Busy Buzzard
Common Information
Type | Value |
---|---|
UUID | 6acc96d3-9127-4a5f-9098-f2536834707f |
Fingerprint | 0dfdb8a5fb0cc76d03ddf3dc3fa0946d3a9e27d37a7eab01fcc935d97bfe87b4 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Feb. 9, 2023, 3:52 p.m. |
Added to db | Nov. 6, 2024, 11:05 a.m. |
Last updated | Nov. 6, 2024, 11:08 a.m. |
Headline | Busy Buzzard |
Title | Busy Buzzard |
Detected Hints/Tags/Attributes | 83/3/75 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 46 | jsac.jpcert.or.jp |
|
Details | Domain | 182 | www.mandiant.com |
|
Details | Domain | 18 | blog.trendmicro.co.jp |
|
Details | Domain | 19 | www.pwc.co.uk |
|
Details | Domain | 4 | www.rare-coisns.com |
|
Details | Domain | 53 | ncsc.gov.uk |
|
Details | 22 | ncscinfoleg@ncsc.gov.uk |
||
Details | File | 1 | 0x2b28af80000.dmp |
|
Details | File | 1 | 0x2b28b200000.dmp |
|
Details | File | 1122 | svchost.exe |
|
Details | File | 1 | 2b28af80000-2b28af92fff.dmp |
|
Details | File | 1 | 2b28b200000-2b28b202fff.dmp |
|
Details | File | 1 | 0b182464a2351a9d79c1222bb1fdf35e.dll |
|
Details | File | 3 | 10000000.dll |
|
Details | File | 3 | rec.dll |
|
Details | File | 1 | mylib.dll |
|
Details | File | 748 | kernel32.dll |
|
Details | File | 5 | jsac2021_202_niwa-yanagishita_en.pdf |
|
Details | File | 8 | vmwarehostopen.exe |
|
Details | File | 1 | cloud-hopper-annex-b-final.pdf |
|
Details | File | 13 | www.rar |
|
Details | File | 1206 | index.php |
|
Details | File | 3 | httpswin32.dll |
|
Details | File | 3 | tcpcx64.dll |
|
Details | md5 | 1 | bbc49eac5b7c30708704233416694591 |
|
Details | md5 | 1 | c5af2332d8f7bdd56ed2ae0091422153 |
|
Details | md5 | 1 | d40a4f0b426b5500d0e7e331f99c6aca |
|
Details | md5 | 1 | f11471c0667eb010a319bb4765ed72c7 |
|
Details | md5 | 1 | c0e649fa591ed6c5746d394cb2de3c72 |
|
Details | md5 | 1 | 0b182464a2351a9d79c1222bb1fdf35e |
|
Details | md5 | 3 | 037261d5571813b9640921afac8aafbe |
|
Details | md5 | 3 | c5994f9fe4f58c38a8d2af3021028310 |
|
Details | sha1 | 1 | 8fd99d9066020003358aa3e23c9af3d4911ce979 |
|
Details | sha1 | 1 | f737067d41bc77dc7dd09ecb6eb710619bc2dfde |
|
Details | sha1 | 1 | 266852db4ad2d293469515820fd5e7c228cd4b3e |
|
Details | sha1 | 1 | cf6339501de54590f8bbbc3cfb8051b95f6a1a42 |
|
Details | sha1 | 1 | d2b8f4fe6eedb8b87521772fc823da596f2403b7 |
|
Details | sha1 | 1 | 6a673508d46c0bbff74ee24384c8bc841c11ea4d |
|
Details | sha1 | 1 | e74affd6c766156e3fe803917f28da08fe7000ef |
|
Details | sha1 | 1 | 48152eeb1d74a84ba86b34f419cf1c7a105e41ff |
|
Details | sha256 | 1 | 41daf4c86e14da87bf2f94b36115a1e7da76d14af0aba0c251bb3e9dbfb40bad |
|
Details | sha256 | 1 | 6cf6d1a9caee970bcb393a085d1dbb1f01a81fa684f6faf7ddbf0253302e1a4e |
|
Details | sha256 | 1 | 79024943b61d9c7fe7f8e225f2825ee4fbdeb6dcf2ecdfda3f6414bd6f87bf32 |
|
Details | sha256 | 1 | bd6992029c879b74b255aeb3549b8da487aff75d3f614832c23b4cd3717a067b |
|
