adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/5a9922cb-9c5c-4979-a78c-4fee950d210f.json

369 lines
70 KiB
JSON
Raw Normal View History

chg: [feed] added
2023-04-21 13:25:09 +00:00
{
"Event": {
"analysis": "0",
"date": "2018-03-02",
"extends_uuid": "",
"info": "SMS/iMessage phishes forcing users to install/run scripts and update VPN settings",
"publish_timestamp": "1519987698",
"published": true,
"threat_level_id": "3",
"timestamp": "1519987573",
"uuid": "5a9922cb-9c5c-4979-a78c-4fee950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#086200",
"name": "admiralty-scale:source-reliability=\"c\""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1519986221",
"to_ids": true,
"type": "ip-dst",
"uuid": "5a9922e9-c640-42d2-8428-4808950d210f",
"value": "172.96.173.150"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1519986221",
"to_ids": true,
"type": "domain",
"uuid": "5a99230c-d524-44ac-a40a-c8e0950d210f",
"value": "corp-vpn.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1519986221",
"to_ids": true,
"type": "domain",
"uuid": "5a992340-a754-4006-9526-4892950d210f",
"value": "sso-vpn.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1519986222",
"to_ids": true,
"type": "domain",
"uuid": "5a992341-2d9c-4ece-a508-418e950d210f",
"value": "up-sso.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1519986223",
"to_ids": true,
"type": "domain",
"uuid": "5a992341-8798-47cf-ad4e-490f950d210f",
"value": "up-vpn.com"
},
{
"category": "Payload delivery",
"comment": "Phishing used against Apple employees + others, this would be dropped by script that they are attempting to get piped to bash via a SMS/iMessage request. This is just a simple pyinstaller wrapped pupy script which beacons back to tipok.gotdns.ch",
"deleted": false,
"disable_correlation": false,
"timestamp": "1519985514",
"to_ids": true,
"type": "sha256",
"uuid": "5a99236a-56b4-4f76-8928-4d41950d210f",
"value": "2ff6b78a4c2b239b2502d4eb7907906ae68275dbb92d3773fa083fb2fbc09a76"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1519986223",
"to_ids": false,
"type": "link",
"uuid": "5a99237b-5c80-4ba0-92df-47b0950d210f",
"value": "https://virustotal.com/en/file/2ff6b78a4c2b239b2502d4eb7907906ae68275dbb92d3773fa083fb2fbc09a76/analysis/1519948184/"
},
{
"category": "Payload delivery",
"comment": "Phishing used against Apple employees + others, this would be dropped by script that they are attempting to get piped to bash via a SMS/iMessage request. This is just a simple pyinstaller wrapped pupy script which beacons back to tatiano96.zapto.org",
"deleted": false,
"disable_correlation": false,
"timestamp": "1519985899",
"to_ids": true,
"type": "sha256",
"uuid": "5a9924eb-e468-417f-a0e9-4bce950d210f",
"value": "1bccbc10642a31b871f5503a52ec5c89598976e6aea0874ed2e396394d8dca00"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1519986224",
"to_ids": false,
"type": "link",
"uuid": "5a99258c-a394-4f4b-915a-4a6b950d210f",
"value": "https://twitter.com/timstrazz/status/969360276423311360"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1519987570",
"to_ids": false,
"type": "link",
"uuid": "5a992b72-c434-48f1-af1b-43e7950d210f",
"value": "https://twitter.com/dyngnosis/status/969397210860478464"
},
{
"category": "External analysis",
"comment": "from: https://twitter.com/dyngnosis/status/969397210860478464",
