

[ti_abusech] Change abusech.malwarebazaar.code_sign to Nested field (#…
…4102)

* [ti_abusech]  Change abusech.malwarebazaar.code_sign to Nested field

* updates per comment

* Added certificate thumbprint to hashes
legoguy1000 authored Sep 6, 2022
1 parent 832a74d commit 2c9e5fb
Showing 7 changed files with 306 additions and 84 deletions.
5 changes: 5 additions & 0 deletions packages/ti_abusech/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.7.1"
changes:
- description: Change abusech.malwarebazaar.code_sign to Nested field
type: bugfix
link: https://github.com/elastic/integrations/pull/4102
- version: "1.7.0"
changes:
- description: Add Threat Fox datastream
Expand Up @@ -7,3 +7,4 @@
{"sha256_hash":"30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606","sha3_384_hash":"a3ec981ed158fe08cc2cd97303807cfbed147e59ccfd92fcaa9395c5718b4d9b892d6e9fa6337f5976dc1bd042562fe4","sha1_hash":"3d613d5678e43faeea1c636185a0b4c3ec80e742","md5_hash":"de80e1d7d9f5b1c64ec9f8d4f5063989","first_seen":"2021-04-06 19:58:44","last_seen":null,"file_name":"30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606.bin.sample","file_size":1088000,"file_type_mime":"application/msword","file_type":"docx","reporter":"DmitriyMelikov","origin_country":"DE","anonymous":0,"signature":null,"imphash":null,"tlsh":"8635D001BA82C573D5621A35083ADBAA177E7D604F704ADBB3C83B2E5D355C14B32BA7","telfhash":null,"ssdeep":"24576:WKEiZxl3A4yJJG2dPQQCthXzglgLm/9lGO:WKEGByvGOQQC/XElga/9lGO","tags":null,"code_sign":[],"intelligence":{"clamav":null,"downloads":"32","uploads":"1","mail":null}}
{"sha256_hash":"84f983067868de50e5b1553782c056c1f5b5118bb2084473ca4b6908f221cd3b","sha3_384_hash":"138dc28a74d15c1f9797ce732e99097c8c6db4549cb17cb7b20c1c6738a170328e45aea2d4c3b593912f14a97f521c1d","sha1_hash":"00b52e8ca1785d5086703ad8cff1d28fc3354934","md5_hash":"2759c73c986c6a757bf9d25621c5595a","first_seen":"2021-04-06 19:52:32","last_seen":null,"file_name":"Purchase Order.8000.scan.pdf...exe","file_size":752128,"file_type_mime":"application/x-dosexec","file_type":"exe","reporter":"James_inthe_box","origin_country":"FR","anonymous":0,"signature":"SnakeKeylogger","imphash":"f34d5f2d4577ed6d9ceec516c1f5a744","tlsh":"23F4AE212684C9C0D93E67B4D43584F003BABD16D631F69F6E887C693EB32D2D63B646","telfhash":null,"ssdeep":"12288:8t11ulRZRLZNh4YeX6f6XmwNShqE73YXy7moh:S11gZpZNmBX06WmAcy7m0","tags":["exe","SnakeKeylogger"],"code_sign":[],"intelligence":{"clamav":null,"downloads":"38","uploads":"1","mail":{"Generic":"low"}}}
{"sha256_hash":"0661d87116f44cbd5b5c6bec7fb06c4e5cd5b6ecbc5455d959e65f1ee46c54c8","sha3_384_hash":"ed5d03454121d81adf65a01ba90af81b1a7cea052709c22bb9170508069d17242861f85e5546b2cc3efb07c10926368c","sha1_hash":"a34fd5e57d75d17bc2d84055ca4752e5ee2e92f5","md5_hash":"596b3dbf07a287dcf76860b5e54762c3","first_seen":"2021-04-06 19:47:13","last_seen":null,"file_name":"New Order PO#121012020_____PDF_______.exe","file_size":836096,"file_type_mime":"application/x-dosexec","file_type":"exe","reporter":"James_inthe_box","origin_country":"FR","anonymous":0,"signature":"AgentTesla","imphash":"f34d5f2d4577ed6d9ceec516c1f5a744","tlsh":"A505CF712694C9A4FABD53B80434403007F5FE42E232FA9A6FD17C993E72782DA3B655","telfhash":null,"ssdeep":"12288:qRedcNeqimzAEmN03VgdZfBOMx+RVBM7pdWje9ppB5nAZGNY2:ZaNeqikqN0udZfBFUYp55nFN","tags":["AgentTesla","exe"],"code_sign":[],"intelligence":{"clamav":null,"downloads":"40","uploads":"1","mail":{"Generic":"low"}}}
{"sha256_hash":"4fccd38f504290cf5c70e7336071a90a064303c7fdf5c17f7c38001768bce115","sha3_384_hash":null,"sha1_hash":"3a83bb68be29e1f18fc9d328d952fd228abfae2a","md5_hash":"e614a69d706913376ab2bb20a703dcf5","first_seen":"2022-08-30 22:36:54","last_seen":null,"file_name":"4fccd38f504290cf5c70e7336071a90a064303c7fdf5c17f7c38001768bce115","file_size":246816,"file_type_mime":"application/x-dosexec","file_type":"exe","reporter":"OSimao","anonymous":0,"signature":"Dridex","imphash":"53654c59ffb323a249342d35a6b65745","tlsh":"T17034B0A0F196C8DAF85765B54C5FE9201012AAAED4B1D51E20EB3B39E8F33531077A4F","telfhash":null,"gimphash":null,"ssdeep":"3072:KWiPOo14wwI606CzpJEPlp+K2b1WvAUQdk5m84D2KQdXtvkDqW0TrHbed2rT2pN8:KWdEj6rapJEPr11AXdQm84Dr0OOPSR4","dhash_icon":"79e4e4ccccc4c4c0","tags":["Dridex","exe","signed"],"code_sign":[{"subject_cn":"\"VERONIKA 2\" OOO","issuer_cn":"Sectigo RSA Code Signing CA","algorithm":"sha256WithRSAEncryption","valid_from":"2019-07-15T00:00:00Z","valid_to":"2020-06-27T23:59:59Z","serial_number":"e573d9c8b403c41bd59ffa0a8efd4168","thumbprint_algorithm":"SHA256","thumbprint":"a9ab2be0ea677c6c6ed67b23cfee0fa44bfb346a4bb720f10a3f02a78b8f5c82","cscb_listed":false,"cscb_reason":""}]}
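Review bot: The added sample exercises exactly one `code_sign` entry, and its `thumbprint_algorithm` is `SHA256` in mixed case while the other three records carry `"code_sign":[]`, so the pipeline's handling of the thumbprint is only tested on the happy path. Nothing here covers a signer whose `thumbprint_algorithm` is not SHA-256, a record with two entries in `code_sign`, or `code_sign` absent/`null`, which are the cases most likely to misbehave after the change to a nested field. I'd add one more line to this fixture with two signers where the second uses a different thumbprint algorithm, so the expected output shows whether the thumbprint is copied into the hash fields unconditionally or only when the algorithm matches. The pipeline itself is outside this section, so that gating is an assumption to confirm.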
Expand Up @@ -25,11 +25,13 @@
},
"related": {
"hash": [
"0af07660056a692b7cb82fa329221ddd",
"a71fd0504821092e003f350080a6bcc5fa6a972e",
"3b454eb6421d17d093f19292b64d30bf918cb91e9322d0e2d2512857997f574ea2ca5b005133c16f6c33c7cee9c1bd0e",
"5bce7d528c1363104a93fbb5a7fa9bdd991ce929cc09cc7fb29052a68d4fd24b",
"F9848B24AF932F9BC6CCC1FE50C2D165C9A9F85DD2B1251A73B6CB89FE00544ED2C686",
"3072:DsPPK3p+8r5igrL1Tq50cVBDmDJhE9yV4veedHrP6FXK7:D+PL8bronBDmDJ69JeedHriFG",
"f34d5f2d4577ed6d9ceec516c1f5a744",
"F9848B24AF932F9BC6CCC1FE50C2D165C9A9F85DD2B1251A73B6CB89FE00544ED2C686"
"0af07660056a692b7cb82fa329221ddd",
"f34d5f2d4577ed6d9ceec516c1f5a744"
]
},
"tags": [
Expand Down Expand Up @@ -87,10 +89,12 @@
},
"related": {
"hash": [
"296aad7075596d21516b30bfbc17fcac",
"c454be4eb0892d61a4ad6bac16f97724e73cd795",
"0a1536add280715320040d5ac5340d3b205d90045ff5c90993b8e909edb9b3e9338b3ffbb3febcaf82584d00d516e8c7",
"83d0429a2c5f1b611ebc30391eeeb75bebb51212ee1af51dbcf2624b48f9d27f",
"74A4233B9A6D5CA02B224AA69F37537D13A8406300944EAEFD375CA431583056B9F6FF",
"12288:j++y4mulTPaYJSaHwvJblQpLGwYeHU9vPpNGd+Zr:j3HPaMtQxblje01pNHZr",
"74A4233B9A6D5CA02B224AA69F37537D13A8406300944EAEFD375CA431583056B9F6FF"
"296aad7075596d21516b30bfbc17fcac"
]
},
"tags": [
Expand Down Expand Up @@ -149,11 +153,13 @@
},
"related": {
"hash": [
"a4838dd31c672122441bebcbf7e9d277",
"bf103996196df8255881127dee103c22fc12bef3",
"ee7586cb085fde3c14c9c1bea4635ccb30b1af2020f64e87a9983e61b05026ec9b35255670a3d9ecaab436c4ba302dcc",
"f4910ea08d14eeb634084de47cf590d4dc5e554552f111da20d22ae71d7b425b",
"0C947D11BA96C473E572163008399F6A17BE7A900B704BDBE3CC097E4E755C24B36BA7",
"12288:L2X/txpFDEVkUNglTovKfoLy+hqK/cEUMMlGOG:RzglgLm/9lGOG",
"0b5a952a025c2783c3126cdb9bef2844",
"0C947D11BA96C473E572163008399F6A17BE7A900B704BDBE3CC097E4E755C24B36BA7"
"a4838dd31c672122441bebcbf7e9d277",
"0b5a952a025c2783c3126cdb9bef2844"
]
},
"tags": [
Expand Down Expand Up @@ -217,10 +223,12 @@
},
"related": {
"hash": [
"8d7c8b55ac49d241fb7f75a27a5ef8d5",
"a68ca1b41cb93fe2879bb3baeb8e19990758f099",
"788f61cf45bbc8cad5775de18d0d5f42c4e028af0aaa34c570645efc96af8ebc3d7fe330aaf22ef34d35360bbd4a708c",
"e45ffc61a85c2f5c0cbe9376ff215cad324bf14f925bf52ec0d2949f7d235a00",
"AE3222515C6A881A03B3C66F7992B844FB588303C7116607F6FC86782F79568CAF1BBD",
"192:z7X/yHo/yz/yBKiSOINLyhQMYd+LiTfq6LTf3ZoTta3Grj6rg2:z7CIKnNNLwufPfAPq7",
"AE3222515C6A881A03B3C66F7992B844FB588303C7116607F6FC86782F79568CAF1BBD"
"8d7c8b55ac49d241fb7f75a27a5ef8d5"
]
},
"tags": [
Expand Down Expand Up @@ -279,10 +287,12 @@
},
"related": {
"hash": [
"fe185f106730583156f39233f77f8019",
"e8378aede9f26f09b7d503d79a05d67612be15f6",
"752e5d56a166227d06f8cbd40cd3f693f543f9c3f798c673c1430957bb7e149a12d9158138fa449479105f472e70f68f",
"42f5f5474431738f91f612d9765b3fc9b85a547274ea64aa034298ad97ad28f4",
"13863341B085EE2EE2CA41BA0DA9C2BD43B63D131E054F677269B72D3EB76E0E7D4144",
"196608:KQaeKLOiBEp+uc+iuYmbMdHmN1Rwyd2jecXeaH1pHE+2:oeIOTp+p+iNJC1ChjhXZ1pHz2",
"13863341B085EE2EE2CA41BA0DA9C2BD43B63D131E054F677269B72D3EB76E0E7D4144"
"fe185f106730583156f39233f77f8019"
]
},
"tags": [
Expand Down Expand Up @@ -342,11 +352,13 @@
},
"related": {
"hash": [
"70da6872b6b2da9ddc94d14b02302917",
"b2da45913353bfc66d189455f9ad80ef26968143",
"c82132559381b7b3b184b4ce8c7a58c301a46001621f346b637139f5987dee968ae2ef009a17b2388852b2db15a45b58",
"2d705f0b76f24a18e08163db2f187140ee9f03e43697a9ea0d840c829692d43c",
"A2D38C067790C071DAAF013908799E624B7F7D70DDB49D8B77841A8E69342D0AF3AB27",
"1536:2NVi7z0r0lJRn6I8+YDgr1fnWG5Ff0+adgBYlCtMiQMX1c0E4JsWjcdonPv870E1:YM7zh8+Cofnp5eRm6riQ6OZoPv870E",
"6476b7c4dd55eafbdf922a7ba1e2d5f9",
"A2D38C067790C071DAAF013908799E624B7F7D70DDB49D8B77841A8E69342D0AF3AB27"
"70da6872b6b2da9ddc94d14b02302917",
"6476b7c4dd55eafbdf922a7ba1e2d5f9"
]
},
"tags": [
Expand Down Expand Up @@ -404,10 +416,12 @@
},
"related": {
"hash": [
"de80e1d7d9f5b1c64ec9f8d4f5063989",
"3d613d5678e43faeea1c636185a0b4c3ec80e742",
"a3ec981ed158fe08cc2cd97303807cfbed147e59ccfd92fcaa9395c5718b4d9b892d6e9fa6337f5976dc1bd042562fe4",
"30787f32adc487311d764b19d4504fdeab08c0d385e2fa065bd8d5836c031606",
"8635D001BA82C573D5621A35083ADBAA177E7D604F704ADBB3C83B2E5D355C14B32BA7",
"24576:WKEiZxl3A4yJJG2dPQQCthXzglgLm/9lGO:WKEGByvGOQQC/XElga/9lGO",
"8635D001BA82C573D5621A35083ADBAA177E7D604F704ADBB3C83B2E5D355C14B32BA7"
"de80e1d7d9f5b1c64ec9f8d4f5063989"
]
},
"tags": [
Expand Down Expand Up @@ -470,11 +484,13 @@
},
"related": {
"hash": [
"2759c73c986c6a757bf9d25621c5595a",
"00b52e8ca1785d5086703ad8cff1d28fc3354934",
"138dc28a74d15c1f9797ce732e99097c8c6db4549cb17cb7b20c1c6738a170328e45aea2d4c3b593912f14a97f521c1d",
"84f983067868de50e5b1553782c056c1f5b5118bb2084473ca4b6908f221cd3b",
"23F4AE212684C9C0D93E67B4D43584F003BABD16D631F69F6E887C693EB32D2D63B646",
"12288:8t11ulRZRLZNh4YeX6f6XmwNShqE73YXy7moh:S11gZpZNmBX06WmAcy7m0",
"f34d5f2d4577ed6d9ceec516c1f5a744",
"23F4AE212684C9C0D93E67B4D43584F003BABD16D631F69F6E887C693EB32D2D63B646"
"2759c73c986c6a757bf9d25621c5595a",
"f34d5f2d4577ed6d9ceec516c1f5a744"
]
},
"tags": [
Expand Down Expand Up @@ -541,11 +557,13 @@
},
"related": {
"hash": [
"596b3dbf07a287dcf76860b5e54762c3",
"a34fd5e57d75d17bc2d84055ca4752e5ee2e92f5",
"ed5d03454121d81adf65a01ba90af81b1a7cea052709c22bb9170508069d17242861f85e5546b2cc3efb07c10926368c",
"0661d87116f44cbd5b5c6bec7fb06c4e5cd5b6ecbc5455d959e65f1ee46c54c8",
"A505CF712694C9A4FABD53B80434403007F5FE42E232FA9A6FD17C993E72782DA3B655",
"12288:qRedcNeqimzAEmN03VgdZfBOMx+RVBM7pdWje9ppB5nAZGNY2:ZaNeqikqN0udZfBFUYp55nFN",
"f34d5f2d4577ed6d9ceec516c1f5a744",
"A505CF712694C9A4FABD53B80434403007F5FE42E232FA9A6FD17C993E72782DA3B655"
"596b3dbf07a287dcf76860b5e54762c3",
"f34d5f2d4577ed6d9ceec516c1f5a744"
]
},
"tags": [
Expand Down Expand Up @@ -582,6 +600,110 @@
"alias": "AgentTesla"
}
}
},
{
"abusech": {
"malwarebazaar": {
"anonymous": 0,
"code_sign": [
{
"algorithm": "sha256WithRSAEncryption",
"cscb_listed": false,
"cscb_reason": "",
"issuer_cn": "Sectigo RSA Code Signing CA",
"serial_number": "e573d9c8b403c41bd59ffa0a8efd4168",
"subject_cn": "\"VERONIKA 2\" OOO",
"thumbprint": "a9ab2be0ea677c6c6ed67b23cfee0fa44bfb346a4bb720f10a3f02a78b8f5c82",
"thumbprint_algorithm": "sha256",
"valid_from": "2019-07-15T00:00:00Z",
"valid_to": "2020-06-27T23:59:59Z"
}
],
"dhash_icon": "79e4e4ccccc4c4c0",
"tags": [
"Dridex",
"exe",
"signed"
]
}
},
"ecs": {
"version": "8.4.0"
},
"event": {
"category": "threat",
"kind": "enrichment",
"original": "{\"sha256_hash\":\"4fccd38f504290cf5c70e7336071a90a064303c7fdf5c17f7c38001768bce115\",\"sha3_384_hash\":null,\"sha1_hash\":\"3a83bb68be29e1f18fc9d328d952fd228abfae2a\",\"md5_hash\":\"e614a69d706913376ab2bb20a703dcf5\",\"first_seen\":\"2022-08-30 22:36:54\",\"last_seen\":null,\"file_name\":\"4fccd38f504290cf5c70e7336071a90a064303c7fdf5c17f7c38001768bce115\",\"file_size\":246816,\"file_type_mime\":\"application/x-dosexec\",\"file_type\":\"exe\",\"reporter\":\"OSimao\",\"anonymous\":0,\"signature\":\"Dridex\",\"imphash\":\"53654c59ffb323a249342d35a6b65745\",\"tlsh\":\"T17034B0A0F196C8DAF85765B54C5FE9201012AAAED4B1D51E20EB3B39E8F33531077A4F\",\"telfhash\":null,\"gimphash\":null,\"ssdeep\":\"3072:KWiPOo14wwI606CzpJEPlp+K2b1WvAUQdk5m84D2KQdXtvkDqW0TrHbed2rT2pN8:KWdEj6rapJEPr11AXdQm84Dr0OOPSR4\",\"dhash_icon\":\"79e4e4ccccc4c4c0\",\"tags\":[\"Dridex\",\"exe\",\"signed\"],\"code_sign\":[{\"subject_cn\":\"\\\"VERONIKA 2\\\" OOO\",\"issuer_cn\":\"Sectigo RSA Code Signing CA\",\"algorithm\":\"sha256WithRSAEncryption\",\"valid_from\":\"2019-07-15T00:00:00Z\",\"valid_to\":\"2020-06-27T23:59:59Z\",\"serial_number\":\"e573d9c8b403c41bd59ffa0a8efd4168\",\"thumbprint_algorithm\":\"SHA256\",\"thumbprint\":\"a9ab2be0ea677c6c6ed67b23cfee0fa44bfb346a4bb720f10a3f02a78b8f5c82\",\"cscb_listed\":false,\"cscb_reason\":\"\"}]}",
"type": "indicator"
},
"related": {
"hash": [
"3a83bb68be29e1f18fc9d328d952fd228abfae2a",
"4fccd38f504290cf5c70e7336071a90a064303c7fdf5c17f7c38001768bce115",
"a9ab2be0ea677c6c6ed67b23cfee0fa44bfb346a4bb720f10a3f02a78b8f5c82",
"T17034B0A0F196C8DAF85765B54C5FE9201012AAAED4B1D51E20EB3B39E8F33531077A4F",
"3072:KWiPOo14wwI606CzpJEPlp+K2b1WvAUQdk5m84D2KQdXtvkDqW0TrHbed2rT2pN8:KWdEj6rapJEPr11AXdQm84Dr0OOPSR4",
"e614a69d706913376ab2bb20a703dcf5",
"53654c59ffb323a249342d35a6b65745"
]
},
"tags": [
"preserve_original_event"
],
"threat": {
"indicator": {
"file": {
"elf": {},
"extension": "exe",
"hash": {
"md5": "e614a69d706913376ab2bb20a703dcf5",
"sha1": "3a83bb68be29e1f18fc9d328d952fd228abfae2a",
"sha256": [
"4fccd38f504290cf5c70e7336071a90a064303c7fdf5c17f7c38001768bce115",
"a9ab2be0ea677c6c6ed67b23cfee0fa44bfb346a4bb720f10a3f02a78b8f5c82"
],
"ssdeep": "3072:KWiPOo14wwI606CzpJEPlp+K2b1WvAUQdk5m84D2KQdXtvkDqW0TrHbed2rT2pN8:KWdEj6rapJEPr11AXdQm84Dr0OOPSR4",
"tlsh": "T17034B0A0F196C8DAF85765B54C5FE9201012AAAED4B1D51E20EB3B39E8F33531077A4F"
},
"mime_type": "application/x-dosexec",
"name": "4fccd38f504290cf5c70e7336071a90a064303c7fdf5c17f7c38001768bce115",
"pe": {
"imphash": "53654c59ffb323a249342d35a6b65745"
},
"size": 246816,
"x509": {
"issuer": {
"common_name": [
"Sectigo RSA Code Signing CA"
]
},
"not_after": [
"2020-06-27T23:59:59Z"
],
"not_before": [
"2019-07-15T00:00:00Z"
],
"public_key_algorithm": [
"sha256WithRSAEncryption"
],
"serial_number": [
"e573d9c8b403c41bd59ffa0a8efd4168"
],
"subject": {
"common_name": [
"\"VERONIKA 2\" OOO"
]
}
}
},
"first_seen": "2022-08-30T22:36:54.000Z",
"provider": "OSimao",
"type": "file"
},
"software": {
"alias": "Dridex"
}
}
}
]
}
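Review bot: In the new Dridex record the signing certificate's thumbprint is placed in `threat.indicator.file.hash.sha256` alongside the sample's own SHA-256 (the two-element array under `"sha256"`), which conflates a hash of the certificate with a hash of the file; any rule or lookup matching on `file.hash.sha256` would now fire on every binary signed with that certificate, and the field changes shape from a single value to an array only for signed samples. Keeping the thumbprint in `related.hash` for pivoting is fine, but for the structured field I'd store it with the certificate instead, e.g. `"x509": { …, "thumbprint": ["a9ab2be0…8b8f5c82"], "thumbprint_algorithm": ["sha256"] }` as custom fields (ECS x509, as far as I recall, has no thumbprint field), and leave `file.hash.sha256` single-valued. Separately, `sha256WithRSAEncryption` is a signature algorithm, so it belongs in `x509.signature_algorithm` rather than `x509.public_key_algorithm`; that mapping may predate this commit. The ingest pipeline that produces this output is not in this section, so whether the copy is already gated on `thumbprint_algorithm` is inferred from the expected output only.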