Details | sha256 | 3 | 83030f299a776114878bcd2ade585d97836ef4ddb6943cb796be2c88bcb83a83 |
|
Details | sha256 | 1 | 6b52fd7ee1442b4ed2c675f958a42a6c793bfe14a75de0988c4381367284f085 |
|
Details | sha256 | 1 | 9d6e14cd244f6c49e11d2b47f12116b5848aaed7a6aaa218fb023b33f7c12a3b |
|
Details | sha256 | 1 | ca9bcf268330a4fffcec025920514e0071651c35895b15b2f1dab8813c8b8e99 |
|
Details | IPv4 | 1 | 206.189.46.22 |
|
Details | IPv4 | 8 | 88.198.101.58 |
|
Details | MITRE ATT&CK Techniques | 120 | T1129 |
|
Details | MITRE ATT&CK Techniques | 239 | T1106 |
|
Details | MITRE ATT&CK Techniques | 4 | T1055.009 |
|
Details | MITRE ATT&CK Techniques | 97 | T1497.001 |
|
Details | MITRE ATT&CK Techniques | 585 | T1083 |
|
Details | MITRE ATT&CK Techniques | 1006 | T1082 |
|
Details | MITRE ATT&CK Techniques | 245 | T1016 |
|
Details | MITRE ATT&CK Techniques | 86 | T1124 |
|
Details | MITRE ATT&CK Techniques | 442 | T1071.001 |
|
Details | MITRE ATT&CK Techniques | 159 | T1095 |
|
Details | MITRE ATT&CK Techniques | 163 | T1573 |
|
Details | Url | 1 | http://jsac.jpcert.or.jp/archive/2021/pdf/jsac2021_202_niwa-yanagishita_en.pdf |
|
Details | Url | 1 | https://www.mandiant.com/resources/precalculated-string-hashes-reverse-engineering-shellcode |
|
Details | Url | 4 | https://blog.trendmicro.co.jp/archives/29842 |
|
Details | Url | 1 | https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf |
|
Details | Url | 1 | https://www.rare-coisns.com/image/look/javascript/index.php |
|
Details | Yara rule | 1 |
// Busy Buzzard: command-selector dispatch and the C2 "ok" reply check.
// hash1..hash6 are SHA-1s of the samples the rule was written against; the same
// values appear in this page's sha1 attributes.
rule BusyBuzzard_command_switching_and_ok_response
{
    meta:
        author = "NCSC"
        description = "Detects code bytes used by Busy Buzzard to switch between the different commands, as well as a test for an 'ok' response from the C2 server"
        date = "2022-03-25"
        hash1 = "8fd99d9066020003358aa3e23c9af3d4911ce979"
        hash2 = "266852db4ad2d293469515820fd5e7c228cd4b3e"
        hash3 = "d2b8f4fe6eedb8b87521772fc823da596f2403b7"
        hash4 = "6a673508d46c0bbff74ee24384c8bc841c11ea4d"
        hash5 = "e74affd6c766156e3fe803917f28da08fe7000ef"
        hash6 = "48152eeb1d74a84ba86b34f419cf1c7a105e41ff"
    strings:
        // 3C xx = cmp al, imm8; 74 / 75 = je / jne. The immediates are ASCII 'd' (64),
        // 'f' (66), 'l' (6C), 's' (73): a one-byte command selector tested in sequence,
        // then two lea's (8D 57 FB, 48 8D 4B 05) and a call opcode (E8). The ?? wildcards
        // cover the jump displacements, which shift between builds.
        $tcp = { 3C 64 74 ?? 3C 66 74 ?? 3C 6C 74 ?? 3C 73 75 ?? 8D 57 FB 48 8D 4B 05 E8 }
        // Shorter 'd' / 's' form of the same selector. Six bytes is weak on its own,
        // which is why the condition only accepts it together with $http2.
