Malicious Inauthentic Falcon Crash Reporter Installer Delivers Malware Named Ciro
Common Information
Type Value
UUID d891c276-e4af-460b-a85e-31afedff881b
Fingerprint 8c86ad5b64bbacf1
Analysis status DONE
Considered CTI value 2
Text language
Published Nov. 7, 2024, midnight
Added to db Nov. 12, 2024, 11:51 a.m.
Last updated Nov. 17, 2024, 7:44 p.m.
Headline Malicious Inauthentic Falcon Crash Reporter Installer Delivers LLVM-Based Mythic C2 Agent Named Ciro
Title Malicious Inauthentic Falcon Crash Reporter Installer Delivers Malware Named Ciro
Detected Hints/Tags/Attributes 88/4/33
Attributes

Type                       #Events  Value
Domain                           2  www.warnmelderzentrale.com
Domain                           2  csmon.westeurope.cloudapp.azure.com
Domain                           4  1-r7.zip  (a file name, also listed under File; .zip is a registered TLD, so the extractor also classified it as a domain)
Domain                           5  docs.mythic-c2.net
Domain                          15  llvm.org
Domain                        4127  github.com
File                             3  csmon8.dat
File                             3  java8runtime.exe
File                             2  8ac34787.js
File                             3  1-r7.zip
File                             3  r3.exe
File                             3  r3.tmp
File                             2  lli.html
File                             2  lli.cpp
sha256                           2  19e02b2049e10104573ab05b3d8882f4c3373992d4b823998152b93eb4971873
sha256                           2  05d700c67e18358ee4e6c1c3e95c8c4ad687d96fc531aff7a5b07f3dbda8e14b
sha256                           3  82ef869e8f7accde731f8c289f19436347a30af1d53c8f61bde5bac8bc91ad1a
sha256                           2  4bc4b1381c0b99185b148d4a1edbd74730020b30a3541856c43d22a56e8782a9
MITRE ATT&CK Technique          96  T1587.001 (Develop Capabilities: Malware)
MITRE ATT&CK Technique         183  T1566.002 (Phishing: Spearphishing Link)
MITRE ATT&CK Technique         695  T1059 (Command and Scripting Interpreter)
MITRE ATT&CK Technique         365  T1204.002 (User Execution: Malicious File)
MITRE ATT&CK Technique         380  T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
MITRE ATT&CK Technique         504  T1140 (Deobfuscate/Decode Files or Information)
MITRE ATT&CK Technique         442  T1071.001 (Application Layer Protocol: Web Protocols)
MITRE ATT&CK Technique          99  T1132.001 (Data Encoding: Standard Encoding)
MITRE ATT&CK Technique         130  T1573.001 (Encrypted Channel: Symmetric Cryptography)
Url                              2  https://www.warnmelderzentrale.com/jquery.min.8ac34787.js?v=8
Url                              3  https://docs.mythic-c2.net
Url                              2  https://llvm.org/docs/commandguide/lli.html
Url                              2  https://github.com/llvm/llvm-project/blob/main/llvm/tools/lli/lli.cpp
Url                              2  https://docs.mythic-c2.net/customizing/payload-type-development/create_tasking/agent-side-coding/initial-checkin#a
Yara rule                        2  (rule text follows)

Note on the extracted values: docs.mythic-c2.net, llvm.org and github.com, and the lli.html / lli.cpp file entries derived from their URLs, are documentation references cited by the report (the Mythic C2 framework and LLVM's lli bitcode interpreter), not indicators of compromise. Treat only the warnmelderzentrale.com / csmon.westeurope.cloudapp.azure.com entries, the dropped file names and the sha256 hashes as candidate IOCs.
rule CrowdStrike_CSA_240869_01 : ciro mythic {
	meta:
		copyright = "(c) 2024 CrowdStrike Inc."
		description = "Detects Custom Mythic Agent Ciro"
		reports = " CSA-240869 "
		version = "202407291125"
		last_modified = "2024-07-29"
		malware_family = "Mythic"
	strings:
		$module_name = "Cirostrike"
	condition:
		filesize < 1MB and uint32(0) == 0xdec04342 and all of them
}
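Two parts of the rule's condition are worth spelling out. uint32(0) == 0xdec04342 is the little-endian reading of the first four bytes of a raw LLVM bitcode file ('B', 'C', 0xC0, 0xDE), which is the form of payload an LLVM-based agent run under lli carries; and "all of them" with a single string means the module name "Cirostrike" must occur somewhere in the file. The Python below is an added example, not CrowdStrike's or this page's own code: it re-implements the rule's condition and runs it over constructed byte strings (no real Ciro sample is embedded) to show what it does and does not match. The sample names and the simplified wrapper header are assumptions made for illustration. One caveat it demonstrates: bitcode stored in LLVM's wrapper format, whose header starts with the uint32 0x0B17C0DE, does not satisfy the magic check even when the raw bitcode and the module name are inside it.

```python
import struct

# Added example, not CrowdStrike's or the page's own code: a Python
# re-implementation of the CrowdStrike_CSA_240869_01 condition, run over
# constructed sample byte strings (no real Ciro sample is embedded here).

# Raw LLVM bitcode files start with the bytes 'B','C',0xC0,0xDE. Read as a
# little-endian uint32 (which is what YARA's uint32(0) does) that is 0xDEC04342.
LLVM_BITCODE_MAGIC = b"BC\xC0\xDE"

# LLVM's optional bitcode wrapper header instead starts with the little-endian
# uint32 0x0B17C0DE; the rule does not match files stored in that form.
LLVM_WRAPPER_MAGIC = struct.pack("<I", 0x0B17C0DE)

MODULE_NAME = b"Cirostrike"        # the rule's single $module_name string
MAX_FILESIZE = 1024 * 1024         # YARA's "1MB" is 1,048,576 bytes


def bitcode_magic_as_uint32() -> int:
    """Show where the rule's 0xdec04342 constant comes from."""
    return struct.unpack("<I", LLVM_BITCODE_MAGIC)[0]


def matches_ciro_rule(data: bytes) -> bool:
    """filesize < 1MB and uint32(0) == 0xdec04342 and all of them."""
    if len(data) >= MAX_FILESIZE:      # filesize < 1MB is strict
        return False
    if len(data) < 4:                  # uint32(0) is undefined on a short file
        return False
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != 0xDEC04342:
        return False
    return MODULE_NAME in data         # "all of them" with one string


# Constructed samples (assumptions for illustration, not captured files).
SAMPLES = {
    # raw bitcode header followed by the module name somewhere in the body
    "raw_bitcode_with_name": LLVM_BITCODE_MAGIC + b"\x00" * 16 + MODULE_NAME + b"\x00" * 16,
    # raw bitcode without the string: the magic alone is not enough
    "raw_bitcode_no_name": LLVM_BITCODE_MAGIC + b"\x00" * 32,
    # simplified 20-byte wrapper header, then the same raw bitcode: not matched
    "wrapped_bitcode_with_name": LLVM_WRAPPER_MAGIC + b"\x00" * 16 + LLVM_BITCODE_MAGIC + MODULE_NAME,
    # exactly 1 MiB of otherwise matching content: rejected by the size check
    "oversized": LLVM_BITCODE_MAGIC + MODULE_NAME + b"\x00" * (MAX_FILESIZE - 14),
    # a PE-like header carrying the string: not LLVM bitcode, not matched
    "pe_with_name": b"MZ" + b"\x00" * 62 + MODULE_NAME,
}


def scan_samples() -> dict:
    """Apply the rule to every constructed sample and return name -> matched."""
    return {name: matches_ciro_rule(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    print(f"uint32(0) of a raw bitcode header: 0x{bitcode_magic_as_uint32():08x}")
    for name, hit in scan_samples().items():
        print(f"{name:28s} {'MATCH' if hit else 'no match'}")
```

Point matches_ciro_rule() at the bytes of a suspect file to reproduce the rule's verdict; for actual hunting, compile and run the YARA rule itself (for example with yara-python) rather than this re-implementation, and consider a companion check for the 0x0B17C0DE wrapper header if wrapped bitcode is a concern in your environment.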