ioc[.]one - OSINT Cyber Threat Intelligence Database

MAR-10271944-3.v1 – North Korean Trojan: BUFFETLINE | CISA

Tags

maec-delivery-vectors:	Watering Hole
attack-pattern:	Malware - T1587.001 Malware - T1588.001 Phishing - T1660 Phishing - T1566 Software - T1592.002 Vulnerabilities - T1588.006

Show in Graph

Common Information

Type	Value
UUID	70b6cec4-83f4-475e-89ee-bcd92aa70d11
Fingerprint	6e1299d34f709fcb
Analysis status	DONE
Considered CTI value	2
Text language
Published	Feb. 14, 2020, midnight
Added to db	Sept. 26, 2022, 9:30 a.m.
Last updated	Dec. 21, 2024, 4:49 a.m.
Headline	Malware Analysis Report (AR20-045F)
Title	MAR-10271944-3.v1 – North Korean Trojan: BUFFETLINE \| CISA
Detected Hints/Tags/Attributes	42/2/21

Source URLs

	Redirection	Url
Details	Source	https://www.us-cert.gov/ncas/analysis-reports/ar20-045f

URL Provider

Details	Provider	Source level domain
Details	us-cert.gov	www.us-cert.gov

Attributes

Details	Type	#Events	Value
Details	Domain	154	www.us-cert.gov
Details	Domain	26	us-cert.gov
Details	Domain	18	dhs.sgov.gov
Details	Domain	18	dhs.ic.gov
Details	Domain	84	malware.us-cert.gov
Details	Domain	84	ftp.malware.us-cert.gov
Details	Email	17	ncciccustomerservice@us-cert.gov
Details	Email	18	us-cert@dhs.sgov.gov
Details	Email	18	us-cert@dhs.ic.gov
Details	Email	16	soc@us-cert.gov
Details	Email	84	submit@malware.us-cert.gov
Details	File	121	smss.exe
Details	sha256	2	52f83cdaefd194fff3d387631d5693a709cd7b3a20a072e7827c4d4218d57695
Details	IPv4	1	107.6.12.135
Details	IPv4	1	210.202.40.35
Details	Url	42	http://www.us-cert.gov/tlp.
Details	Url	21	https://www.us-cert.gov/hiddencobra.
Details	Url	17	https://us-cert.gov/forms/feedback
Details	Url	84	https://malware.us-cert.gov
Details	Yara rule	1	rule encodedHandshakeStrings { meta: author = "CISA trusted 3rd party" incident = "10271944.r3.v1" date = "2019-12-25" category = "Hidden_Cobra" family = "BUFFETLINE" strings: $e1 = { DD 91 4A 1D CB 93 52 0A D0 CB 0A 4C CA D5 08 4B CA 92 4B 1D DE 92 4B 1E D2 8B 5C 14 DE 92 5C } $e2 = { 81 8C 4D 1D D1 8A 52 1D D7 8A 4C 0D 8B C8 01 4C CD 9C 5E 0B DC 97 5E 12 95 CB 4A 48 CF 9C 53 } condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them }
Details	Yara rule	1	rule polarsslClientHello { meta: author = "CISA trusted 3rd party" incident = "10271944.R3.V1" date = "2019-12-25" category = "Hidden_Cobra" family = "BUFFETLINE" strings: $polarSSL = "fjiejffndxklfsdkfjsaadiepwn" $cliHello = "!Q@W#E$R%T^Y&U*I(O)P" condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them }