Karton Gems 3: Malware extraction with malduck
Tags
Tag type | Data Model |
---|---|
attack-pattern | Malware - T1587.001, Malware - T1588.001, Python - T1059.006, Sudo - T1169 |
Common Information
Type | Value |
---|---|
UUID | a9d63179-9714-44fa-b43a-93e14c7f4a7c |
Fingerprint | 56140e6bed8c02b4 |
Analysis status | DONE |
Considered CTI value | 0 |
Text language | |
Published | May 14, 2021, midnight |
Added to db | Aug. 31, 2024, 1:42 a.m. |
Last updated | Nov. 17, 2024, 11:40 p.m. |
Headline | Social media |
Title | Karton Gems 3: Malware extraction with malduck |
Detected Hints/Tags/Attributes | 36/1/17 |
Source URLs
Redirection | Url |
---|---|
Source | https://cert.pl/en/posts/2021/05/karton-gems-3-malware-extraction/ |
URL Provider
Provider | Source level domain |
---|---|
cert.pl | cert.pl |
RSS Feed
Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|
81 | ✔ | CERT Polska | https://cert.pl/en/rss.xml | 2024-08-30 22:08 |
Attributes
Type | #Events | CTI | Value |
---|---|---|---|
Domain | 4128 | | github.com |
Domain | 25 | | log.info |
Domain | 1 | | citadel.py |
File | 1 | | citadelmalware.bin |
File | 25 | | log.inf |
File | 1 | | modules.7z |
File | 1 | | citadel.py |
File | 61 | | __init__.py |
File | 1 | | karton.config |
Github username | 12 | | cert-polska |
Github username | 1 | | c3rb3ru5d3d53c |
sha256 | 1 | | 3a153c52aa82a667091dff9a4b4defb7a6e395c3d0604d7aa18f75ca6a27e77e |
Url | 1 | | https://github.com/cert-polska/training-mwdb/raw/main/citadelmalware.bin |
Url | 1 | | https://github.com/cert-polska/training-mwdb/raw/main/modules.7z |
Url | 3 | | https://github.com/cert-polska/karton-playground.git |
Url | 1 | | https://github.com/c3rb3ru5d3d53c/mwcfg-modules. |
Yara rule | 1 | | rule citadel (full rule reproduced below) |

```yara
rule citadel {
    meta:
        author = "mak"
        module = "citadel"
    strings:
        $briankerbs = "Coded by BRIAN KREBS for personal use only. I love my job & wife."
        $cit_aes_xor = { 81 30 [4] 0F B6 50 03 0F B6 78 02 81 70 04 [4] 81 70 08 [4] 81 70 0C [4] C1 E2 08 0B D7 }
        $cit_salt = { 8A D1 80 E2 07 C0 E9 03 47 83 FF 04 }
        $cit_login = { 30 [1-2] 8A 8? [4] 32 }
        $cit_getpes = { 68 [2] 00 00 8D ( 84 24 | 85 ) [4] 50 8D ( 85 ?? ?? ?? ?? | 44 24 ?? ) 50 E8 [4] B8 [2] 00 00 50 68 }
        $cit_base_off = { 5? 8D 85 [4] E8 [4] 6A 20 68 [4] 8D [2] 50 E8 [4] 8D 85 [4] 50 }
    condition:
        3 of them
}
```