Open Hunting - Threat Library

Openhunting Threat Library

STASHLOG

(Type: Loader)

(Cybereason) STASHLOG (shiver.exe / forsrv.exe) is a 32 bit executable that is being used to prepare the victim machine for further compromise, and to “stash” a malicious, encrypted payload to a CLFS log file. This payload will be decrypted at each phase to deliver the next phase in the infection.

[News Analysis] Trends:

Total Trend: 4

Trend Per Year

2021

2022

Trend Per Month

Sep 2021

May 2022

[News Analysis] News Mention Another Threat Name:

[TTP Analysis] Technique Performance:

[TTP Analysis] Mitre Attack Matrix:

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact

[Infrastructure Analysis] Based on Related IOC:

IP:Port	Timestamp

Domain	Timestamp

URL	Timestamp

[Target Analysis] Region/Sector:

No information

References:

News Basic Information Indicator of Compromise Mitre Attack

News Article (Credit @Malpedia)

Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques

2022-05-04 by Chen Erlich from Cybereason

Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive

2022-05-04 by Chen Erlich from Cybereason

Twitter thread on SPARKLOG, a launcher component for PRIVATELOG along with STASHLOG

2021-09-03 by ESET Research from Twitter (@ESETresearch)

Too Log; Didn't Read — Unknown Actor Using CLFS Log Files for Stealth

2021-09-01 by Adrien Bataille from FireEye

Basic Information (Credit @etda.or.th)

Tool: STASHLOG

Names: STASHLOG

Description: (Cybereason) STASHLOG (shiver.exe / forsrv.exe) is a 32 bit executable that is being used to prepare the victim machine for further compromise, and to “stash” a malicious, encrypted payload to a CLFS log file. This payload will be decrypted at each phase to deliver the next phase in the infection.

Category: Malware

Type: Loader

Information: https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive

Information: https://www.mandiant.com/resources/unknown-actor-using-clfs-log-files-for-stealth

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.stashlog

Last-card-change: 2022-12-27

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact