{
"Event": {
"analysis": "2",
"date": "2016-11-10",
"extends_uuid": "",
"info": "OSINT - Floki Bot and the stealthy dropper",
"publish_timestamp": "1478813764",
"published": true,
"threat_level_id": "3",
"timestamp": "1478812896",
"uuid": "5824e43f-9370-463b-9681-452b950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
},
{
"colour": "#3a7300",
"local": false,
"name": "circl:incident-classification=\"malware\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478812754",
"to_ids": false,
"type": "link",
"uuid": "5824e452-b3a0-4edd-8102-45ff950d210f",
"value": "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478812784",
"to_ids": false,
"type": "comment",
"uuid": "5824e470-175c-4fc9-b8ca-48f1950d210f",
"value": "Floki Bot, described recently by Dr. Peter Stephenson from SC Magazine, is yet another bot based on the leaked Zeus code. However, the author came up with various custom modifications that makes it more interesting.\r\n\r\nAccording to the advertisements announced on the black market, this bot is capable of making very stealthy injections, evading many mechanisms of detection. We decided to take a look at what are the tricks behind it. It turned out, that although the injection method that the dropper uses is not novel by itself, but it comes with few interesting twists, that are not so commonly used in malware."
},
{
"category": "Payload delivery",
"comment": "dropper <- main focus of this analysis",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478812844",
"to_ids": true,
"type": "md5",
"uuid": "5824e4ac-0070-4ea1-b3ec-44c6950d210f",
"value": "5649e7a200df2fb85ad1fb5a723bef22"
},
{
"category": "Payload delivery",
"comment": "core module \u2013 bot 32bit",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478812845",
"to_ids": true,
"type": "md5",
"uuid": "5824e4ad-3450-453f-8fa8-4506950d210f",
"value": "e54d28a24c976348c438f45281d68c54"
},
{
"category": "Payload delivery",
"comment": "core module \u2013 bot 64bit",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478812845",
"to_ids": true,
"type": "md5",
"uuid": "5824e4ad-fedc-4697-90e7-46f5950d210f",
"value": "d4c5384da41fd391d16eff60abc21405"
},
{
"category": "Payload delivery",
"comment": "core module \u2013 bot 64bit - Xchecked via VT: d4c5384da41fd391d16eff60abc21405",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478812896",
"to_ids": true,
"type": "sha256",
"uuid": "5824e4e0-9608-4753-8cb8-4eea02de0b81",
"value": "0522bfea61ab0db154cde9c1217c90547bd46ba1be0fc6a17bfb4b52e8241a63"
},
{
"category": "Payload delivery",
"comment": "core module \u2013 bot 64bit - Xchecked via VT: d4c5384da41fd391d16eff60abc21405",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478812897",
"to_ids": true,
"type": "sha1",
"uuid": "5824e4e1-e038-4976-b573-49df02de0b81",
"value": "75f47640299fc2b33492c3640128d58ac2dc1463"
},
{
"category": "External analysis",
"comment": "core module \u2013 bot 64bit - Xchecked via VT: d4c5384da41fd391d16eff60abc21405",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478812897",
"to_ids": false,
"type": "link",
"uuid": "5824e4e1-6e98-430a-aae0-46cb02de0b81",
"value": "https://www.virustotal.com/file/0522bfea61ab0db154cde9c1217c90547bd46ba1be0fc6a17bfb4b52e8241a63/analysis/1478618112/"
},
{
"category": "Payload delivery",
"comment": "core module \u2013 bot 32bit - Xchecked via VT: e54d28a24c976348c438f45281d68c54",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478812898",
"to_ids": true,
"type": "sha256",
"uuid": "5824e4e2-12f4-4f88-bd09-49d302de0b81",
"value": "5d2ee0440314f7229a126baa152e43473d771591e818f8317275c175fd888f23"
},
{
"category": "Payload delivery",
"comment": "core module \u2013 bot 32bit - Xchecked via VT: e54d28a24c976348c438f45281d68c54",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478812899",
"to_ids": true,
"type": "sha1",
"uuid": "5824e4e3-2ecc-4f5a-9348-46a902de0b81",
"value": "3cd014e2ebdb8dd679deb70cd1005b0a2b8283e7"
},
{
"category": "External analysis",
"comment": "core module \u2013 bot 32bit - Xchecked via VT: e54d28a24c976348c438f45281d68c54",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478812899",
"to_ids": false,
"type": "link",
"uuid": "5824e4e3-4e10-4f41-bbf8-4b9002de0b81",
"value": "https://www.virustotal.com/file/5d2ee0440314f7229a126baa152e43473d771591e818f8317275c175fd888f23/analysis/1478618090/"
},
{
"category": "Payload delivery",
"comment": "dropper <- main focus of this analysis - Xchecked via VT: 5649e7a200df2fb85ad1fb5a723bef22",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478812900",
"to_ids": true,
"type": "sha256",
"uuid": "5824e4e4-77c4-4c25-b06e-412402de0b81",
"value": "5e1967db286d886b87d1ec655559b9af694fc6e002fea3a6c7fd3c6b0b49ea6e"
},
{
"category": "Payload delivery",
"comment": "dropper <- main focus of this analysis - Xchecked via VT: 5649e7a200df2fb85ad1fb5a723bef22",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478812900",
"to_ids": true,
"type": "sha1",
"uuid": "5824e4e4-0ca8-47a7-aeec-4e4102de0b81",
"value": "b057d20122048001850afeca671fd31dbcdd1c76"
},
{
"category": "External analysis",
"comment": "dropper <- main focus of this analysis - Xchecked via VT: 5649e7a200df2fb85ad1fb5a723bef22",
"deleted": false,
"disable_correlation": false,
"timestamp": "1478812900",
"to_ids": false,
"type": "link",
"uuid": "5824e4e4-5228-4344-8a68-474a02de0b81",
"value": "https://www.virustotal.com/file/5e1967db286d886b87d1ec655559b9af694fc6e002fea3a6c7fd3c6b0b49ea6e/analysis/1478549521/"
}
]
}
}