{
"type": "bundle",
"id": "bundle--58161e18-c578-479e-add4-408002de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-30T16:29:07.000Z",
"modified": "2016-10-30T16:29:07.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--58161e18-c578-479e-add4-408002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-30T16:29:07.000Z",
"modified": "2016-10-30T16:29:07.000Z",
"name": "OSINT - CloudFanta Malware Campaign Technical Analysis",
"context": "suspicious-activity",
"object_refs": [
"observed-data--58161ede-e344-41de-b9d2-42ae02de0b81",
"url--58161ede-e344-41de-b9d2-42ae02de0b81",
"x-misp-attribute--58161ef2-c9a8-4b13-8b3a-418c02de0b81",
"indicator--58161f12-58bc-4cfc-ac0d-4fe402de0b81",
"indicator--58161fc5-caa8-4cca-b4ec-4b6a02de0b81",
"indicator--58161fd3-0a2c-4da3-a026-4a1c02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58161ede-e344-41de-b9d2-42ae02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-30T16:25:02.000Z",
"modified": "2016-10-30T16:25:02.000Z",
"first_observed": "2016-10-30T16:25:02Z",
"last_observed": "2016-10-30T16:25:02Z",
"number_observed": 1,
"object_refs": [
"url--58161ede-e344-41de-b9d2-42ae02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58161ede-e344-41de-b9d2-42ae02de0b81",
"value": "https://resources.netskope.com/h/i/297473838-cloudfanta-malware-campaign-technical-analysis"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58161ef2-c9a8-4b13-8b3a-418c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-30T16:25:22.000Z",
"modified": "2016-10-30T16:25:22.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "We recently published an overview blog about the CloudFanta malware campaign that uses the Sugarsync cloud storage app to deliver malware capable of stealing user credentials and monitoring online banking activities. This blog will detail the technical aspects of CloudFanta.\r\n\r\nAlthough CloudSquirrel and CloudFanta malware are not similar, we believe that both malware campaigns are deployed by the same actor based on the following similarities."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58161f12-58bc-4cfc-ac0d-4fe402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-30T16:25:54.000Z",
"modified": "2016-10-30T16:25:54.000Z",
"description": "The Sugarsync URL we observed delivering CloudFanta malware was at",
"pattern": "[url:value = 'https://www.sugarsync.com/pf/D3202366_07280196_66523?directDownload=true']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-30T16:25:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58161fc5-caa8-4cca-b4ec-4b6a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-30T16:28:53.000Z",
"modified": "2016-10-30T16:28:53.000Z",
"pattern": "[url:value = 'http://192.95.39.246/xx/config/msg.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-30T16:28:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58161fd3-0a2c-4da3-a026-4a1c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-30T16:29:07.000Z",
"modified": "2016-10-30T16:29:07.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.95.39.246']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-30T16:29:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}