{
"Event": {
"analysis": "2",
"date": "2018-06-08",
"extends_uuid": "",
"info": "OSINT - PLEAD Downloader Used by BlackTech",
"publish_timestamp": "1528904315",
"published": true,
"threat_level_id": "3",
"timestamp": "1528891759",
"uuid": "5b1a247e-2ca0-4132-9210-4b5c950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#3b7500",
"local": "0",
"name": "circl:incident-classification=\"malware\"",
"relationship_type": ""
},
{
"colour": "#00223b",
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
},
{
"colour": "#440055",
"local": "0",
"name": "ms-caro-malware:malware-type=\"RemoteAccess\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:tool=\"PLEAD Downloader\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528440980",
"to_ids": false,
"type": "link",
"uuid": "5b1a2875-c1a4-4f26-bd0e-4114950d210f",
"value": "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html",
"Tag": [
{
"colour": "#00223b",
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528440988",
"to_ids": false,
"type": "text",
"uuid": "5b1a288c-3f38-4fe7-ae67-4bf8950d210f",
"value": "In a past article, we introduced TSCookie, malware which seems to be used by BlackTech[1]. It has been revealed that this actor also uses another type of malware \u201cPLEAD\u201d. (\u201cPLEAD\u201d is referred to both as a name of malware including TSCookie and its attack campaign [2]. In this article, we refer to \u201cPLEAD\u201d as a type malware apart from TSCookie.) PLEAD has two kinds \u2013 RAT (Remote Access Tool) and downloader. The RAT operates based on commands that are provided from C&C servers.\u3000(Please refer to a blog post from LAC for more information [3].) On the other hand, PLEAD downloader downloads modules and runs it on memory in the same way as TSCookie does.\r\n\r\nThis article presents behaviour of PLEAD downloader in detail.",
"Tag": [
{
"colour": "#00223b",
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
]
},
{
"category": "Network activity",
"comment": "C&C Servers",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528443752",
"to_ids": true,
"type": "hostname",
"uuid": "5b1a3368-3038-4087-9526-48ad950d210f",
"value": "em.totalpople.info"
},
{
"category": "Network activity",
"comment": "C&C Servers",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528443753",
"to_ids": true,
"type": "hostname",
"uuid": "5b1a3369-e80c-44c4-9aea-4ac3950d210f",
"value": "office.panasocin.com"
},
{
"category": "Network activity",
"comment": "C&C Servers",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528443754",
"to_ids": true,
"type": "hostname",
"uuid": "5b1a336a-8174-4113-8e83-40b1950d210f",
"value": "gstrap.jkub.com"
},
{
"category": "Network activity",
"comment": "C&C Servers",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528443755",
"to_ids": true,
"type": "hostname",
"uuid": "5b1a336b-1bac-43b5-a0b3-4d10950d210f",
"value": "woc.yasonbin.info"
},
{
"category": "Network activity",
"comment": "C&C Servers",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528443756",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b1a336c-85bc-4802-b014-4eda950d210f",
"value": "210.71.209.206"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
"meta-category": "misc",
"name": "microblog",
"template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",
"template_version": "4",
"timestamp": "1528440408",
"uuid": "5b1a2658-b030-445a-a759-4d35950d210f",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "post",
"timestamp": "1528440408",
"to_ids": false,
"type": "text",
"uuid": "5b1a2658-cc14-4c7f-8628-4f2d950d210f",
"value": "New Blog Post: PLEAD Downloader Used by BlackTech ^ST"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1528440408",
"to_ids": false,
"type": "text",
"uuid": "5b1a2658-532c-44e0-a108-4a3e950d210f",
"value": "Twitter"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1528440408",
"to_ids": true,
"type": "url",
"uuid": "5b1a2658-2a94-4db5-8438-4423950d210f",
"value": "https://mobile.twitter.com/jpcert_en/status/1004964546195279872"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1528440409",
"to_ids": true,
"type": "url",
"uuid": "5b1a2659-9eb4-47eb-8195-4a47950d210f",
"value": "https://t.co/keNYZ2kyzs?amp=1"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1528440409",
"to_ids": true,
"type": "url",
"uuid": "5b1a2659-8ef8-4001-a42a-444c950d210f",
"value": "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "creation-date",
"timestamp": "1528440410",
"to_ids": false,
"type": "datetime",
"uuid": "5b1a265a-f408-4e74-ae87-4927950d210f",
"value": "2018-06-08T07:53:00"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "username",
"timestamp": "1528440410",
"to_ids": false,
"type": "text",