"data": "/9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAUDBAQEAwUEBAQFBQUGBwwIBwcHBw8LCwkMEQ8SEhEPERETFhwXExQaFRERGCEYGh0dHx8fExciJCIeJBweHx7/2wBDAQUFBQcGBw4ICA4eFBEUHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh7/wgARCAKrBLADASIAAhEBAxEB/8QAHAABAAIDAQEBAAAAAAAAAAAAAAMEAQIFBgcI/8QAGgEBAAMBAQEAAAAAAAAAAAAAAAECAwQFBv/aAAwDAQACEAMQAAAB+ygAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAg1sgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADHBqYtzWe/5PeY9YKdQAAAAAAAAAAAAAAADjwUbc9ntebgmntWM06wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPH26rTh2nqdmLdgU7AAAAAAAAAAAAAAAAPL17EOnDtLV6Ce9uZ9gJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOWOo51M6vAtzTnzvTc7RPVc3aL9Bw+gXAAAAAAAAAAAAACuWHMydDzsl6acrvQ5ReU68adRy7pOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADlUPSDgc72A83c7A87L3R5u91hxt+sAAAAAAAAAAAAAHJ6w4MHpR5Do94cDPeHBk7Q8z35wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA03jJAAAAAAAAAAAAGNCRFkkRgkEaQa7AMGkmm4xkRpBGkGm+NCRHglRZJGm4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAjkjJAAAAAAAGmCREJdddjRKIsyDTcAAAAAEckZIAAAAAABHII0gjSCORGSIxIjEiOQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVbQhmAAABrtEZSCLMgxkAAAAAAAAAAFC+MZAAAAAAAAAAAABHII0gjSYK1qOQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAo+W83zOrD1nt/jvrYfQBzbgAIpYiUAAAAAAAAAAAApop+V87yuzD6L7H5R6fK/sxhqAAAAAAAAAAAAA5nQ+SaU9Dt4PpdOP16fw3ueTcK2AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/P9j23A7+Tk97n/QKz6kcXUAAiliJQAAAAAAAAAAAOB38THwap6ax38lPueY+vZadAcnQAAAAAAAAAAAABV+E/oD5f0Y+Q6HU5nRj3/p/D7nH0hncAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAp8Y9LzqtQ7Vzj1Zj0Ty3dibgAEUsRKAAAAAAAAAAAamzzsR6fj61Eegl89Odp5q0ntgAAAAAAAAAAAFGF55qaVq5wb0x2XnIon1CKUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA153R2NKXQEMFzJBJvqbAARSxEoAAAAAAAAAAAKS6IqfREOlkVZZMgAAAAAAAAAABrqSQ77lCexgqb2RTlmyYziMlAAAAAAAAAAAAAAAAAAAAAAAAAISZUwXFbUtquSyoTFlXFhFoWFWA6OlXclzWkLKsLKGuWpIJwCNJgyi2N4lQ6CpsWVPcsooC4qi0qTEqvqWlGQtKwsoqxeVsFpStG+EZiYAAIpURKpblpS0Ogpal9S2LahuXFGcl1pzEyHQsohKgkN1aUm2hmBCZkyANG+ptUnjJJKkR0FKQsqkpMrbkytGXWsBZUty0qbFlQmLKvgsqsZeAAAAAAAAAAAAAAAAAAARDbXfYjkAAAACOTGpuABjIi1nhJkW5sAAAAAYMtMEiMSIxJiOMkljyMb5I2sROiEsedSTNfJazVkJlecyq5LKtqW0GhaVxYU5CwhmAAGMamJQAAAxHKCGY10lGMx4JQAAAAAAAAAAAAAAAAAAAAAAAAAQ7VroAAAAAAAhmpF0AACOSMk12EM1K6ANdqpLnO5GkEedwAAxnBDPTuAAGGRhkYxsI0lEusjGQ1zkYxsMY2GGRrnIAAab1SaTXYAAAAAQT0y4ACFuId9skedskEmdiPWbBrpNg3gsRmuJBFtnYgk2yaaTamNZcEgAAAAAAAAAAAACDy1q+wfGveXr6kZaAAAAAAFO5WQtAACOSMkANIbq1mJC0AAAAAFLydq+5fGvpl69kZaAAAAAEcdZsC0AAAAAAAHC8tpT6M+W/Q4XxS4AAAABirWbYtAAAAAAAAAAAAAAAAAAAAAAAAAHhPB+w8h3csHofK+kvX6b1eL2uDqCtgAAAAOb5rt+M8P0fTdHh9XWnfHr8ICOSMkAIInyE3Gs/N+t3PSeS9b7HAHbzgAAAfLfMdvj+hya+g8t3kfXpYZvP6wSAAAA8P6/575Pb3LnE6WGvrB7vmgAAAAI5Ij4zx97HpcV31Hj/AEud/pw4eoAAAAB4313z3zOzqXOH0ePo9iPf8sAAAAAAAAAAAAAAAAAAAAAAACp8u+uNKfK+h9DzaAx0AAAAGDLXYgS7UmjewlkxaMgRyRkgDGSrHc2ztFLjN6mEsgAAA5Hzj680p8n9N7HMwGWgAAABrkzUt4rNK1JrE7Gt67AAAAAA8b5j6zjXP5D9L6iJDO4AAABgZrWdazTsTIkwvXLGQAAAAAAAAAAAAAAAAAAB5D18Z47Hth4e56wjxkfr7ET43f16XkNPZDysnpsHl4/VYPJ9Hvjxt70gAeP9gh4v0nQS8pL6YeXj9YhyPLfQEuN2QRyRknE7aHzvu+nS8F6PtDxtv048j2+mAOBzfYxQ8Xv7PeXlYvXjxmfZDgc32I8ra7kkPF9H0G8vJR+xADGR5THrB4/X2Q5HI9chxuB7hLynqwA53nfZxniXuh5/ie7jPIRe0kPI49ePE2vWDzFT2UcPPVvXJeeo+vHj+/0QB5jme6Hm+R7scbk+vHjJvWoed9ESAAAAAAAAAAIdCypSFlWFlXjLitksKc5KgiLirksoIi4g1LKvgs4qzkgAAAGiuWwAAAAAAAAI5IyQAAAAAAAGM1cllTkLCsLKOsWZOZeJVaQlQRltU2LKvGXEGhaQxlpUtGQAAANdoyQAAAEclG8AAAAAAAAAAAAAAAAAAYZGMhjGwwyMMjGQwyMZBjIxkNc5GNdxjMUoAABHJFKAAAAAAAAAI5IyQAAAAAAAEMukhjIANdojbcBqZZGM4GcAZwZwDLBljIYGWBlgZik1N2MgAA1NJddgAAAAAAAAAAAAAAAAAAAAAAAAAAAAACORESgAa7RG+wAAAAAAAAAI5IyQAAAAAAAGm2YyQACKTQkBrVuCti0Km9gV8WRX1tCttOIobYq5sirmyK+lsVs2BWlkEUse5kACOSIlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAilplxHIAI5IyQAAAAAAAAACOSgXwAAAAAAAI5OedAAEckcgAAAAAAAAAAAAAil550AARyRyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwZAAAAAAAAAAAMGXmPP6U+juV1aWCJAAAAAAAMZAAAAAAAAAAAAAAAADGYBIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB5v0nzr
