SUNSPOT Malware: A Technical Analysis | CrowdStrike
Common Information
Type Value
UUID 85c38dea-0464-46e4-8d3c-16b16cbd3457
Fingerprint bc00a81926173490
Analysis status DONE
Considered CTI value 2
Text language
Published Nov. 7, 2024, midnight
Added to db Nov. 12, 2024, 11:53 a.m.
Last updated Nov. 17, 2024, 6:55 p.m.
Headline SUNSPOT: An Implant in the Build Process
Title SUNSPOT Malware: A Technical Analysis | CrowdStrike
Detected Hints/Tags/Attributes 44/2/18
Attributes
Type     #Events  Value
File     2        taskhostsvc.exe
File     26       taskhostw.exe
File     2        c:\windows\temp\vmware-vmdmp.log
File     4        'msbuild.exe
File     29       orion.core
File     1        inventorymanager.cs
File     149      msbuild.exe
File     1        inventorymanager.bk
File     1        inventorymanager.tmp
File     1        orionimprovementbusinesslayer.zip
File     1        orionimprovementbusinesslayer.config
File     4        orionimprovementbusinesslayer.ini
File     1        ostsvc.exe
md5      1        5f40b59ee2a9ac94ddb6ab9e3bd776ca
sha256   3        c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168
sha256   2        0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389
Yara rule (1 event):
rule CrowdStrike_SUNSPOT_01 : artifact stellarparticle sunspot {
	meta:
		copyright = "(c) 2021 CrowdStrike Inc."
		description = "Detects RC4 and AES key encryption material in SUNSPOT"
		version = "202101081448"
		last_modified = "2021-01-08"
		actor = "StellarParticle"
		malware_family = "SUNSPOT"
	strings:
		$key = { FC F3 2A 83 E5 F6 D0 24 A6 BF CE 88 30 C2 48 E7 }
		$iv = { 81 8C 85 49 B9 00 06 78 0B E9 63 60 26 64 B2 DA }
	condition:
		all of them and filesize < 32MB
}
Yara rule (1 event):
rule CrowdStrike_SUNSPOT_02 : artifact stellarparticle sunspot {
	meta:
		copyright = "(c) 2021 CrowdStrike Inc."
		description = "Detects mutex names in SUNSPOT"
		version = "202101081448"
		last_modified = "2021-01-08"
		actor = "StellarParticle"
		malware_family = "SUNSPOT"
	strings:
		$mutex_01 = "{12d61a41-4b74-7610-a4d8-3028d2f56395}" ascii wide
		$mutex_02 = "{56331e4d-76a3-0390-a7ee-567adf5836b7}" ascii wide
	condition:
		any of them and filesize < 10MB
}