036",
"uuid": "5a5c759a-3aac-478c-874d-482902de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1516008854",
"to_ids": true,
"type": "sha1",
"uuid": "5a5c7596-2d24-46fd-b61a-488802de0b81",
"value": "686761aff5e4efedbc5b2931c0f214d8ba7b9463"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1516008854",
"to_ids": true,
"type": "md5",
"uuid": "5a5c7596-ffec-4371-921c-4b1302de0b81",
"value": "8365158c74008879df00a9d49e61aaea"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1516008855",
"to_ids": true,
"type": "sha256",
"uuid": "5a5c7597-0f38-4b34-865c-47fe02de0b81",
"value": "19e15a4288e109405f0181d921d3645e4622c87c4050004357355b7a9bf862cc"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "1",
"timestamp": "1516008855",
"uuid": "c46c80e3-a03a-497f-87ee-816333479203",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1516008856",
"to_ids": false,
"type": "link",
"uuid": "5a5c7598-efc4-400f-9451-4f2502de0b81",
"value": "https://www.virustotal.com/file/19e15a4288e109405f0181d921d3645e4622c87c4050004357355b7a9bf862cc/analysis/1513112312/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1516008857",
"to_ids": false,
"type": "text",
"uuid": "5a5c7599-bbfc-49f5-bf91-417d02de0b81",
"value": "30/65"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1516008857",
"to_ids": false,
"type": "datetime",
"uuid": "5a5c7599-ce88-4d2a-9ccd-446c02de0b81",
"value": "2017-12-12T20:58:32"
}
]
}
]
}
}