How an APT technique turns to be a public Red Team Project - Yoroi
Tags
Type | Value |
---|---|
attack-pattern | Dll Side-Loading - T1574.002 |
attack-pattern | Javascript - T1059.007 |
attack-pattern | Malware - T1587.001 |
attack-pattern | Malware - T1588.001 |
attack-pattern | Software - T1592.002 |
attack-pattern | Tool - T1588.002 |
attack-pattern | Vulnerabilities - T1588.006 |
Common Information
Type | Value |
---|---|
UUID | e9df9c8e-cec1-467b-91e1-5542e6278f73 |
Fingerprint | 6c303b3dab858ffb |
Analysis status | DONE |
Considered CTI value | -2 |
Text language | |
Published | Sept. 7, 2023, 10:05 a.m. |
Added to db | Nov. 19, 2023, 3:55 a.m. |
Last updated | Nov. 17, 2024, 6:54 p.m. |
Headline | How an APT technique turns to be a public Red Team Project |
Title | How an APT technique turns to be a public Red Team Project - Yoroi |
Detected Hints/Tags/Attributes | 90/1/23 |
Source URLs
URL Provider: RSS Feed
Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|
409 | ✔ | Yoroi | https://yoroi.company/feed/ | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | File | 2 | 'ffmpeg.dll |
|
Details | File | 89 | version.dll |
|
Details | File | 9 | onedrivestandaloneupdater.exe |
|
Details | File | 3 | vresion.dll |
|
Details | File | 46 | runtimebroker.exe |
|
Details | File | 146 | wininet.dll |
|
Details | sha256 | 1 | c8ca2199aabae9af5c59e658d11a41f76af4576204c23bf5762825171c56e5e8 |
|
Details | sha256 | 1 | bcc7c41209afcf67858b3ef80f0afa1eabf2e4faadcaa23bacc9aa5d57b9d836 |
|
Details | sha256 | 1 | a855012a9e198837eae04295de56d28e9258da1e933c56805b39b1f8d0d03c56 |
|
Details | sha256 | 1 | 4240201a9d957a01676ab7165d112d03c7dbdba7b34778407e7b73344b3fd158 |
|
Details | sha256 | 1 | 2d866ccf2b24e3b922abb3d3980c2ed752d86b6c017bc2bf7a1c209aa9464643 |
|
Details | sha256 | 1 | ffd5114ffb3a2f66757cecb2fb0079cceaa42a4b42ded566e76b7d58b4effac5 |
|
Details | sha256 | 1 | 5e352c8f55ed9be1142b09e13df7b3efac7ea9e6173b6792d9a5c44dedc3a4ee |
|
Details | sha256 | 1 | 17494a7687c8e57be6fcd486bc34aaa120105729196474ccffd078d8aa256f87 |
|
Details | sha256 | 1 | dda686d6fda52c6ab3c084b7024cfc68dba60ae2143a1095659b795f84cf2329 |
|
Details | sha256 | 1 | 664b8fbd825db53ccfc5712f7cd54c71bf53f0791b1bd42af8517729653ae7ae |
|
Details | sha256 | 1 | 6f08ce39072bdacf4a98578ca6b508b68b2c78ed2a378c73a1c87595f9d0c591 |
|
Details | sha256 | 1 | f62e0ec08b15f9a4f3178c77ad540bd7369d1341472fdcbc88aecc0ed29c0387 |
|
Details | IPv4 | 1 | 193.37.254.27 |
|
Details | MITRE ATT&CK Techniques | 227 | T1574.002 |
|
Details | Threat Actor Identifier - APT | 665 | APT29 |
|
Details | Yara rule | 1 | rule onedriveupdate_exe_repackage { meta: author = "Yoroi Malware ZLab" description = "Rule for OneDriveUpdate EXE Repackage" last_updated = "2023-07-27" tlp = "WHITE" category = "informational" strings: $1 = { 4? 83 F8 ?? 4? 8D 52 01 4? 8B ?? 4? 0F 45 C8 4? FF C0 0F B6 84 ?? ?? ?? ?? ?? 30 4? ?? 4? 8D 41 01 4? 81 F8 ?? ?? ?? ?? } condition: $1 } |
|
Details | Yara rule | 1 | rule onedriveupdate_dll_repackage { meta: author = "Yoroi Malware ZLab" description = "Rule for OneDriveUpdate DLL Repackage" last_updated = "2023-07-27" tlp = "WHITE" category = "informational" strings: $1 = { 4? 83 F8 ?? 4? 8D 5? ?? 4? 8B CF 4? 0F 45 C8 4? FF C1 0F B6 84 0D 18 01 00 00 4? 8D 41 01 30 42 FF 4? 63 C1 4? 3B C7 } condition: $1 } |