misp-circl-feed/feeds/circl/misp/588a7bc4-7a38-45c7-bc6f-215902de0b81.json

{
  "Event": {
    "analysis": "0",
    "date": "2017-01-26",
    "extends_uuid": "",
    "info": "OSINT - Dridex Banking Trojan Returns, Leverages New UAC Bypass Method",
    "publish_timestamp": "1485470903",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1485470881",
    "uuid": "588a7bc4-7a38-45c7-bc6f-215902de0b81",
    "Orgc": {
      "name": "CIRCL",
      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    },
    "Tag": [
      {
        "colour": "#0da700",
        "local": "0",
        "name": "misp-galaxy:tool=\"Dridex\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": "0",
        "name": "tlp:white",
        "relationship_type": ""
      },
      {
        "colour": "#6bd600",
        "local": "0",
        "name": "circl:topic=\"finance\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1485470866",
        "to_ids": false,
        "type": "link",
        "uuid": "588a7bda-c0c4-446c-9ca0-46b302de0b81",
        "value": "https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/",
        "Tag": [
          {
            "colour": "#00223b",
            "local": "0",
            "name": "osint:source-type=\"blog-post\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1485470710",
        "to_ids": false,
        "type": "text",
        "uuid": "588a7bf6-0e60-40be-92e6-427902de0b81",
        "value": "\u00e2\u20ac\u00a2 First observed in July 2014, \u00e2\u20ac\u0153Dridex,\u00e2\u20ac\u009d a financial banking Trojan, is considered the successor to the \u00e2\u20ac\u0153GameOver ZeuS\u00e2\u20ac\u009d (GoZ) malware.\r\n\r\n\u00e2\u20ac\u00a2 Dridex was most active between 2014 and 2015, and smaller campaigns were observed throughout 2016 with its peak activity in May 2016.\r\n\r\n\u00e2\u20ac\u00a2 On January 25, 2017, the criminal syndicate behind Dridex launched another small campaign targeting UK financial institutions.\r\n\r\n\u00e2\u20ac\u00a2 Flashpoint identified a previously-unobserved Dridex User Account Control (UAC) bypass method characterized by its use of recdisc[.]exe, a Windows default recovery disc executable, and its loading of malicious code via impersonated SPP[.]dll.\r\n\r\n\u00e2\u20ac\u00a2 The new Dridex infection uses svchost and spoolsrv to communicate to peers and first-layer command-and-control (C2) servers."
      },
      {
        "category": "Network activity",
        "comment": "On port 8443 - First-Layer C2:",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1485470745",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "588a7c19-147c-4d64-b521-fd2f02de0b81",
        "value": "179.177.114.30"
      },
      {
        "category": "Network activity",
        "comment": "On port 8443 -First-Layer C2:",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1485470746",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "588a7c1a-f620-4d23-85d5-fd2f02de0b81",
        "value": "84.234.75.108"
      },
      {
        "category": "Network activity",
        "comment": "On port 8443 First-Layer C2:",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1485470774",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "588a7c36-e7a8-44a0-ba67-215e02de0b81",
        "value": "81.130.131.55"
      },
      {
        "category": "Network activity",
        "comment": "Payload:",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1485470787",
        "to_ids": true,
        "type": "url",
        "uuid": "588a7c43-e400-455a-8933-44b402de0b81",
        "value": "http://1fevh.top/fiscal/"
      },
      {
        "category": "Payload delivery",
        "comment": "Dridex sample",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1485470805",
        "to_ids": true,
        "type": "md5",
        "uuid": "588a7c55-d610-46ad-bcd7-428f02de0b81",
        "value": "6233778c733daa00ce5b9b25aae0a3cb"
      },
      {
        "category": "Payload delivery",
        "comment": "Dridex sample - Xchecked via VT: 6233778c733daa00ce5b9b25aae0a3cb",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1485470881",
        "to_ids": true,
        "type": "sha256",
        "uuid": "588a7ca1-18d8-43db-956c-430702de0b81",
        "value": "103a9e26e8d69cbbde4e871dd6cb1b0ee863a8265746aa7d77cd1106025c2d7c"
      },
      {
        "category": "Payload delivery",
        "comment": "Dridex sample - Xchecked via VT: 6233778c733daa00ce5b9b25aae0a3cb",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1485470881",
        "to_ids": true,
        "type": "sha1",
        "uuid": "588a7ca1-16dc-4f70-9be5-4d2402de0b81",
        "value": "1bfd0ac86f1bf52a5e8814dafb4a9bc4d3628384"
      },
      {
        "category": "External analysis",
        "comment": "Dridex sample - Xchecked via VT: 6233778c733daa00ce5b9b25aae0a3cb",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1485470882",
        "to_ids": false,
        "type": "link",
        "uuid": "588a7ca2-86a8-4d9e-908a-4ce302de0b81",
        "value": "https://www.virustotal.com/file/103a9e26e8d69cbbde4e871dd6cb1b0ee863a8265746aa7d77cd1106025c2d7c/analysis/1485448506/"
      }
    ]
  }
}