galaxy updated

pull/4/head
Alexandre Dulaunoy 2018-03-21 09:36:04 +01:00
parent 7ea06a1c3a
commit d3ef1747b9
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
2 changed files with 4431 additions and 4093 deletions


@ -99156,6 +99156,30 @@ The Nautilus service listens for HTTP requests from clients to process
</table> </table>
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_gamut_botnet"><a class="anchor" href="#_gamut_botnet"></a><a class="link" href="#_gamut_botnet">Gamut Botnet</a></h3>
<div class="paragraph">
<p>Gamut was found to be downloaded by a Trojan Downloader that arrives as an attachment from a spam email message. The bot installation is quite simple. After the malware binary has been downloaded, it launches itself from its current directory, usually the Windows %Temp% folder and installs itself as a Windows service.
The malware utilizes an anti-VM (virtual machine) trick and terminates itself if it detects that it is running in a virtual machine environment. The bot uses INT 03h trap sporadically in its code, an anti-debugging technique which prevents its code from running within a debugger environment. It can also determine if it is being debugged by using the Kernel32 API - IsDebuggerPresent function.</p>
</div>
<table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2796. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www.bleepingcomputer.com/news/security/necurs-and-gamut-botnets-account-for-97-percent-of-the-internets-spam-emails/">https://www.bleepingcomputer.com/news/security/necurs-and-gamut-botnets-account-for-97-percent-of-the-internets-spam-emails/</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www.trustwave.com/Resources/SpiderLabs-Blog/Gamut-Spambot-Analysis/">https://www.trustwave.com/Resources/SpiderLabs-Blog/Gamut-Spambot-Analysis/</a></p></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_coraldeck"><a class="anchor" href="#_coraldeck"></a><a class="link" href="#_coraldeck">CORALDECK</a></h3> <h3 id="_coraldeck"><a class="anchor" href="#_coraldeck"></a><a class="link" href="#_coraldeck">CORALDECK</a></h3>
<div class="paragraph"> <div class="paragraph">
<p>CORALDECK is an exfiltration tool that searches for specified files and exfiltrates them in password protected archives using hardcoded HTTP POST headers. CORALDECK has been observed dropping and using Winrar to exfiltrate data in password protected RAR files as well as WinImage and zip archives</p> <p>CORALDECK is an exfiltration tool that searches for specified files and exfiltrates them in password protected archives using hardcoded HTTP POST headers. CORALDECK has been observed dropping and using Winrar to exfiltrate data in password protected RAR files as well as WinImage and zip archives</p>
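Review bot: the new Gamut Botnet entry is inserted as Table 2796, and every following hunk of this file is the knock-on renumbering of existing "Table References" captions (CORALDECK moves to 2797, and so on through RoyalDNS at 2812), so nearly all of the 4431 additions and 4093 deletions in this commit are churn in generated HTML rather than content; the substantive change is one description paragraph and two reference links. On that paragraph, the description is carried as a single <p> with a hard line break after "installs itself as a Windows service." and before "The malware utilizes", which renders as one run-on block; a paragraph break in the source description would read better. The entry also goes straight from its paragraph to the references table, whereas the neighbouring CORALDECK entry carries a bulleted list before its table (the </ul> context in the next hunk), so it is worth confirming the source record is complete rather than just the description and refs.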
@ -99174,7 +99198,7 @@ The Nautilus service listens for HTTP requests from clients to process
</ul> </ul>
</div> </div>
<table class="tableblock frame-all grid-all spread"> <table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2796. Table References</caption> <caption class="title">Table 2797. Table References</caption>
<colgroup> <colgroup>
<col style="width: 100%;"> <col style="width: 100%;">
</colgroup> </colgroup>
@ -99210,7 +99234,7 @@ The Nautilus service listens for HTTP requests from clients to process
</ul> </ul>
</div> </div>
<table class="tableblock frame-all grid-all spread"> <table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2797. Table References</caption> <caption class="title">Table 2798. Table References</caption>
<colgroup> <colgroup>
<col style="width: 100%;"> <col style="width: 100%;">
</colgroup> </colgroup>
@ -99240,7 +99264,7 @@ The Nautilus service listens for HTTP requests from clients to process
</ul> </ul>
</div> </div>
<table class="tableblock frame-all grid-all spread"> <table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2798. Table References</caption> <caption class="title">Table 2799. Table References</caption>
<colgroup> <colgroup>
<col style="width: 100%;"> <col style="width: 100%;">
</colgroup> </colgroup>
@ -99276,7 +99300,7 @@ The Nautilus service listens for HTTP requests from clients to process
</ul> </ul>
</div> </div>
<table class="tableblock frame-all grid-all spread"> <table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2799. Table References</caption> <caption class="title">Table 2800. Table References</caption>
<colgroup> <colgroup>
<col style="width: 100%;"> <col style="width: 100%;">
</colgroup> </colgroup>
@ -99312,7 +99336,7 @@ The Nautilus service listens for HTTP requests from clients to process
</ul> </ul>
</div> </div>
<table class="tableblock frame-all grid-all spread"> <table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2800. Table References</caption> <caption class="title">Table 2801. Table References</caption>
<colgroup> <colgroup>
<col style="width: 100%;"> <col style="width: 100%;">
</colgroup> </colgroup>
@ -99342,7 +99366,7 @@ The Nautilus service listens for HTTP requests from clients to process
</ul> </ul>
</div> </div>
<table class="tableblock frame-all grid-all spread"> <table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2801. Table References</caption> <caption class="title">Table 2802. Table References</caption>
<colgroup> <colgroup>
<col style="width: 100%;"> <col style="width: 100%;">
</colgroup> </colgroup>
@ -99372,7 +99396,7 @@ The Nautilus service listens for HTTP requests from clients to process
</ul> </ul>
</div> </div>
<table class="tableblock frame-all grid-all spread"> <table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2802. Table References</caption> <caption class="title">Table 2803. Table References</caption>
<colgroup> <colgroup>
<col style="width: 100%;"> <col style="width: 100%;">
</colgroup> </colgroup>
@ -99402,7 +99426,7 @@ The Nautilus service listens for HTTP requests from clients to process
</ul> </ul>
</div> </div>
<table class="tableblock frame-all grid-all spread"> <table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2803. Table References</caption> <caption class="title">Table 2804. Table References</caption>
<colgroup> <colgroup>
<col style="width: 100%;"> <col style="width: 100%;">
</colgroup> </colgroup>
@ -99432,7 +99456,7 @@ The Nautilus service listens for HTTP requests from clients to process
</ul> </ul>
</div> </div>
<table class="tableblock frame-all grid-all spread"> <table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2804. Table References</caption> <caption class="title">Table 2805. Table References</caption>
<colgroup> <colgroup>
<col style="width: 100%;"> <col style="width: 100%;">
</colgroup> </colgroup>
@ -99465,7 +99489,7 @@ The Nautilus service listens for HTTP requests from clients to process
</ul> </ul>
</div> </div>
<table class="tableblock frame-all grid-all spread"> <table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2805. Table References</caption> <caption class="title">Table 2806. Table References</caption>
<colgroup> <colgroup>
<col style="width: 100%;"> <col style="width: 100%;">
</colgroup> </colgroup>
@ -99501,7 +99525,7 @@ The Nautilus service listens for HTTP requests from clients to process
</ul> </ul>
</div> </div>
<table class="tableblock frame-all grid-all spread"> <table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2806. Table References</caption> <caption class="title">Table 2807. Table References</caption>
<colgroup> <colgroup>
<col style="width: 100%;"> <col style="width: 100%;">
</colgroup> </colgroup>
@ -99531,7 +99555,7 @@ The Nautilus service listens for HTTP requests from clients to process
</ul> </ul>
</div> </div>
<table class="tableblock frame-all grid-all spread"> <table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2807. Table References</caption> <caption class="title">Table 2808. Table References</caption>
<colgroup> <colgroup>
<col style="width: 100%;"> <col style="width: 100%;">
</colgroup> </colgroup>
@ -99564,7 +99588,7 @@ The Nautilus service listens for HTTP requests from clients to process
</ul> </ul>
</div> </div>
<table class="tableblock frame-all grid-all spread"> <table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2808. Table References</caption> <caption class="title">Table 2809. Table References</caption>
<colgroup> <colgroup>
<col style="width: 100%;"> <col style="width: 100%;">
</colgroup> </colgroup>
@ -99597,7 +99621,7 @@ The Nautilus service listens for HTTP requests from clients to process
</ul> </ul>
</div> </div>
<table class="tableblock frame-all grid-all spread"> <table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2809. Table References</caption> <caption class="title">Table 2810. Table References</caption>
<colgroup> <colgroup>
<col style="width: 100%;"> <col style="width: 100%;">
</colgroup> </colgroup>
@ -99617,7 +99641,7 @@ The Nautilus service listens for HTTP requests from clients to process
<p>The RoyalCli backdoor appears to be an evolution of BS2005 and uses familiar encryption and encoding routines. The name RoyalCli was chosen by us due to a debugging path left in the binary: 'c:\users\wizard\documents\visual studio 2010\Projects\RoyalCli\Release\RoyalCli.pdb' RoyalCli and BS2005 both communicate with the attacker&#8217;s command and control (C2) through Internet Explorer (IE) by using the COM interface IWebBrowser2. Due to the nature of the technique, this results in C2 data being cached to disk by the IE process; we&#8217;ll get to this later.</p> <p>The RoyalCli backdoor appears to be an evolution of BS2005 and uses familiar encryption and encoding routines. The name RoyalCli was chosen by us due to a debugging path left in the binary: 'c:\users\wizard\documents\visual studio 2010\Projects\RoyalCli\Release\RoyalCli.pdb' RoyalCli and BS2005 both communicate with the attacker&#8217;s command and control (C2) through Internet Explorer (IE) by using the COM interface IWebBrowser2. Due to the nature of the technique, this results in C2 data being cached to disk by the IE process; we&#8217;ll get to this later.</p>
</div> </div>
<table class="tableblock frame-all grid-all spread"> <table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2810. Table References</caption> <caption class="title">Table 2811. Table References</caption>
<colgroup> <colgroup>
<col style="width: 100%;"> <col style="width: 100%;">
</colgroup> </colgroup>
@ -99634,7 +99658,7 @@ The Nautilus service listens for HTTP requests from clients to process
<div class="sect2"> <div class="sect2">
<h3 id="_royaldns"><a class="anchor" href="#_royaldns"></a><a class="link" href="#_royaldns">RoyalDNS</a></h3> <h3 id="_royaldns"><a class="anchor" href="#_royaldns"></a><a class="link" href="#_royaldns">RoyalDNS</a></h3>
<table class="tableblock frame-all grid-all spread"> <table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2811. Table References</caption> <caption class="title">Table 2812. Table References</caption>
<colgroup> <colgroup>
<col style="width: 100%;"> <col style="width: 100%;">
</colgroup> </colgroup>
@ -99653,7 +99677,7 @@ The Nautilus service listens for HTTP requests from clients to process
</div> </div>
<div id="footer"> <div id="footer">
<div id="footer-text"> <div id="footer-text">
Last updated 2018-03-17 21:33:27 CET Last updated 2018-03-21 09:09:10 CET
</div> </div>
</div> </div>
</body> </body>
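Review bot: this last hunk only bumps the "Last updated" footer timestamp from 2018-03-17 to 2018-03-21, and the second changed file, galaxy.pdf, is a regenerated binary whose diff is suppressed. Both are build artifacts that change on every regeneration regardless of content, which makes the history noisy and the PDF change unreviewable; consider regenerating the HTML and PDF in a separate commit (or in CI on tag) so the one-entry content change stands on its own.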

galaxy.pdf

File diff suppressed because one or more lines are too long