{ "exercise": { "description": "MISP Encoding Exercise : Flubot Malware", "expanded": "MISP Encoding Exercise : Flubot Malware", "meta": { "author": "MISP Project", "level": "beginner", "priority": 5 }, "name": "MISP Encoding Exercise : Flubot Malware", "namespace": "data-model", "tags": [ "exercise:software-scope=\"misp\"", "state:production" ], "total_duration": "7200", "uuid": "a7cb0e57-83f4-4c10-9f5f-6c54877b685e", "version": "20240702" }, "inject_flow": [ { "description": "event-creation", "inject_uuid": "84eb5c84-e05c-4d14-9a4c-4ef14430a242", "reporting_callback": [], "requirements": {}, "sequence": { "completion_trigger": [ "time_expiration", "completion" ], "followed_by": [ ], "trigger": [ "startex" ] }, "timing": { "triggered_at": null } }, { "description": "phishing-sms", "inject_uuid": "104377cb-cb45-4f6e-affb-2bc1350a4212", "reporting_callback": [], "requirements": { "inject_uuid": "84eb5c84-e05c-4d14-9a4c-4ef14430a242" }, "sequence": { "completion_trigger": [ "time_expiration", "completion" ], "followed_by": [ ], "trigger": [ ] }, "timing": { "triggered_at": null } }, { "description": "phone-number", "inject_uuid": "5a449087-ff74-4dea-9d97-d09dd2abe0b8", "reporting_callback": [], "requirements": { "inject_uuid": "104377cb-cb45-4f6e-affb-2bc1350a4212" }, "sequence": { "completion_trigger": [ "time_expiration", "completion" ], "followed_by": [ ], "trigger": [ ] }, "timing": { "triggered_at": null } }, { "description": "phishing-url&IP", "inject_uuid": "1729e6f9-b899-47b4-b3e8-c3e02f2a2ff8", "reporting_callback": [], "requirements": { "inject_uuid": "5a449087-ff74-4dea-9d97-d09dd2abe0b8" }, "sequence": { "completion_trigger": [ "time_expiration", "completion" ], "followed_by": [ ], "trigger": [ ] }, "timing": { "triggered_at": null } }, { "description": "apk", "inject_uuid": "a4ba921e-744f-4f58-9958-a7d59ff5ff62", "reporting_callback": [], "requirements": { "inject_uuid": "1729e6f9-b899-47b4-b3e8-c3e02f2a2ff8" }, "sequence": { "completion_trigger": [ "time_expiration", "completion" ], "followed_by": [ ], "trigger": [ ] }, "timing": { "triggered_at": null } }, { "description": "CVE", "inject_uuid": "9dc28a53-9011-4cb0-b9df-bff3fe095de1", "reporting_callback": [], "requirements": { "inject_uuid": "a4ba921e-744f-4f58-9958-a7d59ff5ff62" }, "sequence": { "completion_trigger": [ "time_expiration", "completion" ], "followed_by": [ ], "trigger": [ ] }, "timing": { "triggered_at": null } }, { "description": "c2", "inject_uuid": "f995b04d-4648-41b6-893b-19eeebd365ef", "reporting_callback": [], "requirements": { "inject_uuid": "9dc28a53-9011-4cb0-b9df-bff3fe095de1" }, "sequence": { "completion_trigger": [ "time_expiration", "completion" ], "followed_by": [ ], "trigger": [ ] }, "timing": { "triggered_at": null } }, { "description": "yara", "inject_uuid": "2d9a7cf7-25d2-4224-9f61-6aba91adfa78", "reporting_callback": [], "requirements": { "inject_uuid": "f995b04d-4648-41b6-893b-19eeebd365ef" }, "sequence": { "completion_trigger": [ "time_expiration", "completion" ], "followed_by": [ ], "trigger": [ ] }, "timing": { "triggered_at": null } }, { "description": "Contextualization", "inject_uuid": "05b3e7aa-b761-4f65-92e9-eed84e48a6a4", "reporting_callback": [], "requirements": { "inject_uuid": "2d9a7cf7-25d2-4224-9f61-6aba91adfa78" }, "sequence": { "completion_trigger": [ "time_expiration", "completion" ], "followed_by": [ ], "trigger": [ ] }, "timing": { "triggered_at": null } }, { "description": "Published", "inject_uuid": "49df070b-f6fc-47c3-bf43-92454f1582d5", "reporting_callback": [], "requirements": { "inject_uuid": "05b3e7aa-b761-4f65-92e9-eed84e48a6a4" }, "sequence": { "completion_trigger": [ "time_expiration", "completion" ], "followed_by": [ ], "trigger": [ ] }, "timing": { "triggered_at": null } } ], "inject_payloads": [ ], "injects": [ { "action": "event-creation", "inject_evaluation": [ { "parameters": [ { ".Event.info": { "comparison": "contains", "values": [ "flubot" ] } } ], "result": "MISP Event created", "evaluation_strategy": "data_filtering", "evaluation_context": { }, "score_range": [ 0, 10 ] } ], "name": "Event Creation", "target_tool": "MISP", "uuid": "84eb5c84-e05c-4d14-9a4c-4ef14430a242" }, { "action": "phishing-sms", "inject_evaluation": [ { "parameters": [ { ".Event.info": { "comparison": "contains", "values": [ "flubot" ] } }, { ".Event.Object[] | select((.name == \"instant-message\")).Attribute[] | select((.type == \"text\")).value": { "extract_type": "all", "comparison": "contains-regex", "values": [ "Missed Call: You have a missed call\\..