misp-circl-feed/feeds/circl/stix-2.1/588a7bc4-7a38-45c7-bc6f-215902de0b81.json

{
"type": "bundle",
"id": "bundle--588a7bc4-7a38-45c7-bc6f-215902de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T22:48:01.000Z",
"modified": "2017-01-26T22:48:01.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--588a7bc4-7a38-45c7-bc6f-215902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T22:48:01.000Z",
"modified": "2017-01-26T22:48:01.000Z",
"name": "OSINT - Dridex Banking Trojan Returns, Leverages New UAC Bypass Method",
"published": "2017-01-26T22:48:23Z",
"object_refs": [
"observed-data--588a7bda-c0c4-446c-9ca0-46b302de0b81",
"url--588a7bda-c0c4-446c-9ca0-46b302de0b81",
"x-misp-attribute--588a7bf6-0e60-40be-92e6-427902de0b81",
"indicator--588a7c19-147c-4d64-b521-fd2f02de0b81",
"indicator--588a7c1a-f620-4d23-85d5-fd2f02de0b81",
"indicator--588a7c36-e7a8-44a0-ba67-215e02de0b81",
"indicator--588a7c43-e400-455a-8933-44b402de0b81",
"indicator--588a7c55-d610-46ad-bcd7-428f02de0b81",
"indicator--588a7ca1-18d8-43db-956c-430702de0b81",
"indicator--588a7ca1-16dc-4f70-9be5-4d2402de0b81",
"observed-data--588a7ca2-86a8-4d9e-908a-4ce302de0b81",
"url--588a7ca2-86a8-4d9e-908a-4ce302de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"Dridex\"",
"circl:topic=\"finance\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588a7bda-c0c4-446c-9ca0-46b302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T22:47:46.000Z",
"modified": "2017-01-26T22:47:46.000Z",
"first_observed": "2017-01-26T22:47:46Z",
"last_observed": "2017-01-26T22:47:46Z",
"number_observed": 1,
"object_refs": [
"url--588a7bda-c0c4-446c-9ca0-46b302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--588a7bda-c0c4-446c-9ca0-46b302de0b81",
"value": "https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--588a7bf6-0e60-40be-92e6-427902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T22:45:10.000Z",
"modified": "2017-01-26T22:45:10.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "\u2022 First observed in July 2014, \u201cDridex,\u201d a financial banking Trojan, is considered the successor to the \u201cGameOver ZeuS\u201d (GoZ) malware.\r\n\r\n\u2022 Dridex was most active between 2014 and 2015, and smaller campaigns were observed throughout 2016 with its peak activity in May 2016.\r\n\r\n\u2022 On January 25, 2017, the criminal syndicate behind Dridex launched another small campaign targeting UK financial institutions.\r\n\r\n\u2022 Flashpoint identified a previously-unobserved Dridex User Account Control (UAC) bypass method characterized by its use of recdisc[.]exe, a Windows default recovery disc executable, and its loading of malicious code via impersonated SPP[.]dll.\r\n\r\n\u2022 The new Dridex infection uses svchost and spoolsrv to communicate to peers and first-layer command-and-control (C2) servers."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a7c19-147c-4d64-b521-fd2f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T22:45:45.000Z",
"modified": "2017-01-26T22:45:45.000Z",
"description": "On port 8443 - First-Layer C2:",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '179.177.114.30']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T22:45:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a7c1a-f620-4d23-85d5-fd2f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T22:45:46.000Z",
"modified": "2017-01-26T22:45:46.000Z",
"description": "On port 8443 - First-Layer C2:",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '84.234.75.108']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T22:45:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a7c36-e7a8-44a0-ba67-215e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T22:46:14.000Z",
"modified": "2017-01-26T22:46:14.000Z",
"description": "On port 8443 - First-Layer C2:",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '81.130.131.55']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T22:46:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a7c43-e400-455a-8933-44b402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T22:46:27.000Z",
"modified": "2017-01-26T22:46:27.000Z",
"description": "Payload:",
"pattern": "[url:value = 'http://1fevh.top/fiscal/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T22:46:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a7c55-d610-46ad-bcd7-428f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T22:46:45.000Z",
"modified": "2017-01-26T22:46:45.000Z",
"description": "Dridex sample",
"pattern": "[file:hashes.MD5 = '6233778c733daa00ce5b9b25aae0a3cb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T22:46:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a7ca1-18d8-43db-956c-430702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T22:48:01.000Z",
"modified": "2017-01-26T22:48:01.000Z",
"description": "Dridex sample - Xchecked via VT: 6233778c733daa00ce5b9b25aae0a3cb",
"pattern": "[file:hashes.SHA256 = '103a9e26e8d69cbbde4e871dd6cb1b0ee863a8265746aa7d77cd1106025c2d7c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T22:48:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a7ca1-16dc-4f70-9be5-4d2402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T22:48:01.000Z",
"modified": "2017-01-26T22:48:01.000Z",
"description": "Dridex sample - Xchecked via VT: 6233778c733daa00ce5b9b25aae0a3cb",
"pattern": "[file:hashes.SHA1 = '1bfd0ac86f1bf52a5e8814dafb4a9bc4d3628384']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T22:48:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588a7ca2-86a8-4d9e-908a-4ce302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T22:48:02.000Z",
"modified": "2017-01-26T22:48:02.000Z",
"first_observed": "2017-01-26T22:48:02Z",
"last_observed": "2017-01-26T22:48:02Z",
"number_observed": 1,
"object_refs": [
"url--588a7ca2-86a8-4d9e-908a-4ce302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--588a7ca2-86a8-4d9e-908a-4ce302de0b81",
"value": "https://www.virustotal.com/file/103a9e26e8d69cbbde4e871dd6cb1b0ee863a8265746aa7d77cd1106025c2d7c/analysis/1485448506/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}