{
  "Event": {
    "analysis": "0",
    "date": "2024-02-28",
    "extends_uuid": "",
    "info": "[Zscaler] WINELOADER Analysis",
    "protected": false,
    "publish_timestamp": "0",
    "published": false,
    "threat_level_id": "4",
    "timestamp": "1718784997",
    "uuid": "65df11f4-0cf0-4f14-9c7c-4ef00abe1822",
    "Orgc": {
      "name": "CERT-FR",
      "uuid": "56bdf779-46f8-4353-bdf9-2bb95bce2212"
    },
    "Tag": [
      {
        "colour": "#f89595",
        "local": false,
        "name": "fr-classif:non-classifiees=\"NON-CLASSIFIEES\"",
        "relationship_type": ""
      },
      {
        "colour": "#007350",
        "local": false,
        "name": "cert-fr:fiabilite=\"Moderee\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "PAP:CLEAR",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "Other",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1718784997",
        "to_ids": true,
        "type": "comment",
        "uuid": "63a15be3-4f94-43fd-96cf-6b1260b9d84f",
        "value": "IOCs from a blog post presenting an analysis of a MOA SPIKEDWINE campaign. This campaign exploits geopolitical relations between India and European diplomats. It uses spearphishing to drop the WINELOADER backdoor on compromised machines.",
        "Tag": [
          {
            "colour": "#00af7a",
            "local": false,
            "name": "DescriptionTechnique",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "WINELOADER C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1709117940",
        "to_ids": true,
        "type": "url",
        "uuid": "1d8aacd4-a38a-4580-9d5f-9098eaf325dc",
        "value": "https://castechtools.com/api.php"
      },
      {
        "category": "Network activity",
        "comment": "Downloads base64-encoded ZIP archive from this URL",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1709117940",
        "to_ids": true,
        "type": "url",
        "uuid": "343adb88-9383-45ae-824c-aa3fb883095f",
        "value": "https://seeceafcleaners.co.uk/cert.php"
      },
      {
        "category": "Network activity",
        "comment": "Downloads the ZIP archive containing the wine.hta file",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1709117940",
        "to_ids": true,
        "type": "url",
        "uuid": "39b72c1d-e74e-4d47-97cf-642b7d072766",
        "value": "https://seeceafcleaners.co.uk/wine.php"
      },
      {
        "category": "Network activity",
        "comment": "Downloads the ZIP archive containing the wine.hta file (IOC from July 2023)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1709117940",
        "to_ids": true,
        "type": "url",
        "uuid": "e262a7e1-8db1-4eb0-981c-5e1d7ffc7542",
        "value": "https://passatempobasico.com.br/wine.php"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1709117940",
        "to_ids": true,
        "type": "domain",
        "uuid": "44503fca-03df-48b3-84c7-6219fcf87ff9",
        "value": "castechtools.com"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1709117940",
        "to_ids": true,
        "type": "domain",
        "uuid": "3df5d616-66e8-4114-90b4-679fe55f7984",
        "value": "seeceafcleaners.co.uk"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1709117940",
        "to_ids": true,
        "type": "domain",
        "uuid": "2d92ab59-6bc3-4237-8701-a2547b5d1edb",
        "value": "passatempobasico.com.br"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1709117941",
        "to_ids": true,
        "type": "filename",
        "uuid": "c7c45aa0-2c3b-445a-b002-a80611bd0d2e",
        "value": "%WINDIR%\\Tasks\\text.txt"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1709117941",
        "to_ids": true,
        "type": "filename",
        "uuid": "3c14fb31-245b-4c37-b661-6a1bf9181243",
        "value": "%WINDIR%\\Tasks\\text.zip"
      },
      {
        "category": "Other",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1709215510",
        "to_ids": true,
        "type": "comment",
        "uuid": "fadd2652-57b2-4d09-ae84-58c6933aabb0",
        "value": "2023-07-01",
        "Tag": [
          {
            "colour": "#000000",
            "local": false,
            "name": "cert-fr:relevantTimespan=\"from\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "WINELOADER core module loader",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "15",
        "timestamp": "1709117941",
        "uuid": "dba88b80-09a5-44b1-9dac-950f8884765c",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1709117941",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d042efe2-20b6-4d7d-b266-72e039577a55",
            "value": "98736"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "entropy",
            "timestamp": "1709117941",
            "to_ids": false,
            "type": "float",
            "uuid": "45ddee0a-9c2f-4be7-8fd2-e964f59e6570",
            "value": "7.1357010202951"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "md5",
