MAR-10400779-2.v1 – Zimbra 2 | CISA
Tags
| maec-delivery-vectors: | Watering Hole |
| attack-pattern: | Malware - T1587.001 Malware - T1588.001 Phishing - T1660 Phishing - T1566 Server - T1583.004 Server - T1584.004 Software - T1592.002 Vulnerabilities - T1588.006 |
Common Information
| Type | Value |
|---|---|
| UUID | c827e0dc-847f-45e8-91e9-8463b7de0b99 |
| Fingerprint | 561b9dd34d739bcf |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Sept. 27, 2022, midnight |
| Added to db | Oct. 6, 2022, 10:03 a.m. |
| Last updated | Nov. 17, 2024, 5:57 p.m. |
| Headline | Malware Analysis Report (AR22-270B) |
| Title | MAR-10400779-2.v1 – Zimbra 2 | CISA |
| Detected Hints/Tags/Attributes | 39/2/12 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://us-cert.cisa.gov/ncas/analysis-reports/ar22-270b |
URL Provider
RSS Feed
| Details | Id | Enabled | Feed title | Url | Added to db |
|---|---|---|---|---|---|
| Details | 85 | ✔ | — | https://cisa.gov/uscert/ncas/analysis-reports.xml | 2024-08-30 22:08 |
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 469 | www.cisa.gov |
|
| Details | Domain | 154 | us-cert.cisa.gov |
|
| Details | Domain | 84 | malware.us-cert.gov |
|
| Details | Domain | 84 | ftp.malware.us-cert.gov |
|
| Details | 84 | submit@malware.us-cert.gov |
||
| Details | File | 2 | formatter_8252022_909am.jsp |
|
| Details | md5 | 3 | 7153cfe57d2df499175aced7e92bcf65 |
|
| Details | sha256 | 3 | ffb0f637776bc4cfcf5a24406ebf48fc21b9dcec68587a010f21b88250bda195 |
|
| Details | Url | 43 | http://www.cisa.gov/tlp. |
|
| Details | Url | 53 | https://us-cert.cisa.gov/forms/feedback |
|
| Details | Url | 84 | https://malware.us-cert.gov |
|
| Details | Yara rule | 3 | rule CISA_10400779_08 : trojan webshell {
meta:
Author = "CISA Code & Media Analysis"
Incident = "10400779"
Date = "2022-08-29"
Last_Modified = "20220908_1400"
Actor = "n/a"
Category = "Trojan Webshell"
Family = "n/a"
Description = "Detects JSP Webshell command execution samples"
MD5 = "7153cfe57d2df499175aced7e92bcf65"
SHA256 = "ffb0f637776bc4cfcf5a24406ebf48fc21b9dcec68587a010f21b88250bda195"
strings:
$s0 = { 67 65 74 50 61 72 61 6D 65 74 65 72 28 22 63 6D 64 22 29 }
$s1 = { 6F 75 74 2E 70 72 69 6E 74 6C 6E 28 22 43 6F 6D 6D 61 6E 64 }
$s2 = { 22 3C 42 52 3E 22 }
$s3 = { 67 65 74 50 72 6F 70 65 72 74 79 }
$s4 = { 22 6F 73 2E 6E 61 6D 65 22 }
$s5 = { 22 77 69 6E 64 6F 77 73 22 }
$s6 = { 63 6D 64 2E 65 78 65 20 2F 43 }
$s7 = { 4F 75 74 70 75 74 53 74 72 65 61 6D }
$s8 = { 6F 75 74 2E 70 72 69 6E 74 6C 6E 28 64 69 73 72 29 }
condition:
all of them
} |