        $http1 = { 3C 64 74 ?? 3C 73 }
        // 80 3B 6F = cmp byte ptr [rbx], 'o'; 80 7B 01 6B = cmp byte ptr [rbx+1], 'k':
        // the test for an "ok" reply named in the description.
        $http2 = { 80 3B 6F 75 ?? 80 7B 01 6B 74 }
    condition:
        // $tcp alone is specific enough; the $http pair must both be present.
        // Presumably the two branches map to the TCP and HTTPS variants named by the
        // sibling rules on this page — confirm against the report.
        $tcp or (all of ($http*))
}
|
Details | Yara rule | 1 |
// Busy Buzzard (TCP variant): CRC32 -> hex-string conversion used for the mutex name.
// Scoped to the three SHA-1s below (the TCP-variant samples).
rule BusyBuzzard_convert_crc32_to_mutex_name
{
    meta:
        author = "NCSC"
        description = "Detects code bytes used by the TCP variant of Busy Buzzard to convert a CRC32 value to its hex string representation in reverse-nibble order"
        date = "2022-03-25"
        hash1 = "8fd99d9066020003358aa3e23c9af3d4911ce979"
        hash2 = "266852db4ad2d293469515820fd5e7c228cd4b3e"
        hash3 = "d2b8f4fe6eedb8b87521772fc823da596f2403b7"
    strings:
        // Decodes (my read; confirm in a disassembler) as:
        //   movzx eax, dl / and al, 0F / cmp al, 9 / jbe +2 / add al, 7 / add al, 30h
        //   inc rcx / shr edx, 4 / dec r8 / mov [rcx-1], al / jne loop
        // i.e. low nibble -> one uppercase hex digit ('0'-'9', then +7 reaches 'A'-'F'),
        // shifting the value right each iteration, so the low nibble is emitted first —
        // the "reverse-nibble order" of the description. No wildcards: the loop is
        // register-allocation specific, so this matches this compilation only.
        $ = { 0F B6 C2 24 0F 3C 09 76 02 04 07 04 30 48 FF C1 C1 EA 04 49 FF C8 88 41 FF 75 E5 }
    condition:
        all of them
}
|
Details | Yara rule | 1 |
// Busy Buzzard: original (export-table) DLL names left in the binaries.
rule BusyBuzzard_original_dll_names
{
    meta:
        author = "NCSC"
        description = "Detects Busy Buzzard original DLL names embedded within the binary"
        date = "2022-03-25"
        hash1 = "8fd99d9066020003358aa3e23c9af3d4911ce979"
        hash2 = "266852db4ad2d293469515820fd5e7c228cd4b3e"
        hash3 = "6a673508d46c0bbff74ee24384c8bc841c11ea4d"
        hash4 = "e74affd6c766156e3fe803917f28da08fe7000ef"
        hash5 = "48152eeb1d74a84ba86b34f419cf1c7a105e41ff"
    strings:
        // Text strings are case-sensitive without `nocase`, so only this exact casing
        // (capital W / X) matches; this page's file attributes list the names lowercased,
        // so do not pivot from those spellings with a case-sensitive search.
        // The trailing \x00 anchors the end of the string, so a longer name that merely
        // contains "httpsWin32.dll" does not match.
        $ = "httpsWin32.dll\x00"
        $ = "tcpcX64.dll\x00"
    condition:
        any of them
}
|
Details | Yara rule | 1 |
// Busy Buzzard: routine that builds the per-session RC4 key from random values.
// Two encodings of the same idiom are covered; either one is sufficient.