            "uuid": "aa74cf16-d712-483a-a6a6-a799a7ab30ea",
            "value": "7961263963841010a049265956b14666"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0dcbad5d-df4a-48c8-9868-7ddaa1a20765",
            "value": "dd66cdc4242e8561ddacbcd1de95011fef927963"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "sha256",
            "uuid": "30203c37-ad46-4f03-92cb-1053420229d5",
            "value": "72b92683052e0c813890caf7b4f8bfd331a8b2afc324dd545d46138f677178c4"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha512",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "sha512",
            "uuid": "b05972ad-06f8-43d5-b7ff-174f3295380b",
            "value": "a8b1da926bc45ec940049016c8cbab5720bf35c004ea6f4564bfca229f4658d21772329b6e8eb545e4247bcf0204a00959810633c0e00184f22f6d134b77cb4a"
          },
          {
            "category": "Artifacts dropped",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "mimetype",
            "timestamp": "1709117941",
            "to_ids": false,
            "type": "mime-type",
            "uuid": "73a8d14c-38f5-4cc0-a62a-5a8e7235b250",
            "value": "PE32+ executable (DLL) (console) x86-64, for MS Windows"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "filename",
            "uuid": "edae5262-4063-4a70-86c9-7eb6b4ff2164",
            "value": "vcruntime140.dll"
          }
        ]
      },
      {
        "comment": "July 2023 invitation",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "15",
        "timestamp": "1709117941",
        "uuid": "b2912ac0-5961-495e-8ecf-5f63ae7e93eb",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1709117941",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5e89860d-cb12-471d-9d16-1ff5ea83a3dd",
            "value": "41459"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "entropy",
            "timestamp": "1709117941",
            "to_ids": false,
            "type": "float",
            "uuid": "9f6607ac-0ee8-4cdf-8b9f-15ddf5d9c346",
            "value": "7.9059738858361"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "md5",
            "uuid": "32a7dbf4-7f5f-4145-b2be-f65c4b9b319d",
            "value": "30a762f747ba9432673b8b94066b270a"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7965b2ab-2ddb-4ded-a230-c9d5d5b6dc30",
            "value": "ba10a6e635ea2972ba49b97372882287e555977f"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c831fdac-bf23-4fc5-982d-e5997dcfcf72",
            "value": "ad43bbb21e2524a71bad5312a7b74af223090a8375f586d65ff239410bbd81a7"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha512",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "sha512",
            "uuid": "b9b4a297-042e-4524-98da-77abd1c7c9b3",
            "value": "b3e358db1dd25a15f3920a0477e01a64116c26a56d2b5df5cc14d10f2e1768e905727a0b3a59f72e8f3526592891a79f2266329391665761a08aa5b00c410132"
          },
          {
            "category": "Artifacts dropped",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "mimetype",
            "timestamp": "1709117941",
            "to_ids": false,
            "type": "mime-type",
            "uuid": "aff84fea-5d01-4cfa-81e7-b669e5625a25",
            "value": "PDF document, version 1.5, 1 pages"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "filename",
            "uuid": "14da0c8a-ebff-43ea-9645-7f53956c7145",
            "value": "wine.pdf"
          }
        ]
      },
      {
        "comment": "Feb 2024 invitation",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "15",
        "timestamp": "1709117941",
        "uuid": "70679281-45f9-46f5-8a5e-84373dd89f0b",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1709117941",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8c874217-34b7-4911-8e19-a10cd5c91d9b",
            "value": "41311"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "entropy",
            "timestamp": "1709117941",
            "to_ids": false,
            "type": "float",
            "uuid": "ac2ab012-2934-41a0-a43c-8743c24494b7",
            "value": "7.9051312944466"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "md5",
            "uuid": "0c3c43e2-ac60-49ce-848a-327c5efacab2",
            "value": "6e1b219fc0db106ff3a6e982fb7b9241"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1f69e472-8860-4665-a803-a533e18c63b0",
            "value": "f6aad0fbffc4f3bbcdcdbd1deee11b298ef86039"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "sha256",
            "uuid": "42500820-a383-4733-b6d0-5c71e7010701",
            "value": "3739b2eae11c8367b576869b68d502b97676fb68d18cc0045f661fbe354afcb9"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha512",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "sha512",
            "uuid": "b5b21d78-fc5f-4b58-8557-d51a69a5611d",
            "value": "b16643a54ceda44e7fc2bb7462885841a36903dfe9bc15215993613638c22aea791f534b0d5def119dea2cf0712e33a949e08c9d60f07f64823a90309b550dfe"
