2023-04-21 13:25:09 +00:00
{
2023-12-14 14:30:15 +00:00
"Event" : {
"analysis" : "2" ,
"date" : "2017-05-18" ,
"extends_uuid" : "" ,
"info" : "OSINT - New Loki Variant Being Spread via PDF File" ,
"publish_timestamp" : "1495135268" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1495135260" ,
"uuid" : "591df2b7-0408-43b6-90bd-4e3c02de0b81" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:tool=\"Flokibot\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#284800" ,
"local" : "0" ,
"name" : "malware_classification:malware-category=\"Trojan\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495135180" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "591df311-e9f8-4181-9684-45e602de0b81" ,
"value" : "https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file" ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495135180" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "591df336-5ec4-48c7-adb9-4ccf02de0b81" ,
"value" : "The Loki Bot has been observed for years. As you may know, it is designed to steal credentials from installed software on a victim\u00e2\u20ac\u2122s machine, such as email clients, browsers, FTP clients, file management clients, and so on. FortiGuard Labs recently captured a PDF sample that is used to spread a new Loki variant. In this blog, we will analyze how this new variant works and what it steals." ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495135180" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "591df376-1128-435c-b506-466c02de0b81" ,
"value" : "194.88.105.202/~ninjagro/pdfs/QUOTATION.exe"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495135180" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "591df376-261c-4d59-95c8-4a6e02de0b81" ,
"value" : "online-prodaja.rs/tz/Panel/five/fre.php"
} ,
{
"category" : "Payload delivery" ,
"comment" : "QUOTATION (1).pdf" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495135180" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "591df377-3708-4064-a6fa-47e302de0b81" ,
"value" : "e71379a53045385c4ac32e5be75a04e3d2a9fc7b707fb4478ce90fe689f66d19"
} ,
{
"category" : "Payload delivery" ,
"comment" : "QUOTATION.exe" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495135180" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "591df377-c58c-4b41-b999-467902de0b81" ,
"value" : "fa417e0b42362c40301750809df9f0c9bdbf333269f50f74832d4f471358aaed"
} ,
{
"category" : "Network activity" ,
"comment" : "Compromised system to distribute malware" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495135180" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "591df38f-0518-4328-bc11-ea5c02de0b81" ,
"value" : "194.88.105.202"
} ,
{
"category" : "Network activity" ,
"comment" : "compromised server" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495135180" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "591df3a7-22d4-4231-b145-4fc102de0b81" ,
"value" : "online-prodaja.rs"
} ,
{
"category" : "Payload delivery" ,
"comment" : "QUOTATION.exe - Xchecked via VT: fa417e0b42362c40301750809df9f0c9bdbf333269f50f74832d4f471358aaed" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495135183" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "591df3cf-ac70-4994-9051-45a702de0b81" ,
"value" : "f6b7baa8ed7561c9a9d7394ae65b207f49e9e575"
} ,
{
"category" : "Payload delivery" ,
"comment" : "QUOTATION.exe - Xchecked via VT: fa417e0b42362c40301750809df9f0c9bdbf333269f50f74832d4f471358aaed" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495135184" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "591df3d0-5410-4e2a-b1e1-435502de0b81" ,
"value" : "973f20849613f197ff200f9bcd0fc7f5"
} ,
{
"category" : "External analysis" ,
"comment" : "QUOTATION.exe - Xchecked via VT: fa417e0b42362c40301750809df9f0c9bdbf333269f50f74832d4f471358aaed" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495135184" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "591df3d0-67bc-4835-a1b0-4c8f02de0b81" ,
"value" : "https://www.virustotal.com/file/fa417e0b42362c40301750809df9f0c9bdbf333269f50f74832d4f471358aaed/analysis/1494822036/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "QUOTATION (1).pdf - Xchecked via VT: e71379a53045385c4ac32e5be75a04e3d2a9fc7b707fb4478ce90fe689f66d19" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495135184" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "591df3d0-ba48-44d1-8fb8-4d2a02de0b81" ,
"value" : "100b1ff0a54bd7af57f0ac8030dfa29c3da8b745"
} ,
{
"category" : "Payload delivery" ,
"comment" : "QUOTATION (1).pdf - Xchecked via VT: e71379a53045385c4ac32e5be75a04e3d2a9fc7b707fb4478ce90fe689f66d19" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495135185" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "591df3d1-5dd4-4c5e-b6ca-41a802de0b81" ,
"value" : "7bc2267d83b97d4733210fbd47ae0633"
} ,
{
"category" : "External analysis" ,
"comment" : "QUOTATION (1).pdf - Xchecked via VT: e71379a53045385c4ac32e5be75a04e3d2a9fc7b707fb4478ce90fe689f66d19" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495135185" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "591df3d1-2444-4489-8276-439f02de0b81" ,
"value" : "https://www.virustotal.com/file/e71379a53045385c4ac32e5be75a04e3d2a9fc7b707fb4478ce90fe689f66d19/analysis/1495003707/"
}
2023-04-21 13:25:09 +00:00
]
2023-12-14 14:30:15 +00:00
}
2023-04-21 13:25:09 +00:00
}