MAR-10400779-1.v1 – Zimbra 1 | CISA
Tags
maec-delivery-vectors: | Watering Hole |
attack-pattern: | Data Malware - T1587.001 Malware - T1588.001 Phishing - T1660 Phishing - T1566 Server - T1583.004 Server - T1584.004 Software - T1592.002 Vulnerabilities - T1588.006 |
Common Information
Type | Value |
---|---|
UUID | e4b28db3-bf3c-4e32-b23c-1db624a9638e |
Fingerprint | 849e1dc3476b9e9d |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Sept. 27, 2022, midnight |
Added to db | Jan. 16, 2023, 3:54 p.m. |
Last updated | Nov. 17, 2024, 5:57 p.m. |
Headline | Malware Analysis Report (AR22-270A) |
Title | MAR-10400779-1.v1 – Zimbra 1 | CISA |
Detected Hints/Tags/Attributes | 52/2/37 |
Source URLs
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 85 | ✔ | — | https://cisa.gov/uscert/ncas/analysis-reports.xml | 2024-08-30 22:08 |
Attributes
| Type | #Events | CTI | Value |
|---|---|---|---|
| Domain | 469 | | www.cisa.gov |
| Domain | 24 | | test.sh |
| Domain | 154 | | us-cert.cisa.gov |
| Domain | 84 | | malware.us-cert.gov |
| Domain | 84 | | ftp.malware.us-cert.gov |
| | 84 | | submit@malware.us-cert.gov |
| File | 2 | | tasksttt.jsp |
| File | 2 | | datatypeconverter.jsp |
| File | 11 | | test.jsp |
| File | 2 | | xjhdshd.jsp |
| File | 5 | | security.jsp |
| File | 2 | | test2.jsp |
| File | 2 | | tmp.jar |
| md5 | 2 | | 2847c3be246be1dfd49789ebbffd5553 |
| md5 | 2 | | 36cfcfb4e6988caf8e449a7f26c92eae |
| md5 | 2 | | 0751fbc32ada4ded129a15a0d1ea0459 |
| md5 | 2 | | e146561122214f67eb35c52758a21fa5 |
| md5 | 2 | | 55e51e8ceda717813a5223a8c99a8830 |
| md5 | 2 | | ab28345b8aba13ae82f8bc0694f15804 |
| md5 | 3 | | 6f1c2dd27e28a52eb09cdd2bc828386d |
| sha256 | 2 | | 28b7896bf81c5bcbe63c59ee7bfce3893894d93699949f59884834077694bd52 |
| sha256 | 3 | | 6dee4a1d4ac6b969b1f817e36cb5d36c5de84aa8fe512f3b6e7de80a2310caea |
| sha256 | 2 | | 9d2a842e7a39358adc68311dcc0bc550ba375eae7513a3d4de326e948d09c245 |
| sha256 | 2 | | c24ead55e58422365f034d173bb0415c16be78928b2843ef8f6f62feb15e1553 |
| sha256 | 2 | | c602db153f48ab6580e5e85925677780c3d5a483c66c392a8ab8265aa108a409 |
| sha256 | 2 | | c8c1a0fae73b578480b15ff552499c271a1b49f7af2fb9fc7f8adaa4e984f614 |
| sha256 | 2 | | d335d7e3a0ac77e132e9ea839591fa81f67cd8eef136ec6586a1d6b1f29e18f1 |
| Url | 43 | | http://www.cisa.gov/tlp. |
| Url | 53 | | https://us-cert.cisa.gov/forms/feedback |
| Url | 84 | | https://malware.us-cert.gov |
Yara rules (seven rules as published in the MAR; #Events is 2 for each except CISA_10400779_07, which has 3). Each hex string is followed by its decoded ASCII as a trailing comment so the detection logic can be read without a hex table:

```yara
rule CISA_10400779_01 : trojan webshell GODZILLA
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10400779"
        Date = "2022-08-29"
        Last_Modified = "20220908_1400"
        Actor = "n/a"
        Category = "Trojan Webshell"
        Family = "GODZILLA"
        Description = "Detects Godzilla webshell samples"
        MD5 = "2847c3be246be1dfd49789ebbffd5553"
        SHA256 = "c602db153f48ab6580e5e85925677780c3d5a483c66c392a8ab8265aa108a409"
    strings:
        $s0 = { 53 74 72 69 6E 67 20 78 63 }                               // "String xc"
        $s1 = { 53 74 72 69 6E 67 20 70 61 73 73 }                         // "String pass"
        $s2 = { 6D 64 35 28 70 61 73 73 2B 78 63 29 }                      // "md5(pass+xc)"
        $s3 = { 43 6C 61 73 73 4C 6F 61 64 65 72 }                         // "ClassLoader"
        $s4 = { 53 65 63 72 65 74 4B 65 79 53 70 65 63 }                   // "SecretKeySpec"
        $s5 = { 4D 65 73 73 61 67 65 44 69 67 65 73 74 }                   // "MessageDigest"
        $s6 = { 62 61 73 65 36 34 }                                        // "base64"
        $s7 = { 72 65 71 75 65 73 74 2E 67 65 74 50 61 72 61 6D 65 74 65 72 } // "request.getParameter"
        $s8 = { 73 65 73 73 69 6F 6E 2E 73 65 74 41 74 74 72 69 62 75 74 65 } // "session.setAttribute"
    condition:
        filesize < 10KB and all of them
}

rule CISA_10400779_02 : utility ZIMBRA
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10400779"
        Date = "2022-08-29"
        Last_Modified = "20220908_1400"
        Actor = "n/a"
        Category = "Utility"
        Family = "ZIMBRA"
        Description = "Detects malicious JSP Zimbra samples"
        MD5 = "36cfcfb4e6988caf8e449a7f26c92eae"
        SHA256 = "28b7896bf81c5bcbe63c59ee7bfce3893894d93699949f59884834077694bd52"
    strings:
        $s0 = { 2F 62 69 6E 2F 73 68 }                                     // "/bin/sh"
        $s1 = { 22 72 6D 20 2D 72 66 }                                     // "\"rm -rf" (leading double quote)
        $s2 = { 2F 76 61 72 2F 74 6D 70 2F 74 6D 70 2E 6A 61 72 }          // "/var/tmp/tmp.jar"
        $s3 = { 74 61 72 20 63 7A 66 }                                     // "tar czf"
        $s4 = { 61 63 63 6F 75 6E 74 73 2E 78 6D 6C }                      // "accounts.xml"
        $s5 = { 6C 6F 63 61 6C 63 6F 6E 66 69 67 2E 78 6D 6C }             // "localconfig.xml"
        $s6 = { 2E 65 78 65 63 28 63 31 }                                  // ".exec(c1"
        $s7 = { 2E 65 78 65 63 28 63 32 }                                  // ".exec(c2"
        $s8 = { 2E 65 78 65 63 28 63 33 }                                  // ".exec(c3"
    condition:
        filesize < 10KB and all of them
}

rule CISA_10400779_03 : trojan webshell backdoor
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10400779"
        Date = "2022-08-29"
        Last_Modified = "20220908_1400"
        Actor = "n/a"
        Category = "Trojan Webshell Backdoor"
        Family = "n/a"
        Description = "Detects malicious password protected JSP webshell samples"
        MD5 = "0751fbc32ada4ded129a15a0d1ea0459"
        SHA256 = "c8c1a0fae73b578480b15ff552499c271a1b49f7af2fb9fc7f8adaa4e984f614"
    strings:
        $s0 = { 2E 65 71 75 61 6C 73 }                                     // ".equals"
        $s1 = { 67 65 74 50 61 72 61 6D 65 74 65 72 28 22 70 77 64 22 29 } // "getParameter(\"pwd\")"
        $s2 = { 2E 65 78 65 63 28 72 65 71 75 65 73 74 2E 67 65 74 50 61 72 61 6D 65 74 65 72 } // ".exec(request.getParameter"
        $s3 = { 2E 67 65 74 49 6E 70 75 74 53 74 72 65 61 6D }             // ".getInputStream"
        $s4 = { 6F 75 74 2E 70 72 69 6E 74 28 }                            // "out.print("
        $s5 = { 3C 70 72 65 3E }                                           // "<pre>"
        $s6 = { 3C 2F 70 72 65 3E }                                        // "</pre>"
    condition:
        filesize < 10KB and all of them
}

rule CISA_10400779_04 : trojan webshell backdoor
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10400779"
        Date = "2022-08-29"
        Last_Modified = "20220908_1400"
        Actor = "n/a"
        Category = "Trojan Webshell Backdoor"
        Family = "n/a"
        Description = "Detects malicious JSP webshell samples"
        MD5 = "e146561122214f67eb35c52758a21fa5"
        SHA256 = "c24ead55e58422365f034d173bb0415c16be78928b2843ef8f6f62feb15e1553"
    strings:
        $s0 = { 49 4E 50 55 54 20 6E 61 6D 65 }                            // "INPUT name"
        $s1 = { 63 6D 64 }                                                 // "cmd"
        $s2 = { 73 75 62 6D 69 74 20 76 61 6C 75 65 }                      // "submit value"
        $s3 = { 52 75 6E }                                                 // "Run"
        $s4 = { 53 74 72 69 6E 67 20 63 6D 64 }                            // "String cmd"
        $s5 = { 67 65 74 50 61 72 61 6D 65 74 65 72 }                      // "getParameter"
        $s6 = { 53 74 72 69 6E 67 20 6F 75 74 70 75 74 }                   // "String output"
        $s7 = { 65 78 65 63 28 63 6D 64 }                                  // "exec(cmd"
        $s8 = { 67 65 74 49 6E 70 75 74 53 74 72 65 61 6D }                // "getInputStream"
        $s9 = { 73 2B 22 3C 2F 62 72 3E 22 }                               // "s+\"</br>\""
        $s10 = { 70 72 69 6E 74 53 74 61 63 6B 54 72 61 63 65 }            // "printStackTrace"
    condition:
        filesize < 10KB and all of them
}

rule CISA_10400779_05 : utility webshell ZIMBRA
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10400779"
        Date = "2022-08-29"
        Last_Modified = "20220908_1400"
        Actor = "n/a"
        Category = "Utility Webshell"
        Family = "ZIMBRA"
        Description = "Detects malicious JSP webshell samples"
        MD5 = "55e51e8ceda717813a5223a8c99a8830"
        SHA256 = "9d2a842e7a39358adc68311dcc0bc550ba375eae7513a3d4de326e948d09c245"
    strings:
        $s0 = { 2F 6F 70 74 2F 7A 69 6D 62 72 61 2F 6A 65 74 74 79 2F 77 65 62 61 70 70 73 2F 7A 69 6D 62 72 61 41 64 6D 69 6E 2F 70 75 62 6C 69 63 2F 74 65 73 74 2E 73 68 } // "/opt/zimbra/jetty/webapps/zimbraAdmin/public/test.sh"
        $s1 = { 2E 65 78 65 63 28 }                                        // ".exec("
        $s2 = { 5A 69 70 4F 75 74 70 75 74 53 74 72 65 61 6D }             // "ZipOutputStream"
        $s3 = { 67 65 74 50 61 72 61 6D 65 74 65 72 }                      // "getParameter"
        $s4 = { 22 61 63 74 69 6F 6E 22 }                                  // "\"action\""
        $s5 = { 22 65 78 65 63 22 2E }                                     // "\"exec\"."
        $s6 = { 70 72 69 6E 74 6C 6E 28 65 78 65 63 }                      // "println(exec"
        $s7 = { 22 64 6F 77 6E 22 2E }                                     // "\"down\"."
        $s8 = { 43 6F 6E 74 65 6E 74 2D 44 69 73 70 6F 73 69 74 69 6F 6E } // "Content-Disposition"
        $s9 = { 61 74 74 61 63 68 6D 65 6E 74 }                            // "attachment"
        $s10 = { 67 65 74 4F 75 74 70 75 74 53 74 72 65 61 6D }            // "getOutputStream"
        $s11 = { 70 61 67 65 43 6F 6E 74 65 78 74 2E }                     // "pageContext."
        $s12 = { 6F 75 74 2E 70 72 69 6E 74 6C 6E 28 22 6E 6F 22 29 }      // "out.println(\"no\")"
    condition:
        filesize < 10KB and all of them
}

rule CISA_10400779_06 : credential_harvester ZIMBRA
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10400779"
        Date = "2022-08-29"
        Last_Modified = "20220908_1400"
        Actor = "n/a"
        Category = "Credential-Harvester"
        Family = "ZIMBRA"
        Description = "Detects ZIMBRA bash file samples"
        MD5 = "ab28345b8aba13ae82f8bc0694f15804"
        SHA256 = "d335d7e3a0ac77e132e9ea839591fa81f67cd8eef136ec6586a1d6b1f29e18f1"
    strings:
        $s0 = "/opt/zimbra/bin/zmlocalconfig"
        $s1 = { 7A 69 6D 62 72 61 5F 6C 64 61 70 5F 70 61 73 73 77 6F 72 64 } // "zimbra_ldap_password"
        $s2 = { 7A 69 6D 62 72 61 5F 6C 64 61 70 5F 75 73 65 72 }          // "zimbra_ldap_user"
        $s3 = { 7A 69 6D 62 72 61 5F 6C 64 61 70 5F 75 73 65 72 64 6E }    // "zimbra_ldap_userdn"
        $s4 = { 6C 64 61 70 5F 75 72 6C }                                  // "ldap_url"
        $s5 = { 2D 73 20 7C 20 67 72 65 70 }                               // "-s | grep"
        $s6 = { 6C 64 61 70 73 65 61 72 63 68 }                            // "ldapsearch"
        $s7 = { 75 73 65 72 73 2E 6C 64 69 66 }                            // "users.ldif"
        $s8 = { 63 6F 6E 66 69 67 2E 6C 64 69 66 }                         // "config.ldif"
        $s9 = { 73 65 72 76 69 63 65 2E 6C 64 69 66 }                      // "service.ldif"
        $s10 = { 72 6D 20 2D 72 66 }                                       // "rm -rf"
        $s11 = { 2F 74 6D 70 2F 7A 69 6D 62 72 61 }                        // "/tmp/zimbra"
        $s12 = { 74 65 73 74 2E 73 68 }                                    // "test.sh"
        $s13 = { 74 65 73 74 2E 6A 73 70 }                                 // "test.jsp"
    condition:
        filesize < 10KB and all of them
}

rule CISA_10400779_07 : webshell
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10400779"
        Date = "2022-08-29"
        Last_Modified = "20220908_1400"
        Actor = "n/a"
        Category = "Webshell"
        Family = "n/a"
        Description = "Detects JSP Webshell samples"
        MD5 = "6f1c2dd27e28a52eb09cdd2bc828386d"
        SHA256 = "6dee4a1d4ac6b969b1f817e36cb5d36c5de84aa8fe512f3b6e7de80a2310caea"
    strings:
        $s0 = { 78 3D 55 52 4C 44 65 63 6F 64 65 72 }                      // "x=URLDecoder"
        $s1 = { 53 74 72 69 6E 67 20 6F 2C 6C 2C 64 }                      // "String o,l,d"
        $s2 = { 72 65 71 75 65 73 74 2E 67 65 74 49 6E 70 75 74 53 74 72 65 61 6D } // "request.getInputStream"
        $s3 = { 69 6E 64 65 78 4F 66 28 22 63 3D 22 29 }                   // "indexOf(\"c=\")"
        $s4 = { 2E 65 78 65 63 28 67 29 }                                  // ".exec(g)"
        $s5 = { 6F 75 74 2E 70 72 69 6E 74 }                               // "out.print"
        $s6 = { 70 61 72 73 65 42 61 73 65 36 34 42 69 6E 61 72 79 }       // "parseBase64Binary"
        $s7 = { 46 69 6C 65 2E 73 65 70 61 72 61 74 6F 72 }                // "File.separator"
        $s8 = { 6F 3D 22 55 70 6C 6F 61 64 65 64 }                         // "o=\"Uploaded"
        $s9 = { 6F 75 74 2E 70 72 69 6E 74 28 65 29 }                      // "out.print(e)"
    condition:
        filesize < 10KB and all of them
}
```

Note that every rule is gated on `filesize < 10KB`, so a sample padded past 10240 bytes will not fire even if all strings are present; the hash IOCs above and a manual review of the Zimbra webapp directories remain necessary alongside these rules.
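The rules above all have the same shape: only literal strings (hex byte sequences or one quoted ASCII string) and the condition `filesize < 10KB and all of them`. For a host where `yara` cannot be installed, that condition can be evaluated directly, which also makes the filesize cap concrete. The script below is an added example for this page, not CISA's code: it extracts the strings from a rule's text, reports which ones are absent, applies the size gate, and checks a SHA-256 against the report's hash list. The two inputs are constructed (the "suspect" one is a token soup carrying every rule-06 string, not a working script). Rule 06 is embedded; the other six rules drop in unchanged. For rules with wildcards, regexes or other conditions, use yara or yara-python rather than this substring check.

```python
"""Offline evaluation of the CISA_10400779 YARA rules without yara installed.

Every rule in the report uses only literal strings and the condition
`filesize < 10KB and all of them`, so each reduces to: data shorter than
10240 bytes AND every string present. Added example, not CISA code; the
sample inputs at the bottom are constructed.
"""
import hashlib
import re

# SHA-256 hashes listed in the report's attribute table.
KNOWN_SHA256 = {
    "28b7896bf81c5bcbe63c59ee7bfce3893894d93699949f59884834077694bd52",
    "6dee4a1d4ac6b969b1f817e36cb5d36c5de84aa8fe512f3b6e7de80a2310caea",
    "9d2a842e7a39358adc68311dcc0bc550ba375eae7513a3d4de326e948d09c245",
    "c24ead55e58422365f034d173bb0415c16be78928b2843ef8f6f62feb15e1553",
    "c602db153f48ab6580e5e85925677780c3d5a483c66c392a8ab8265aa108a409",
    "c8c1a0fae73b578480b15ff552499c271a1b49f7af2fb9fc7f8adaa4e984f614",
    "d335d7e3a0ac77e132e9ea839591fa81f67cd8eef136ec6586a1d6b1f29e18f1",
}

# strings/condition of rule 06 copied from the report; the other rules have
# the same shape and can be added as further constants.
RULE_06 = r'''
rule CISA_10400779_06 : credential_harvester ZIMBRA {
    strings:
        $s0 = "/opt/zimbra/bin/zmlocalconfig"
        $s1 = { 7A 69 6D 62 72 61 5F 6C 64 61 70 5F 70 61 73 73 77 6F 72 64 }
        $s2 = { 7A 69 6D 62 72 61 5F 6C 64 61 70 5F 75 73 65 72 }
        $s3 = { 7A 69 6D 62 72 61 5F 6C 64 61 70 5F 75 73 65 72 64 6E }
        $s4 = { 6C 64 61 70 5F 75 72 6C }
        $s5 = { 2D 73 20 7C 20 67 72 65 70 }
        $s6 = { 6C 64 61 70 73 65 61 72 63 68 }
        $s7 = { 75 73 65 72 73 2E 6C 64 69 66 }
        $s8 = { 63 6F 6E 66 69 67 2E 6C 64 69 66 }
        $s9 = { 73 65 72 76 69 63 65 2E 6C 64 69 66 }
        $s10 = { 72 6D 20 2D 72 66 }
        $s11 = { 2F 74 6D 70 2F 7A 69 6D 62 72 61 }
        $s12 = { 74 65 73 74 2E 73 68 }
        $s13 = { 74 65 73 74 2E 6A 73 70 }
    condition:
        filesize < 10KB and all of them
}
'''

# $name = { 7A 69 ... }   (plain hex bytes, no wildcards/jumps in these rules)
HEX_RE = re.compile(r'\$(\w+)\s*=\s*\{\s*([0-9A-Fa-f]{2}(?:\s+[0-9A-Fa-f]{2})*)\s*\}')
# $name = "text"
TXT_RE = re.compile(r'\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')


def rule_strings(rule_text):
    """Return {name: bytes} for the literal strings in the rule's `strings:` block."""
    section = rule_text.split("strings:", 1)[1].split("condition:", 1)[0]
    found = {name: bytes.fromhex(hexs) for name, hexs in HEX_RE.findall(section)}
    for name, txt in TXT_RE.findall(section):
        found[name] = txt.encode("utf-8")
    return found


def rule_hits(rule_text, data, max_size=10 * 1024):
    """Emulate `filesize < 10KB and all of them`; returns (matched, absent names)."""
    strings = rule_strings(rule_text)
    missing = sorted(name for name, needle in strings.items() if needle not in data)
    return (len(data) < max_size and not missing), missing


def hash_hit(data):
    """True when the data's SHA-256 is one of the report's sample hashes."""
    return hashlib.sha256(data).hexdigest() in KNOWN_SHA256


# Constructed inputs: a harmless admin one-liner, and a token soup that carries
# every rule-06 string without being a working script.
BENIGN = b"#!/bin/bash\n/opt/zimbra/bin/zmlocalconfig -s | grep ldap_url\n"
SUSPECT = b"\n".join([
    b"#!/bin/bash",
    b"/opt/zimbra/bin/zmlocalconfig -s | grep zimbra_ldap_password",
    b"zimbra_ldap_user zimbra_ldap_userdn ldap_url ldapsearch",
    b"users.ldif config.ldif service.ldif",
    b"rm -rf /tmp/zimbra test.sh test.jsp",
])

if __name__ == "__main__":
    cases = (("benign", BENIGN), ("suspect", SUSPECT),
             ("suspect padded past 10KB", SUSPECT + b"\n" * 10240))
    for label, blob in cases:
        matched, missing = rule_hits(RULE_06, blob)
        print(f"{label}: match={matched} missing={missing} hash={hash_hit(blob)}")
```

The padded case is the point to take away: the same content plus 10 KB of whitespace no longer matches, because the published condition caps `filesize`. When hunting on a Zimbra host, run the hash check and the string check over every `.jsp` and `.sh` under the Jetty webapp roots regardless of size, and treat a string-only hit on an oversized file as worth a manual look.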