ioc[.]one - OSINT Cyber Threat Intelligence Database

BUGHATCH Malware Analysis — Elastic Security Labs

Tags

cmtmf-attack-pattern:	Command And Scripting Interpreter Process Injection
country:	Cuba
maec-delivery-vectors:	Watering Hole
attack-pattern:	Data Asymmetric Cryptography - T1521.002 Asymmetric Cryptography - T1573.002 Command And Scripting Interpreter - T1623 Credentials - T1589.001 Encrypted Channel - T1521 Encrypted Channel - T1573 Exfiltration Over C2 Channel - T1646 Impersonation - T1656 Local Groups - T1069.001 Malware - T1587.001 Malware - T1588.001 Native Api - T1575 Powershell - T1059.001 Process Injection - T1631 Python - T1059.006 Rundll32 - T1218.011 Server - T1583.004 Server - T1584.004 Symmetric Cryptography - T1521.001 Symmetric Cryptography - T1573.001 Windows Command Shell - T1059.003 Tool - T1588.002 Automated Collection - T1119 Command-Line Interface - T1059 Execution Through Api - T1106 Exfiltration Over Command And Control Channel - T1041 Graphical User Interface - T1061 Powershell - T1086 Process Injection - T1055 Rundll32 - T1085 Automated Collection Graphical User Interface

Show in Graph

Common Information

Type	Value
UUID	b2489494-a6c1-4267-b666-1ddecc3a29d2
Fingerprint	adb4bd132da80493
Analysis status	DONE
Considered CTI value	2
Text language
Published	Sept. 9, 2022, midnight
Added to db	Nov. 20, 2023, 12:58 a.m.
Last updated	Nov. 18, 2024, 1:38 a.m.
Headline	BUGHATCH Malware Analysis
Title	BUGHATCH Malware Analysis — Elastic Security Labs
Detected Hints/Tags/Attributes	76/4/17

Source URLs

	Redirection	Url
Details	Source	https://www.elastic.co/security-labs/bughatch-malware-analysis

URL Provider

Details	Provider	Source level domain
Details	elastic.co	www.elastic.co

RSS Feed

Details	Id	Enabled	Feed title	Url	Added to db
Details	306	✔	Elastic Security Labs	https://www.elastic.co/security-labs/rss/feed.xml	2024-08-30 22:08

Attributes

Details	Type	#Events	CTI	Value
Details	File	2127		cmd.exe
Details	File	1122		svchost.exe
Details	File	127		c:\windows\system32\rundll32.exe
Details	File	18		c:\windows\syswow64\rundll32.exe
Details	File	4		agent32.bin
Details	File	4		agent64.bin
Details	File	1260		explorer.exe
Details	File	15		explore.exe
Details	File	1209		powershell.exe
Details	File	2		temp%u.ps1
Details	md5	1		A6E30CCF838569781703C943F18DC3F5
Details	md5	1		9D9AD1251943ECACE81644A7AC320B3C
Details	md5	1		B983B8EB258220628BE2A88CA44286B4
Details	md5	1		39324A58D79FC5B8910CBD9AFBF1A6CB
Details	sha256	1		f1325f8a55164e904a4b183186f44f815693a008a9445d2606215a232658c3cf
Details	sha256	2		b495456a2239f3ba48e43ef295d6c00066473d6a7991051e1705a48746e8051f
Details	Yara rule	1		rule Windows_Trojan_BUGHATCH { meta: author = "Elastic Security" creation_date = "2022-05-09" last_modified = "2022-06-09" license = "Elastic License v2" os = "Windows" arch = "x86" category_type = "Trojan" family = "BUGHATCH" threat_name = "Windows.Trojan.BUGHATCH" reference_sample = "b495456a2239f3ba48e43ef295d6c00066473d6a7991051e1705a48746e8051f" strings: $a1 = { 8B 45 ?? 33 D2 B9 A7 00 00 00 F7 F1 85 D2 75 ?? B8 01 00 00 00 EB 33 C0 } $a2 = { 8B 45 ?? 0F B7 48 04 81 F9 64 86 00 00 75 3B 8B 55 ?? 0F B7 42 16 25 00 20 00 00 ?? ?? B8 06 00 00 00 EB ?? } $a3 = { 69 4D 10 FD 43 03 00 81 C1 C3 9E 26 00 89 4D 10 8B 55 FC 8B 45 F8 0F B7 0C 50 8B 55 10 C1 EA 10 81 E2 FF FF 00 00 33 CA 8B 45 FC 8B 55 F8 66 89 0C 42 } $c1 = "-windowstyle hidden -executionpolicy bypass -file" $c2 = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" $c3 = "ReflectiveLoader" $c4 = "\\Sysnative\\" $c5 = "TEMP%u.CMD" $c6 = "TEMP%u.PS1" $c7 = "\\TEMP%d.%s" $c8 = "NtSetContextThread" $c9 = "NtResumeThread" condition: any of ($a) or 6 of ($c) }