{
  "Event": {
    "analysis": "1",
    "date": "2024-07-01",
    "extends_uuid": "",
    "info": "[Threat Intel] Functional Analysis of FrostyGoop ICS Malware pt. 1/2",
    "protected": false,
    "publish_timestamp": "1772407356",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772407355",
    "uuid": "2be127c7-1bef-4b56-aa83-d166b6efb74f",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"FrostyGoop\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#f63636",
        "local": false,
        "name": "ICS-specific",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Energy\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772361574",
        "to_ids": false,
        "type": "link",
        "uuid": "6f832e55-7f88-496d-90d1-4287eca44afd",
        "value": "https://www.remyjaspers.com/blog/frostygoop/"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772361574",
        "to_ids": false,
        "type": "link",
        "uuid": "82762c30-85eb-4374-97f2-d625dc3064e0",
        "value": "https://www.remyjaspers.com/blog/frostygoop2/"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772361919",
        "uuid": "68dbc191-6e22-4a93-9068-2d5d36b7bae2",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772361919",
            "to_ids": false,
            "type": "text",
            "uuid": "b7018be1-4822-478d-b0fd-6d829d06bdb7",
            "value": "MAL_Go_Modbus_Jul24_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772361919",
            "to_ids": false,
            "type": "comment",
            "uuid": "de87a912-d45b-4bf1-921b-1603a029bc48",
            "value": "Detects characteristics reported by Dragos for FrostyGoop ICS malware"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772361919",
            "to_ids": true,
            "type": "yara",
            "uuid": "26512a1a-36d9-4fc4-b4a9-99b07f7f3420",
            "value": "rule MAL_Go_Modbus_Jul24_1 {\r\n   meta:\r\n      description = \"Detects characteristics reported by Dragos for FrostyGoop ICS malware\"\r\n      author = \"Florian Roth\"\r\n      reference = \"https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_.pdf\"\r\n      date = \"2024-07-23\"\r\n      modified = \"2024-07-24\"\r\n      score = 75\r\n      hash1 = \"5d2e4fd08f81e3b2eb2f3eaae16eb32ae02e760afc36fa17f4649322f6da53fb\"\r\n   strings:\r\n      $a1 = \"Go build\"\r\n\r\n      $sa1 = \"github.com/rolfl/modbus\"\r\n\r\n      $sb1 = \"main.TaskList.executeCommand\"\r\n      $sb2 = \"main.TargetList.getTargetIpList\"\r\n      $sb3 = \"main.TaskList.getTaskIpList\"\r\n      $sb4 = \"main.CycleInfo\" fullword\r\n   condition:\r\n      filesize < 30MB\r\n      and (\r\n         $sa1\r\n         and 3 of ($sb*)\r\n      )\r\n      or 4 of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772368735",
        "uuid": "847da41c-9644-4e5c-89da-51667c668ae2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772368735",
            "to_ids": true,
            "type": "md5",
            "uuid": "07463ed3-bbd3-440a-97cf-a6148b4735da",
            "value": "0f302500bf0565737f09e75cd56b8088",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772367766",
            "to_ids": true,
            "type": "sha1",
            "uuid": "dae438ce-2180-4608-8290-9084ffe9e0bd",
            "value": "6a572f0395439e3ba00e1b32c3dfb729d7a197cd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772367766",
            "to_ids": true,
            "type": "sha256",
            "uuid": "faf7654b-de21-4b6d-9e4f-67d80a3de8ad",
            "value": "5d2e4fd08f81e3b2eb2f3eaae16eb32ae02e760afc36fa17f4649322f6da53fb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772367027",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f568b47c-0b6f-4c63-9c10-168b9b4615ab",
            "value": "49152:zZ02M3iGhwlrb/TlvO90d7HjmAFd4A64nsfJ2tDgsAwe9kSPgaS7r/a++lD1H54b:Whka4uNoPy5stb"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772367027",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "3858e984-f77a-4a1a-80cb-bded41505a8c",
            "value": "3699200"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772367027",
            "to_ids": true,
            "type": "vhash",
            "uuid": "daf36708-37cb-45fa-84e0-73dc015f27f9",
            "value": "0360d6655d15557575157az28!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772367027",
            "to_ids": true,
            "type": "filename",
            "uuid": "010b6f09-9fdf-43d7-87bf-158bd3aa8a1b",
            "value": "5d2e4fd08f81e3b2eb2f3eaae16eb32ae02e760afc36fa17f4649322f6da53fb (2).exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan: 27/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772367027",
            "to_ids": false,