rule BusyBuzzard_random_rc4_key_generator
{
    meta:
        author = "NCSC"
        description = "Detects code bytes used by Busy Buzzard to generate the randomised RC4 key"
        date = "2022-03-25"
        hash1 = "8fd99d9066020003358aa3e23c9af3d4911ce979"
        hash2 = "266852db4ad2d293469515820fd5e7c228cd4b3e"
        hash3 = "d2b8f4fe6eedb8b87521772fc823da596f2403b7"
        hash4 = "6a673508d46c0bbff74ee24384c8bc841c11ea4d"
        hash5 = "e74affd6c766156e3fe803917f28da08fe7000ef"
        hash6 = "48152eeb1d74a84ba86b34f419cf1c7a105e41ff"
    strings:
        // Form 1 (my read; confirm): cdq / mov ecx, 3Eh / idiv ecx, then on the remainder
        // (0..61): <10 -> add 30h ('0'-'9'), <37 -> add 37h ('A'-'Z'), else add 3Ch
        // ('a'-'z'); store byte, advance, compare with end pointer. So the key is drawn
        // from the 62-character alphanumeric set. The distinctive constants are 3E and
        // the three offsets 30/37/3C.
        $ = { 99 B9 3E 00 00 00 F7 F9 83 FA 0A 73 05 83 C2 30 EB 0D 83 FA 25 73 05 83 C2 37 EB 03 83 C2 3C 8B 03 88 14 06 46 3B F7 }
        // Form 2: same logic in an x64 build where the compiler replaced idiv with a
        // magic-number multiply (B8 43 08 21 84 = 0x84210843, then imul edx, edx, 3Eh and
        // subtract to get the remainder). Same 0A/25 thresholds and 30/37/3C offsets,
        // written through r11b (44 88 5C 0B FF = mov [rbx+rcx-1], r11b).
        $ = { 44 8B D8 B8 43 08 21 84 41 F7 EB 41 03 D3 C1 FA 05 8B CA C1 E9 1F 03 D1 6B D2 3E 44 2B DA 41 83 FB 0A 7D 06 41 83 C3 30 EB 10 41 83 FB 25 7D 06 41 83 C3 37 EB 04 41 83 C3 3C 48 8B 4D 00 48 FF C3 48 FF CE 44 88 5C 0B FF 75 B0 }
    condition:
        any of them
}
|
Details | Yara rule | 1 |
// Busy Buzzard (HTTPS variant): form-style command response built as stack strings.
// Scoped to the three HTTPS-variant SHA-1s below.
rule BusyBuzzard_https_cmd_response_stack_strings
{
    meta:
        author = "NCSC"
        description = "Detects command response strings, built on the stack, used by the HTTPS variant of Busy Buzzard"
        date = "2022-03-25"
        hash1 = "6a673508d46c0bbff74ee24384c8bc841c11ea4d"
        hash2 = "e74affd6c766156e3fe803917f28da08fe7000ef"
        hash3 = "48152eeb1d74a84ba86b34f419cf1c7a105e41ff"
    strings:
        // C7 45 xx = mov dword ptr [rbp+disp8], imm32; C7 85 xx xx xx xx is the disp32
        // form. The alternation accepts either displacement width so a different frame
        // layout does not break the match. The immediate 63 6D 64 3D is ASCII "cmd=".
        $ = { C7 ( 45 ?? | 85 ?? ?? ?? ?? ) 63 6D 64 3D }
        // "&typ" as a dword store followed by "e=" as a word store (66 C7 ... 65 3D):
        // together the stack string "&type=".
        $ = { C7 ( 45 ?? | 85 ?? ?? ?? ?? ) 26 74 79 70 66 C7 ( 45 ?? | 85 ?? ?? ?? ?? ) 65 3D }
        // "&ret" then "=\0" (3D 00): the stack string "&ret=" with its terminator.
        $ = { C7 ( 45 ?? | 85 ?? ?? ?? ?? ) 26 72 65 74 66 C7 ( 45 ?? | 85 ?? ?? ?? ?? ) 3D 00 }
    condition:
        // All three fragments must be present; any one of them alone is a common
        // compiler pattern and would be noisy.
        all of them
}
|
Details | Yara rule | 1 |
// Busy Buzzard: helper stubs shared by the shellcode plugins. Note the hashes here
// (two SHA-1s) differ from the loader/implant samples used by the other rules.
rule BusyBuzzard_plugin_helper_functions
{
    meta:
        author = "NCSC"
        description = "Detects code bytes used by Busy Buzzard shellcode plugin helper functions"
        date = "2022-03-25"
        hash1 = "f737067d41bc77dc7dd09ecb6eb710619bc2dfde"
        hash2 = "cf6339501de54590f8bbbc3cfb8051b95f6a1a42"
    strings:
        // First part (my read; confirm): push rsi / mov rsi, rsp / and rsp, -10h /
        // sub rsp, 20h / call rel32 / mov rsp, rsi / pop rsi / ret — a stack-aligning
        // trampoline. The call displacement (E8 F7 DF FF FF) is matched literally, so
        // this is pinned to one layout of the plugin blob.