"deleted": false,
"disable_correlation": false,
"timestamp": "1519987611",
"to_ids": false,
"type": "attachment",
"uuid": "5a992b9b-a540-4a1e-8fd0-44a0950d210f",
"value": "DXP9dttU0AAGavM.jpg"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "7",
"timestamp": "1519986227",
"uuid": "0601169d-401d-466b-99e5-ab32aca720c0",
"ObjectReference": [
{
"comment": "",
"object_uuid": "0601169d-401d-466b-99e5-ab32aca720c0",
"referenced_uuid": "37a03acb-9238-44c5-8f31-2ae308034e7b",
"relationship_type": "analysed-with",
"timestamp": "1519986229",
"uuid": "5a992635-6f58-42cc-b086-403c02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Phishing used against Apple employees + others, this would be dropped by script that they are attempting to get piped to bash via a SMS/iMessage request. This is just a simple pyinstaller wrapped pupy script which beacons back to tipok.gotdns.ch",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1519986225",
"to_ids": true,
"type": "sha1",
"uuid": "5a992631-1a84-4d1c-9ea0-4fe902de0b81",
"value": "5e8784026c3fd64c932e53622d0454c33038976e"
},
{
"category": "Payload delivery",
"comment": "Phishing used against Apple employees + others, this would be dropped by script that they are attempting to get piped to bash via a SMS/iMessage request. This is just a simple pyinstaller wrapped pupy script which beacons back to tipok.gotdns.ch",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1519986225",
"to_ids": true,
"type": "sha256",
"uuid": "5a992631-8b38-44fd-ac48-448102de0b81",
"value": "2ff6b78a4c2b239b2502d4eb7907906ae68275dbb92d3773fa083fb2fbc09a76"
},
{
"category": "Payload delivery",
"comment": "Phishing used against Apple employees + others, this would be dropped by script that they are attempting to get piped to bash via a SMS/iMessage request. This is just a simple pyinstaller wrapped pupy script which beacons back to tipok.gotdns.ch",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1519986226",
"to_ids": true,
"type": "md5",
"uuid": "5a992632-03ac-46a4-931a-459602de0b81",
"value": "b97847bcc1a27107888475fd6baeb2d9"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "1",
"timestamp": "1519986226",
"uuid": "37a03acb-9238-44c5-8f31-2ae308034e7b",
"Attribute": [
{
"category": "External analysis",
"comment": "Phishing used against Apple employees + others, this would be dropped by script that they are attempting to get piped to bash via a SMS/iMessage request. This is just a simple pyinstaller wrapped pupy script which beacons back to tipok.gotdns.ch",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1519986226",
"to_ids": false,
"type": "link",
"uuid": "5a992632-874c-409b-a280-437e02de0b81",
"value": "https://www.virustotal.com/file/2ff6b78a4c2b239b2502d4eb7907906ae68275dbb92d3773fa083fb2fbc09a76/analysis/1519981318/"
},
{
"category": "Other",
"comment": "Phishing used against Apple employees + others, this would be dropped by script that they are attempting to get piped to bash via a SMS/iMessage request. This is just a simple pyinstaller wrapped pupy script which beacons back to tipok.gotdns.ch",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1519986227",
"to_ids": false,
"type": "text",
"uuid": "5a992633-db0c-4e94-bdf4-4bec02de0b81",
"value": "1/60"
},
{
"category": "Other",
"comment": "Phishing used against Apple employees + others, this would be dropped by script that they are attempting to get piped to bash via a SMS/iMessage request. This is just a simple pyinstaller wrapped pupy script which beacons back to tipok.gotdns.ch",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1519986227",
"to_ids": false,
"type": "datetime",