"uuid": "5b1a265a-d9d0-486b-8a42-4f6c950d210f",
"value": "@jpcert_en"
}
]
},
{
"comment": "PLEAD",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1528442218",
"uuid": "5b1a2d6a-5750-4781-8f5b-4851950d210f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1528442218",
"to_ids": true,
"type": "sha256",
"uuid": "5b1a2d6a-fe14-407e-afbd-4841950d210f",
"value": "bc2c8cc9896cdd5816509f43cb5dca7433198251d754a997a70db7e8ed5cca40"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1528442219",
"to_ids": false,
"type": "text",
"uuid": "5b1a2d6b-52d0-4e93-89ee-4480950d210f",
"value": "Malicious"
}
]
},
{
"comment": "PLEAD",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1528442279",
"uuid": "5b1a2da7-ed88-444a-89e2-4906950d210f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1528442279",
"to_ids": true,
"type": "sha256",
"uuid": "5b1a2da7-3248-4ae5-8beb-4f2c950d210f",
"value": "a26df4f62ada084a596bf0f603691bc9c02024be98abec4a9872f0ff0085f940"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1528442280",
"to_ids": false,
"type": "text",
"uuid": "5b1a2da8-8e68-4a0e-a552-4ad8950d210f",
"value": "Malicious"
}
]
},
{
"comment": "PLEAD",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1528442988",
"uuid": "5b1a306c-bd54-4540-a856-45c0950d210f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1528442989",
"to_ids": true,
"type": "sha256",
"uuid": "5b1a306d-d98c-4e68-9952-46f1950d210f",
"value": "2ddb2030ab3373b9438102b541aa4623b7dfee972850dcef05742ecbe8982e22"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1528442990",
"to_ids": false,
"type": "text",
"uuid": "5b1a306e-df9c-43ab-ab1a-4e7c950d210f",
"value": "Malicious"
}
]
},
{
"comment": "PLEAD",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1528443127",
"uuid": "5b1a30f7-6900-4a9a-bbb4-4302950d210f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1528443128",
"to_ids": true,
"type": "sha256",
"uuid": "5b1a30f8-6de8-4f92-acde-48b3950d210f",
"value": "eec3f761f7eabe9ed569f39e896be24c9bbb8861b15dbde1b3d539505cd9dd8d"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1528443128",
"to_ids": false,
"type": "text",
"uuid": "5b1a30f8-dee4-417d-a76a-4596950d210f",
"value": "Malicious"
}
]
},
{
"comment": "PLEAD Module",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1528443542",
"uuid": "5b1a3296-49dc-44e9-92a5-49e3950d210f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1528443542",
"to_ids": true,
"type": "sha256",
"uuid": "5b1a3296-78fc-4309-9e44-4d49950d210f",
"value": "23f554cc5bea9d4ccd62b0bbccaa4599f225ebce4ad956a576cc1a9b2a73dc15"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1528443543",
"to_ids": false,
"type": "text",
"uuid": "5b1a3297-ec90-4006-9f8a-47a3950d210f",
"value": "Malicious"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1528874969",
"uuid": "a0d856e3-b418-4bb2-b43d-6d49deb9ad90",
"ObjectReference": [
{
"comment": "",
"object_uuid": "a0d856e3-b418-4bb2-b43d-6d49deb9ad90",
"referenced_uuid": "73db3348-942a-4a3d-b49c-2b583a468f0e",
"relationship_type": "analysed-with",
"timestamp": "1528874975",
"uuid": "5b20c7df-73b0-4913-8b78-a44802de0b81"
}
],
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1528874967",
"uuid": "73db3348-942a-4a3d-b49c-2b583a468f0e",
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1528874971",
"uuid": "4219f752-d15a-432c-a61f-96110776542c",
"ObjectReference": [
{
"comment": "",
"object_uuid": "4219f752-d15a-432c-a61f-96110776542c",
"referenced_uuid": "14f64b5c-4b8f-466f-adb7-6ae747ea8d3a",
"relationship_type": "analysed-with",
"timestamp": "1528874975",
"uuid": "5b20c7df-7be0-4c52-b75e-a44802de0b81"
}
],
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1528874969",
"uuid": "14f64b5c-4b8f-466f-adb7-6ae747ea8d3a",
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1528874973",
"uuid": "b1043de8-cbda-4643-ba40-b859674fcb3b",
"ObjectReference": [
{
"comment": "",
"object_uuid": "b1043de8-cbda-4643-ba40-b859674fcb3b",
"referenced_uuid": "94567159-8daf-424a-931c-a92997695b6e",
"relationship_type": "analysed-with",
"timestamp": "1528874975",
"uuid": "5b20c7df-0310-4453-b65c-a44802de0b81"
}
],
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1528874972",
"uuid": "94567159-8daf-424a-931c-a92997695b6e",
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1528874976",
"uuid": "e31dadf4-722b-4f28-aae2-7970b10d50f7",
"ObjectReference": [
{
"comment": "",
"object_uuid": "e31dadf4-722b-4f28-aae2-7970b10d50f7",
"referenced_uuid": "12242c4a-f4d9-444f-abd3-27deff5869a1",
"relationship_type": "analysed-with",
"timestamp": "1528874975",
"uuid": "5b20c7df-67e8-4101-be73-a44802de0b81"
}
],
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1528874974",
"uuid": "12242c4a-f4d9-444f-abd3-27deff5869a1",
"Attribute": []
}
]
}
}