        // Second part: mov rax, 30h / mov rax, gs:[rax] / [rax+60h] / [rax+18h] /
        // [rax+10h] / [rax] / [rax] / [rax+30h] / ret — consistent with the usual
        // TEB -> PEB -> Ldr -> InLoadOrderModuleList walk that returns a loaded
        // module's base (the same 33-byte sequence appears in
        // BusyBuzzard_shellcode_loader_x64 on this page).
        $ = { 56 48 8B F4 48 83 E4 F0 48 83 EC 20 E8 F7 DF FF FF 48 8B E6 5E C3 48 C7 C0 30 00 00 00 65 48 8B 00 48 8B 40 60 48 8B 40 18 48 8B 40 10 48 8B 00 48 8B 00 48 8B 40 30 C3 }
    condition:
        // The size cap keeps this to small plugin blobs; the PEB walk on its own is a
        // generic shellcode idiom and would also hit larger unrelated files.
        (all of them) and (filesize < 20KB)
}
|
Details | Yara rule | 1 |
// Busy Buzzard x64 loader: the import-resolution code. Nine short fragments, all
// required — individually most are only 4-7 bytes and would match widely.
rule BusyBuzzard_shellcode_loader_x64
{
    meta:
        author = "NCSC"
        description = "Detects code bytes used for resolving function addresses in the Busy Buzzard shellcode loader"
        date = "2022-03-25"
        hash1 = "8fd99d9066020003358aa3e23c9af3d4911ce979"
        hash2 = "266852db4ad2d293469515820fd5e7c228cd4b3e"
    strings:
        // 3D imm32 = cmp eax, imm32. The immediates are ASCII "getp" and "ddre":
        // four-byte chunks of a lowercased "getprocaddress" compared against export
        // names (which chunks are compared, and why only these two, is not visible here).
        $ = { 3D 67 65 74 70 }
        $ = { 3D 64 64 72 65 }
        // C7 45 disp8 imm32 = mov dword ptr [rbp+disp8], imm32. Three consecutive
        // stores at +50h/+54h/+58h spell "IsBa" "dRea" "dPtr" -> stack string
        // "IsBadReadPtr". The fixed displacements tie this to one frame layout.
        $ = { C7 45 50 49 73 42 61 }
        $ = { C7 45 54 64 52 65 61 }
        $ = { C7 45 58 64 50 74 72 }
        // Same idiom at +20h/+24h/+28h: "Imag" "eRva" "ToVa" -> "ImageRvaToVa".
        $ = { C7 45 20 49 6D 61 67 }
        $ = { C7 45 24 65 52 76 61 }
        $ = { C7 45 28 54 6F 56 61 }
        // mov rax, 30h / mov rax, gs:[rax] / [rax+60h] / [rax+18h] / [rax+10h] /
        // [rax] / [rax] / [rax+30h] / ret — consistent with a TEB -> PEB -> Ldr ->
        // InLoadOrderModuleList walk to obtain a loaded module base (shared with
        // BusyBuzzard_plugin_helper_functions on this page).