*" ] } } ], "result": "SMS added", "evaluation_strategy": "data_filtering", "evaluation_context": { }, "score_range": [ 0, 20 ] } ], "name": "Phishing SMS", "target_tool": "MISP", "uuid": "104377cb-cb45-4f6e-affb-2bc1350a4212" }, { "action": "phone-number", "inject_evaluation": [ { "parameters": [ { ".Event.info": { "comparison": "contains", "values": [ "flubot" ] } }, { "[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"phone-number\")).value": { "extract_type": "all", "comparison": "contains-regex", "values": [ "\\+?352131575" ] } } ], "result": "Phone Number added", "evaluation_strategy": "data_filtering", "evaluation_context": { }, "score_range": [ 0, 20 ] } ], "name": "Phone Number", "target_tool": "MISP", "uuid": "5a449087-ff74-4dea-9d97-d09dd2abe0b8" }, { "action": "url", "inject_evaluation": [ { "parameters": [ { ".Event.info": { "comparison": "contains", "values": [ "flubot" ] } }, { ".Event.Object[].Attribute[] | select((.type == \"url\")).value": { "extract_type": "all", "comparison": "equals", "values": [ "https://evilprovider.com/r.php?e1525c0f" ] } }, { ".Event.Object[].Attribute[] | select(.object_relation == \"query_string\").value": { "extract_type": "all", "comparison": "equals", "values": [ ".?e1525c0f" ] } } ], "result": "Download URL added", "evaluation_strategy": "data_filtering", "evaluation_context": { }, "score_range": [ 0, 20 ] } ], "name": "Download URL & IP", "target_tool": "MISP", "uuid": "1729e6f9-b899-47b4-b3e8-c3e02f2a2ff8" }, { "action": "apk", "inject_evaluation": [ { "parameters": [ { ".Event.info": { "comparison": "contains", "values": [ "flubot" ] } }, { ".Event.Object[].Attribute[] | select((.type == \"filename\")).value": { "extract_type": "all", "comparison": "equals", "values": [ "sample.apk" ] } } ], "result": "APK added", "evaluation_strategy": "data_filtering", "evaluation_context": { }, "score_range": [ 0, 20 ] } ], "name": "Malicious APK", "target_tool": "MISP", "uuid": "a4ba921e-744f-4f58-9958-a7d59ff5ff62" }, { "action": "cve", "inject_evaluation": [ { "parameters": [ { ".Event.info": { "comparison": "contains", "values": [ "flubot" ] } }, { "[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"vulnerability\")).value": { "extract_type": "all", "comparison": "equals", "values": [ "CVE-2022-27835" ] } } ], "result": "CVE added", "evaluation_strategy": "data_filtering", "evaluation_context": { }, "score_range": [ 0, 20 ] } ], "name": "CVE", "target_tool": "MISP", "uuid": "9dc28a53-9011-4cb0-b9df-bff3fe095de1" }, { "action": "c2", "inject_evaluation": [ { "parameters": [ { ".Event.info": { "comparison": "contains", "values": [ "flubot" ] } }, { ".Event.Object[] | select((.name == \"url\")).Attribute[] | select((.type == \"url\")).value": { "extract_type": "all", "comparison": "equals", "values": [ "https://another.evil.provider.com:42666/c.php?e1525c0f" ] } }, { ".Event.Object[] | select((.name == \"url\")).Attribute[] | select((.type == \"domain\") or (.type == \"hostname\")).value": { "extract_type": "all", "comparison": "equals", "values": [ "another.evil.provider.com" ] } }, { ".Event.Object[] | select((.name == \"url\")).Attribute[] | select((.object_relation == \"ip\")).value": { "extract_type": "all", "comparison": "equals", "values": [ "226.140.183.77" ] } } ], "result": "C2 added", "evaluation_strategy": "data_filtering", "evaluation_context": { }, "score_range": [ 0, 20 ] } ], "name": "C2 Server", "target_tool": "MISP", "uuid": "f995b04d-4648-41b6-893b-19eeebd365ef" }, { "action": "yara", "inject_evaluation": [ { "parameters": [ { ".Event.info": { "comparison": "contains", "values": [ "flubot" ] } }, { "[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"yara\")).value": { "extract_type": "all", "comparison": "contains-regex", "values": [ "rule android_flubot \\{.*" ] } } ], "result": "Yara rule added", "evaluation_strategy": "data_filtering", "evaluation_context": { }, "score_range": [ 0, 20 ] } ], "name": "Yara Rule", "target_tool": "MISP", "uuid": "2d9a7cf7-25d2-4224-9f61-6aba91adfa78" }, { "action": "context", "inject_evaluation": [ { "parameters": [ { ".Event.info": { "comparison": "contains", "values": [ "flubot" ] } }, { ".Event.Tag | select(length > 0) | .[].name": { "extract_type": "all", "comparison": "count", "values": [ ">=3" ] } } ], "result": "Context added", "evaluation_strategy": "data_filtering", "evaluation_context": { }, "score_range": [ 0, 20 ] } ], "name": "Contextualization", "target_tool": "MISP", "uuid": "05b3e7aa-b761-4f65-92e9-eed84e48a6a4" }, { "action": "published", "inject_evaluation": [ { "parameters": [ { ".Event.info": { "comparison": "contains", "values": [ "flubot" ] } }, { ".Event.published": { "comparison": "equals", "values": [ "1" ] } } ], "result": "Event published", "evaluation_strategy": "data_filtering", "evaluation_context": { }, "score_range": [ 0, 20 ] } ], "name": "Published", "target_tool": "MISP", "uuid": "49df070b-f6fc-47c3-bf43-92454f1582d5" } ] }