193 lines
8.5 KiB
JSON
193 lines
8.5 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--5899bcd7-5984-4988-b60f-41f5950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T13:11:36.000Z",
|
||
|
"modified": "2017-02-07T13:11:36.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "grouping",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "grouping--5899bcd7-5984-4988-b60f-41f5950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T13:11:36.000Z",
|
||
|
"modified": "2017-02-07T13:11:36.000Z",
|
||
|
"name": "OSINT - Zeus Panda Webinjects: a case study",
|
||
|
"context": "suspicious-activity",
|
||
|
"object_refs": [
|
||
|
"observed-data--5899bd13-beac-459f-9513-44b9950d210f",
|
||
|
"url--5899bd13-beac-459f-9513-44b9950d210f",
|
||
|
"x-misp-attribute--5899bd70-2dac-4769-acbb-4e1b950d210f",
|
||
|
"indicator--5899bda0-a19c-4403-b93c-4c30950d210f",
|
||
|
"indicator--5899be2c-4ba0-4b96-a301-432f950d210f",
|
||
|
"indicator--5899be2d-9670-4775-a39f-4282950d210f",
|
||
|
"indicator--5899be4b-a1f4-4496-9720-41ee950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"misp-galaxy:tool=\"Zeus\"",
|
||
|
"circl:topic=\"finance\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5899bd13-beac-459f-9513-44b9950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T12:39:00.000Z",
|
||
|
"modified": "2017-02-07T12:39:00.000Z",
|
||
|
"first_observed": "2017-02-07T12:39:00Z",
|
||
|
"last_observed": "2017-02-07T12:39:00Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5899bd13-beac-459f-9513-44b9950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\"",
|
||
|
"admiralty-scale:source-reliability=\"b\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5899bd13-beac-459f-9513-44b9950d210f",
|
||
|
"value": "https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5899bd70-2dac-4769-acbb-4e1b950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T12:39:00.000Z",
|
||
|
"modified": "2017-02-07T12:39:00.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "Our mothership G DATA runs extensive automated sample processing infrastructure as part of providing up to date protection to their AV customers. At G DATA Advanced Analytics, we have integrated these processes within our own routines in order to maintain the fraud detection solutions we provide to our customers from the financial sector.\r\n\r\nWe have been observing an increase in Zeus Panda infections recently. When we decrypted the config files from samples of Zeus Panda Banking Trojans that went through our processing this week, we decided to have a closer look at the current features. The low level functionality of the Zeus Panda Banking Trojan is already known quite well, so we focus our analysis on the webinjects. These webinjects are used to manipulate the functionality of the target online banking websites on the client. The one we found here was pretty interesting."
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5899bda0-a19c-4403-b93c-4c30950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T12:39:00.000Z",
|
||
|
"modified": "2017-02-07T12:39:00.000Z",
|
||
|
"description": "1st Stage - Loader",
|
||
|
"pattern": "[file:hashes.SHA256 = 'd8444c2c23e7469a518b303763edfe5fd38f9ffd11d42bfdba2663b9caf3de06']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-07T12:39:00Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"diamond-model:Capability"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5899be2c-4ba0-4b96-a301-432f950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T12:39:00.000Z",
|
||
|
"modified": "2017-02-07T12:39:00.000Z",
|
||
|
"description": "1st stage initial webinject - Loader",
|
||
|
"pattern": "[file:name = '_brows.botid']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-07T12:39:00Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5899be2d-9670-4775-a39f-4282950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T12:39:00.000Z",
|
||
|
"modified": "2017-02-07T12:39:00.000Z",
|
||
|
"description": "1st stage initial webinject - Loader",
|
||
|
"pattern": "[file:name = '_brows.inject']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-07T12:39:00Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5899be4b-a1f4-4496-9720-41ee950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-07T12:39:00.000Z",
|
||
|
"modified": "2017-02-07T12:39:00.000Z",
|
||
|
"description": "2nd stage Exfiltration",
|
||
|
"pattern": "[file:hashes.SHA256 = 'a99e2d6ec2a1c5b5e59c544302aa61266bb0b7d0d76f4ebed17a3906f94c2794']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-07T12:39:00Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"diamond-model:Capability"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|