        $ = { 48 C7 C0 30 00 00 00 65 48 8B 00 48 8B 40 60 48 8B 40 18 48 8B 40 10 48 8B 00 48 8B 00 48 8B 40 30 C3 }
    condition:
        all of them
}
|
Details | Yara rule | 1 |
// Busy Buzzard: embedded RSA public keys (base64 DER). These are public keys, so
// matching on them carries no secret; any one of the three is enough.
rule BusyBuzzard_rsa_public_keys
{
    meta:
        author = "NCSC"
        description = "Detects hard-coded RSA public keys used by both the TCP and HTTPS variants of Busy Buzzard"
        date = "2022-03-25"
        hash1 = "8fd99d9066020003358aa3e23c9af3d4911ce979"
        hash2 = "266852db4ad2d293469515820fd5e7c228cd4b3e"
        hash3 = "d2b8f4fe6eedb8b87521772fc823da596f2403b7"
        hash4 = "6a673508d46c0bbff74ee24384c8bc841c11ea4d"
        hash5 = "e74affd6c766156e3fe803917f28da08fe7000ef"
        hash6 = "48152eeb1d74a84ba86b34f419cf1c7a105e41ff"
    strings:
        // "MIGJAoGBA..." is base64 of DER 30 81 89 02 81 81 00 ... and "...AgMBAAE="
        // is 02 03 01 00 01: a PKCS#1 RSAPublicKey with a 1024-bit modulus and
        // e = 65537. The trailing \x00 anchors the end of the C string.
        // NOTE(review): each literal contains two single spaces (before "y9YB", "qJ/",
        // etc.) that look like line-wrap artefacts from the source document rather
        // than bytes in the binary; YARA text strings match literally, so as written
        // the rule only fires if those exact spaces are present. Confirm against a
        // sample before deploying and strip the spaces if they are not in the binary.
        $rsa1 = "MIGJAoGBANYrLIbgWsKfJOnWnk/YUJmgFxI5PMK31Rnj7AOR37VM66baxx/6+03/IbT4oe/P y9YBYUIILhZTcCGOjv/KW+nZoQ4gdkDXexP7kD2YuwEKQZB1WSG3MTPNLCWANvGMrX+Cb/9H3 qJ/mmIYrygcLmzj4E2rSxJfdZ3YaYI1IX/vAgMBAAE=\x00"
        $rsa2 = "MIGJAoGBAK7mh7RSMtisKLn+Jfkq9AUlOHqUe4zjTLVC89k+sPux5ZMr9ndtjzdx8bCcSfCQ temKrR2LY4lRr5cZs3jgwaBbHS2SdCezUuNUdrEEsfWX8BlK13G8djFmmYZqKeQFnUrKZn+uA 0A4nIGPRFKB2fKfBjh4Y5qN2IoyV9Y0e8HHAgMBAAE=\x00"
        $rsa3 = "MIGJAoGBALkXcETCNbKRUMlz0Bkl8Mr/Jm1A4VKxdLBlDXCtD/9fCrfSDl2z/JhykFJik787 pT05QuKIsLWZLv2/lqMlDxnKEPEQRDBdm900If27xShcK/qRoSOO8edUD44PphF5cMfK16VMo N9e3DEVeP4zduCanP4vbFpH3vwaTI1Or1QRAgMBAAE=\x00"
    condition:
        (1 of ($rsa*))
}
|
Details | Yara rule | 1 |
// Fingerprints one specific kernel32.dll build by the file offsets of four exports.
// This is a version-identification helper, not a malware signature: a hit is a
// legitimate Windows file, so it should not raise an alert on its own. The rule has
// no meta block; presumably it pairs the memory dumps listed on this page with the
// matching kernel32 build — confirm against the report.
import "pe"

rule identify_kernel32_version
{
    condition:
        // 0x5a4d = "MZ" DOS header magic; then require a 64-bit DLL.
        (uint16(0) == 0x5a4d) and pe.is_dll() and pe.is_64bit() and
        // Each export's file offset must equal the offset of a hard-coded RVA, so any
        // other kernel32 build (different layout) fails. If an export name is absent,
        // exports_index() is undefined and the whole condition evaluates false rather
        // than erroring.
        (pe.export_details[pe.exports_index("GetProcAddress")].offset == pe.rva_to_offset(0x19d70)) and
        (pe.export_details[pe.exports_index("LoadLibraryA")].offset == pe.rva_to_offset(0x1f560)) and
        (pe.export_details[pe.exports_index("VirtualAlloc")].offset == pe.rva_to_offset(0x1b220)) and
        (pe.export_details[pe.exports_index("VirtualFree")].offset == pe.rva_to_offset(0x1b970))
}