"uuid": "5a992633-896c-4657-8f26-471002de0b81",
"value": "2018-03-02T09:01:58"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "7",
"timestamp": "1519986230",
"uuid": "491fb46e-2c0f-4060-a745-a5cf809be441",
"ObjectReference": [
{
"comment": "",
"object_uuid": "491fb46e-2c0f-4060-a745-a5cf809be441",
"referenced_uuid": "9aaf2bc6-ccc6-4658-9440-d6a54f790a9f",
"relationship_type": "analysed-with",
"timestamp": "1519986230",
"uuid": "5a992636-3894-4552-9ddd-467b02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Phishing used against Apple employees + others, this would be dropped by script that they are attempting to get piped to bash via a SMS/iMessage request. This is just a simple pyinstaller wrapped pupy script which beacons back to tatiano96.zapto.org",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1519986227",
"to_ids": true,
"type": "sha1",
"uuid": "5a992633-0954-4665-84d7-47dc02de0b81",
"value": "4fb8edfe9694e2cd58ffaae30777bae324ac1558"
},
{
"category": "Payload delivery",
"comment": "Phishing used against Apple employees + others, this would be dropped by script that they are attempting to get piped to bash via a SMS/iMessage request. This is just a simple pyinstaller wrapped pupy script which beacons back to tatiano96.zapto.org",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1519986228",
"to_ids": true,
"type": "sha256",
"uuid": "5a992634-52e8-4e3f-ac54-4ac202de0b81",
"value": "1bccbc10642a31b871f5503a52ec5c89598976e6aea0874ed2e396394d8dca00"
},
{
"category": "Payload delivery",
"comment": "Phishing used against Apple employees + others, this would be dropped by script that they are attempting to get piped to bash via a SMS/iMessage request. This is just a simple pyinstaller wrapped pupy script which beacons back to tatiano96.zapto.org",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1519986228",
"to_ids": true,
"type": "md5",
"uuid": "5a992634-71d4-49af-bbfe-441c02de0b81",
"value": "35fba2a83659d22eedf5926a3dc680f4"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "1",
"timestamp": "1519986228",
"uuid": "9aaf2bc6-ccc6-4658-9440-d6a54f790a9f",
"Attribute": [
{
"category": "External analysis",
"comment": "Phishing used against Apple employees + others, this would be dropped by script that they are attempting to get piped to bash via a SMS/iMessage request. This is just a simple pyinstaller wrapped pupy script which beacons back to tatiano96.zapto.org",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1519986229",
"to_ids": false,
"type": "link",
"uuid": "5a992635-6d0c-4faf-b632-449e02de0b81",
"value": "https://www.virustotal.com/file/1bccbc10642a31b871f5503a52ec5c89598976e6aea0874ed2e396394d8dca00/analysis/1519980899/"
},
{
"category": "Other",
"comment": "Phishing used against Apple employees + others, this would be dropped by script that they are attempting to get piped to bash via a SMS/iMessage request. This is just a simple pyinstaller wrapped pupy script which beacons back to tatiano96.zapto.org",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1519986229",
"to_ids": false,
"type": "text",
"uuid": "5a992635-0854-453f-a479-4c9d02de0b81",
"value": "1/60"
},
{
"category": "Other",
"comment": "Phishing used against Apple employees + others, this would be dropped by script that they are attempting to get piped to bash via a SMS/iMessage request. This is just a simple pyinstaller wrapped pupy script which beacons back to tatiano96.zapto.org",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1519986229",
"to_ids": false,
"type": "datetime",
"uuid": "5a992635-d534-48df-ba48-41c302de0b81",
"value": "2018-03-02T08:54:59"
}
]
}
]
}
}
Reference in a new issue Copy permalink