adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/5870f5e0-ff9c-414f-ad38-46d4950d210f.json

215 lines
No EOL
8.4 KiB
JSON
Raw Blame History

{
"Event": {
"analysis": "2",
"date": "2017-01-07",
"extends_uuid": "",
"info": "OSINT - The curious case of a Sundown EK variant dropping a Cryptocurrency Miner",
"publish_timestamp": "1483798369",
"published": true,
"threat_level_id": "3",
"timestamp": "1483798339",
"uuid": "5870f5e0-ff9c-414f-ad38-46d4950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:exploit-kit=\"Sundown\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483798029",
"to_ids": false,
"type": "link",
"uuid": "5870f60d-a3cc-49c4-b039-4cf7950d210f",
"value": "https://blog.malwarebytes.com/cybercrime/2017/01/the-curious-case-of-a-sundown-ek-variant-dropping-a-cryptocurrency-miner/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483798061",
"to_ids": false,
"type": "comment",
"uuid": "5870f62d-ce08-476c-9679-487d950d210f",
"value": "We recently encountered an atypical case of Sundown EK in the wild \u00e2\u20ac\u201c usually the landing page is obfuscated, but in this case there was plain JavaScript. The exploit was dropping some malicious payloads that we took for further analysis. It turned out that they are also atypical by many means. In this article, we will describe the details of our investigation."
},
{
"category": "Payload delivery",
"comment": "original sample, dropped by EK (UPX packed)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483798091",
"to_ids": true,
"type": "md5",
"uuid": "5870f64b-7e14-4246-8a21-4b78950d210f",
"value": "0f597c738f2e1a58c03a69f66825fa80"
},
{
"category": "Payload delivery",
"comment": "payload (miner) \u00e2\u20ac\u201c UPX packed",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483798091",
"to_ids": true,
"type": "md5",
"uuid": "5870f64b-2f3c-46bb-b17e-483b950d210f",
"value": "22e4113fb0a9d136a56988f7a10c46b8"
},
{
"category": "Payload delivery",
"comment": "payload (miner) \u00e2\u20ac\u201c UPX layer removed",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483798092",
"to_ids": true,
"type": "md5",
"uuid": "5870f64c-9efc-4747-8a05-4955950d210f",
"value": "9f2c0ae3cb7ae032bd66f025fcb93f03"
},
{
"category": "Attribution",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483798145",
"to_ids": true,
"type": "whois-registrant-email",
"uuid": "5870f681-170c-4155-8339-4df7950d210f",
"value": "lovemonero2.worker@hotmail.com"
},
{
"category": "Social network",
"comment": "The name of the user \u00e2\u20ac\u201c LoveMonero \u00e2\u20ac\u201c suggests that this application is not used to mine Bitcoins, but another cryptocurrency \u00e2\u20ac\u201c Monero. This choice makes sense, because the pool of bitcoins is more and more saturated \u00e2\u20ac\u201c and nowadays mining them is much more difficult and resource-consuming than it was in the past, when this currency was still young.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483798257",
"to_ids": true,
"type": "github-username",
"uuid": "5870f6f1-e8cc-4c33-ab88-4840950d210f",
"value": "lovemonero"
},
{
"category": "Payload delivery",
"comment": "original sample, dropped by EK (UPX packed) - Xchecked via VT: 0f597c738f2e1a58c03a69f66825fa80",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483798270",
"to_ids": true,
"type": "sha256",
"uuid": "5870f6fe-c400-4386-8952-4eec02de0b81",
"value": "3826017cc19f829ccc17893803de42028cd1ebbd99dad24ab9ed984c9dae57b8"
},
{
"category": "Payload delivery",
"comment": "original sample, dropped by EK (UPX packed) - Xchecked via VT: 0f597c738f2e1a58c03a69f66825fa80",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483798270",
"to_ids": true,
"type": "sha1",
"uuid": "5870f6ff-8d84-4239-97c4-485302de0b81",
"value": "c18732f554b87ee6d866b9ee7a4d2fb202b1853f"
},
{
"category": "External analysis",
"comment": "original sample, dropped by EK (UPX packed) - Xchecked via VT: 0f597c738f2e1a58c03a69f66825fa80",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483798271",
"to_ids": false,
"type": "link",
"uuid": "5870f6ff-374c-470d-9a07-417802de0b81",
"value": "https://www.virustotal.com/file/3826017cc19f829ccc17893803de42028cd1ebbd99dad24ab9ed984c9dae57b8/analysis/1483650552/"
},
{
"category": "Payload delivery",
"comment": "payload (miner) \u00e2\u20ac\u201c UPX packed - Xchecked via VT: 22e4113fb0a9d136a56988f7a10c46b8",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483798272",
"to_ids": true,
"type": "sha256",
"uuid": "5870f700-7a9c-4102-a5c1-4f2902de0b81",
"value": "30ba2cbe1202a96258d605d7318d1775d616b4bf3dcabd155b531128464daa2d"
},
{
"category": "Payload delivery",
"comment": "payload (miner) \u00e2\u20ac\u201c UPX packed - Xchecked via VT: 22e4113fb0a9d136a56988f7a10c46b8",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483798273",
"to_ids": true,
"type": "sha1",
"uuid": "5870f701-26f0-4fc5-b27f-49ab02de0b81",
"value": "046692b4c5bcceb8ce1cbe551018325f184af453"
},
{
"category": "External analysis",
"comment": "payload (miner) \u00e2\u20ac\u201c UPX packed - Xchecked via VT: 22e4113fb0a9d136a56988f7a10c46b8",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483798273",
"to_ids": false,
"type": "link",
"uuid": "5870f701-7850-40e5-9965-4a5702de0b81",
"value": "https://www.virustotal.com/file/30ba2cbe1202a96258d605d7318d1775d616b4bf3dcabd155b531128464daa2d/analysis/1483749344/"
},
{
"category": "Payload delivery",
"comment": "payload (miner) \u00e2\u20ac\u201c UPX layer removed - Xchecked via VT: 9f2c0ae3cb7ae032bd66f025fcb93f03",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483798274",
"to_ids": true,
"type": "sha256",
"uuid": "5870f702-ceb8-45fe-b8f0-468d02de0b81",
"value": "541888040a3c01902d646ba13a8d48bdf5d18da917820e1b06075beed205fd55"
},
{
"category": "Payload delivery",
"comment": "payload (miner) \u00e2\u20ac\u201c UPX layer removed - Xchecked via VT: 9f2c0ae3cb7ae032bd66f025fcb93f03",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483798275",
"to_ids": true,
"type": "sha1",
"uuid": "5870f703-6b48-4ba7-b8ba-400302de0b81",
"value": "92eda16f5af5c722fd31b735aa7ae45f2a1abe3b"
},
{
"category": "External analysis",
"comment": "payload (miner) \u00e2\u20ac\u201c UPX layer removed - Xchecked via VT: 9f2c0ae3cb7ae032bd66f025fcb93f03",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483798276",
"to_ids": false,
"type": "link",
"uuid": "5870f704-7df0-425d-886f-493c02de0b81",
"value": "https://www.virustotal.com/file/541888040a3c01902d646ba13a8d48bdf5d18da917820e1b06075beed205fd55/analysis/1483676986/"
}
]
}
}
Reference in a new issue View git blame Copy permalink