{
"type": "bundle",
"id": "bundle--5878acc1-7fdc-4ec3-9e09-47d4950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-13T10:38:43.000Z",
"modified": "2017-01-13T10:38:43.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5878acc1-7fdc-4ec3-9e09-47d4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-13T10:38:43.000Z",
"modified": "2017-01-13T10:38:43.000Z",
"name": "OSINT - Targeted Threat Leads to Keylogger via Fake Silverlight Update",
"published": "2017-01-13T11:09:06Z",
"object_refs": [
"x-misp-attribute--5878acd3-6ea0-4be2-bd6b-4f98950d210f",
"observed-data--5878ace2-c9f4-4ce1-8144-4205950d210f",
"url--5878ace2-c9f4-4ce1-8144-4205950d210f",
"indicator--5878ad20-f5ac-4cf2-86b5-4789950d210f",
"indicator--5878ad21-0fac-4ec7-b459-498f950d210f",
"indicator--5878ad21-e778-422e-8df3-4c26950d210f",
"indicator--5878ae34-0a14-4916-9491-4ba202de0b81",
"indicator--5878ae34-07f4-4f6e-a97a-49ca02de0b81",
"observed-data--5878ae35-6f78-4c76-a330-4b8c02de0b81",
"url--5878ae35-6f78-4c76-a330-4b8c02de0b81",
"indicator--5878ae36-ca8c-4616-95f6-4a9202de0b81",
"indicator--5878ae36-59a4-46f6-afa2-4ddc02de0b81",
"observed-data--5878ae37-b5c8-419d-80fc-4da102de0b81",
"url--5878ae37-b5c8-419d-80fc-4da102de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5878acd3-6ea0-4be2-bd6b-4f98950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-13T10:32:51.000Z",
"modified": "2017-01-13T10:32:51.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Proofpoint researchers recently discovered a small email-based campaign attacking a major financial services provider. This attack was notable for a few reasons:\r\n\r\nThe attack was very narrow in scope - a small number of malicious emails appear to have been sent to users in a single organization\r\nThe emails included a Microsoft Word attachment that used an embedded object rather than macros to avoid detection; the embedded object was also highly obfuscated\r\nThe payload was an unidentified keylogger hardcoded to send logs from infected computers to two Gmail addresses.\r\nWhile the use of embedded objects instead of macros is not new, malicious macros remain the vector of choice for most threat actors at this time. However, we expect that this technique will become more popular in 2017."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5878ace2-c9f4-4ce1-8144-4205950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-13T10:33:06.000Z",
"modified": "2017-01-13T10:33:06.000Z",
"first_observed": "2017-01-13T10:33:06Z",
"last_observed": "2017-01-13T10:33:06Z",
"number_observed": 1,
"object_refs": [
"url--5878ace2-c9f4-4ce1-8144-4205950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5878ace2-c9f4-4ce1-8144-4205950d210f",
"value": "https://www.proofpoint.com/us/threat-insight/post/targeted-threat-leads-to-keylogger-via-fake-silverlight-update"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5878ad20-f5ac-4cf2-86b5-4789950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-13T10:34:08.000Z",
"modified": "2017-01-13T10:34:08.000Z",
"description": "Attachment",
"pattern": "[file:hashes.SHA256 = '8b7845f5487847085753f940dbbd65c7e75e6be48918fcf9f0d98df169607003']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-13T10:34:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5878ad21-0fac-4ec7-b459-498f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-13T10:34:09.000Z",
"modified": "2017-01-13T10:34:09.000Z",
"description": "Hosted keylogger (since removed)",
"pattern": "[url:value = 'https://a.pomf.cat/sfkpiff.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-13T10:34:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5878ad21-e778-422e-8df3-4c26950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-13T10:34:09.000Z",
"modified": "2017-01-13T10:34:09.000Z",
"description": "Keylogger",
"pattern": "[file:hashes.SHA256 = '9a0b0832ac47b48475901269a0eb67f6287a2da64ec9a5cc8faf351ecd91d0e3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-13T10:34:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5878ae34-0a14-4916-9491-4ba202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-13T10:38:44.000Z",
"modified": "2017-01-13T10:38:44.000Z",
"description": "Attachment - Xchecked via VT: 8b7845f5487847085753f940dbbd65c7e75e6be48918fcf9f0d98df169607003",
"pattern": "[file:hashes.SHA1 = '22a88634423a79c649babda7391a500edd9b4ffb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-13T10:38:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5878ae34-07f4-4f6e-a97a-49ca02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-13T10:38:44.000Z",
"modified": "2017-01-13T10:38:44.000Z",
"description": "Attachment - Xchecked via VT: 8b7845f5487847085753f940dbbd65c7e75e6be48918fcf9f0d98df169607003",
"pattern": "[file:hashes.MD5 = '42f587b277f02445b526e3887893c2c5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-13T10:38:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5878ae35-6f78-4c76-a330-4b8c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-13T10:38:45.000Z",
"modified": "2017-01-13T10:38:45.000Z",
"first_observed": "2017-01-13T10:38:45Z",
"last_observed": "2017-01-13T10:38:45Z",
"number_observed": 1,
"object_refs": [
"url--5878ae35-6f78-4c76-a330-4b8c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5878ae35-6f78-4c76-a330-4b8c02de0b81",
"value": "https://www.virustotal.com/file/8b7845f5487847085753f940dbbd65c7e75e6be48918fcf9f0d98df169607003/analysis/1483629467/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5878ae36-ca8c-4616-95f6-4a9202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-13T10:38:46.000Z",
"modified": "2017-01-13T10:38:46.000Z",
"description": "Keylogger - Xchecked via VT: 9a0b0832ac47b48475901269a0eb67f6287a2da64ec9a5cc8faf351ecd91d0e3",
"pattern": "[file:hashes.SHA1 = '74b120c7e54f635b85e01ed744ef87d018e316f6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-13T10:38:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5878ae36-59a4-46f6-afa2-4ddc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-13T10:38:46.000Z",
"modified": "2017-01-13T10:38:46.000Z",
"description": "Keylogger - Xchecked via VT: 9a0b0832ac47b48475901269a0eb67f6287a2da64ec9a5cc8faf351ecd91d0e3",
"pattern": "[file:hashes.MD5 = 'f7b81cff17ea72ccc0031669d7575493']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-13T10:38:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5878ae37-b5c8-419d-80fc-4da102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-13T10:38:47.000Z",
"modified": "2017-01-13T10:38:47.000Z",
"first_observed": "2017-01-13T10:38:47Z",
"last_observed": "2017-01-13T10:38:47Z",
"number_observed": 1,
"object_refs": [
"url--5878ae37-b5c8-419d-80fc-4da102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5878ae37-b5c8-419d-80fc-4da102de0b81",
"value": "https://www.virustotal.com/file/9a0b0832ac47b48475901269a0eb67f6287a2da64ec9a5cc8faf351ecd91d0e3/analysis/1483629543/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}