          },
          {
            "category": "Artifacts dropped",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "mimetype",
            "timestamp": "1709117941",
            "to_ids": false,
            "type": "mime-type",
            "uuid": "5916dc9c-8935-4b52-9d20-33230b5c5d8e",
            "value": "PDF document, version 1.5, 1 pages"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "filename",
            "uuid": "46b3e6b8-f146-49c3-9c73-40e48826c559",
            "value": "wine.pdf"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "15",
        "timestamp": "1709117941",
        "uuid": "095a0691-c5a4-45cd-94d6-5529eada81ed",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1709117941",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7e6c4afb-c269-4624-91bb-53cee6505730",
            "value": "211547"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "entropy",
            "timestamp": "1709117941",
            "to_ids": false,
            "type": "float",
            "uuid": "6b3a28c0-7649-4aea-820e-c407eb2821f7",
            "value": "6.0447401809426"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "md5",
            "uuid": "a48affe0-457a-40da-b839-9572a97d6e28",
            "value": "9e07a9b8dd3ae5e360cfacc20bd1ec38"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "sha1",
            "uuid": "eadece99-7c5f-4fd7-b11f-263d74f65da5",
            "value": "74dd1d535e675406d45d747a30ffd86e194039c7"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "sha256",
            "uuid": "fd0c2d18-a8fb-4da2-8c74-44cb6bb01d04",
            "value": "1c7593078f69f642b3442dc558cddff4347334ed7c96cd096367afd08dca67bc"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha512",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "sha512",
            "uuid": "14d35186-c757-4a90-93ef-0c9f5d3824d7",
            "value": "da2bef9dac811cf67d245a1e0d2837db03e7281c735a462eb6b1344aff20aa43cb6aef2bfadb04e30669fbbb6fa9014d826061cd80e91407b44733485ca2ac0a"
          },
          {
            "category": "Artifacts dropped",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "mimetype",
            "timestamp": "1709117941",
            "to_ids": false,
            "type": "mime-type",
            "uuid": "e1fa1b79-b430-4922-82c4-e35e1987414e",
            "value": "HTML document, ASCII text, with very long lines (60629)"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "filename",
            "uuid": "2b80a96d-32b2-4f52-9e93-da631c909951",
            "value": "wine.hta"
          }
        ]
      },
      {
        "comment": "WINELOADER core module",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "15",
        "timestamp": "1709117941",
        "uuid": "e0bf3a65-1dec-47a2-a7d9-7c14eecbce9f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c5da187a-de32-4d55-ad94-4d05649e2eef",
            "value": "e477f52a5f67830d81cf417434991fe088bfec21984514a5ee22c1bcffe1f2bc"
          }
        ]
      },
      {
        "comment": "WINELOADER core module (RC4-encrypted)",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "15",
        "timestamp": "1709117941",
        "uuid": "a9fc2e0b-84e7-4f21-80dc-5a5143c5b1a7",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "sha256",
            "uuid": "11acc5ab-5bdb-4815-9054-72d5a8baccde",
            "value": "f61cee951b7024fca048175ca0606bfd550437f5ba2824c50d10bef8fb54ca45"
          }
        ]
      },
      {
        "comment": "WINELOADER persistence module loader",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "15",
        "timestamp": "1709117941",
        "uuid": "d60f3d40-5ec3-41f2-81d1-5f82f634f1cb",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1136aa28-81e8-40e4-8659-d6817861d4b1",
            "value": "c1223aa67a72e6c4a9a61bf3733b68bfbe08add41b73ad133a7c640ba265a19e"
          }
        ]
      },
      {
        "comment": "WINELOADER persistence module",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "15",
        "timestamp": "1709117941",
        "uuid": "8ff5809d-7a3b-45b9-be82-578b801405ab",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1709117941",
            "to_ids": true,
            "type": "sha256",
            "uuid": "17f80dce-c5de-4908-b833-9517ceb4f155",
            "value": "b014cdff3ac877bdd329ca0c02bdd604817e7af36ad82f912132c50355af0920"
          }
        ]
      },
      {
        "comment": "WINELOADER persistence module (RC4-encrypted)",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "15",
        "timestamp": "1709117942",
        "uuid": "f4f7d200-12b3-4eab-8733-f6f43e566f24",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1709117942",
            "to_ids": true,
            "type": "sha256",
            "uuid": "29adaa45-b36b-4545-8451-ff5008c837f6",
            "value": "7600d4bb4e159b38408cb4f3a4fa19a5526eec0051c8c508ef1045f75b0f6083"
          }
        ]
      }
    ]
  }
}