            "type": "text",
            "uuid": "7e2c9060-84c5-4462-9ae8-14342c7f5bfb",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/FrostyGoop.A!MTB\nVT Total Detection: 54/72\nFirst Submission: 2023-10-30T16:13:12.000000+00:00\nLast Submission: 2026-02-27T08:27:33.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772368756",
        "uuid": "dfc83a2f-b5fb-481b-bfb5-34ce076ed534",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772368756",
            "to_ids": true,
            "type": "md5",
            "uuid": "b30365a0-4601-48d5-938f-43b82b3c4052",
            "value": "db210c39721c58c4c3fbf0c8d6cb3d0e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772367767",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ad2fbc67-e7c2-4476-b6d2-29f6d9557ed3",
            "value": "a469583ded8d2cc7c5388a10c5f7a10331f38c16",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772367767",
            "to_ids": true,
            "type": "sha256",
            "uuid": "794e7869-e5fd-437a-923a-61b41845268a",
            "value": "a63ba88ad869085f1625729708ba65e87f5b37d7be9153b3db1a1b0e3fed309c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772367048",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7a3acfe3-e24c-4c35-ab06-89731f50e7f8",
            "value": "49152:0TpI9F/cfr6XcJrb/TkvO90d7HjmAFd4A64nsfJyhrQRhdyg1a5SJZpIMgD1:BU6qHQ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772367048",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "3d31586b-96a0-40b9-9daa-5a0c686b961d",
            "value": "2439680"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772367048",
            "to_ids": true,
            "type": "vhash",
            "uuid": "519489a9-be74-4551-8a6f-bc09b29d041f",
            "value": "026066655d1d15541az27!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772367048",
            "to_ids": true,
            "type": "filename",
            "uuid": "b3549ebe-26bc-4071-8945-abbc554a3efd",
            "value": "a63ba88ad869085f1625729708ba65e87f5b37d7be9153b3db1a1b0e3fed309c.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan: 09/01/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772367048",
            "to_ids": false,
            "type": "text",
            "uuid": "297ce733-0de4-4aad-adfa-e025bdfa5905",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/CryptInject!MSR\nVT Total Detection: 48/70\nFirst Submission: 2023-10-30T09:27:04.000000+00:00\nLast Submission: 2026-02-27T08:36:13.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772368777",
        "uuid": "5ee1cc60-79c8-456c-be2b-65658e2d32b5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772368777",
            "to_ids": true,
            "type": "md5",
            "uuid": "b8270df1-28f9-4ea4-a7d3-a91d30770ed1",
            "value": "9194351159ea3faba1783895c2a17293",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772367768",
            "to_ids": true,
            "type": "sha1",
            "uuid": "adba8002-d0d7-48e0-8834-864adafdd9a1",
            "value": "cea3a3366d4b41c1d214e9e4d6680d5fe4e16d23",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772367768",
            "to_ids": true,
            "type": "sha256",
            "uuid": "3eabc137-7b0b-4e84-86a2-43f648921f91",
            "value": "2fd9cb69ef30c0d00a61851b2d96350a9be68c7f1f25a31f896082cfbf39559a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772367071",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "29015c53-eebc-42d2-9cf0-b5b948a552e2",
            "value": "49152:lad5PdCdsVIrb/TIvO90d7HjmAFd4A64nsfJsV5T04UA1xg6tqjDdOuggxRYYJmC:G04TSY"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772367071",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "34d4def9-75ef-48a9-bcdc-dc033ea172b1",
            "value": "3359232"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772367071",
            "to_ids": true,
            "type": "vhash",
            "uuid": "6a760583-638e-41c1-9ecc-411dd6cd7937",
            "value": "036066655d1d15541az27!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772367071",
            "to_ids": true,
            "type": "filename",
            "uuid": "b4085717-248b-49eb-9aa5-5b9bae1ae753",
            "value": "malware.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan: 18/12/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772367071",
            "to_ids": false,
            "type": "text",
            "uuid": "478c35a7-7ee0-4ef9-9a6b-5fcb85be744d",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Malgent!MSR\nVT Total Detection: 48/71\nFirst Submission: 2023-10-30T16:09:31.000000+00:00\nLast Submission: 2025-02-12T04:48:59.000000+00:00"
          }
        ]
      }
    ]
  }
}