misp-circl-feed/feeds/circl/misp/f6098894-bbc6-4ee8-adbb-fc99b4c86f04.json

625 lines
22 KiB
JSON
Raw Normal View History

2023-04-21 13:25:09 +00:00
{
2023-12-14 14:30:15 +00:00
"Event": {
"analysis": "1",
"date": "2023-01-10",
"extends_uuid": "",
"info": "OSINT - Godfather Trojan IOCs",
"publish_timestamp": "1673365611",
"published": true,
"threat_level_id": "1",
"timestamp": "1673365597",
"uuid": "f6098894-bbc6-4ee8-adbb-fc99b4c86f04",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Deliver Malicious App via Authorized App Store - T1475\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1646\"",
"relationship_type": ""
},
{
"colour": "#00829e",
"local": "0",
"name": "veris:asset:variety=\"U - Mobile phone\"",
"relationship_type": ""
},
{
"colour": "#004646",
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": "0",
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#0087e8",
"local": "0",
"name": "osint:certainty=\"50\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:clear",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363293",
"to_ids": true,
"type": "url",
"uuid": "582e28d6-70ac-49a8-9523-2a55359b3a53",
"value": "http://168.100.9.86/"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363293",
"to_ids": true,
"type": "url",
"uuid": "283be250-ecdc-4057-82d5-26c5d452dfbd",
"value": "http://45.61.138.60/"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363293",
"to_ids": true,
"type": "url",
"uuid": "9d2bc2c9-2361-472a-86bb-81f99ccd6a15",
"value": "http://50.18.3.26/"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363293",
"to_ids": true,
"type": "url",
"uuid": "c518b2f0-1417-4720-b578-13160b24e034",
"value": "http://heikenmorgan.com/"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363293",
"to_ids": true,
"type": "url",
"uuid": "326dcec3-ac72-47b8-bb76-01463bee1c91",
"value": "https://banerrokutepera.com/"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363293",
"to_ids": true,
"type": "url",
"uuid": "f9fcdd3d-3e6f-47b7-b1a8-319eb91f8dd9",
"value": "https://henkormerise.com/"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363358",
"to_ids": true,
"type": "ip-dst",
"uuid": "8fc32fd2-12be-4460-bc40-f3374a26f868",
"value": "168.100.9.86"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363358",
"to_ids": true,
"type": "ip-dst",
"uuid": "67299acd-4ca5-499c-ba2c-47db1130e081",
"value": "45.61.138.60"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363358",
"to_ids": true,
"type": "ip-dst",
"uuid": "7ac407eb-b23e-469e-bde7-a2b31abc5d40",
"value": "50.18.3.26"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363358",
"to_ids": true,
"type": "url",
"uuid": "dfd9f51b-ef52-4b04-9f25-4a60c8bbbf0e",
"value": "heikenmorgan.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363358",
"to_ids": true,
"type": "url",
"uuid": "f3c722b8-75c6-479f-8805-7f06e6062c6c",
"value": "banerrokutepera.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363358",
"to_ids": true,
"type": "domain",
"uuid": "a0f4eac1-dea6-4b7d-bda0-e69f09b65ce0",
"value": "henkormerise.com"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363423",
"to_ids": true,
"type": "sha256",
"uuid": "4a91a0e3-a25a-488c-aef4-2af731657555",
"value": "0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363423",
"to_ids": true,
"type": "sha256",
"uuid": "6f9fd4b2-0c0d-4f5a-aa4a-184417889d0b",
"value": "38386f4fabd0bc7f7065eaee818717e89772fb3b1a3744df754c45778e353f70"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363423",
"to_ids": true,
"type": "sha256",
"uuid": "7b1f707d-3eea-492d-8196-5dd13921360f",
"value": "7664293fc1dde797940d857d1f16eb1e12a15b9126d704854f97df1bedc18758"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363423",
"to_ids": true,
"type": "sha256",
"uuid": "748ec32a-a7c9-48f6-b189-3100b5ef40d8",
"value": "9815ba07d0a2528c11d377b583243df24218a48c6a4f839f40769ea290555070"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363423",
"to_ids": true,
"type": "sha256",
"uuid": "cea15d0d-fac6-47d1-b9ea-5775b446b814",
"value": "9dfb5b4ad9aac36c2d7fbb93f8668faa819cb0df16f4a55d00f1cdda89c9a6d2"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363423",
"to_ids": true,
"type": "sha256",
"uuid": "3c5664c2-98ff-499e-a915-2ef2fe2f6a88",
"value": "a14aad1265eb307fbe71a3a5f6e688408ce153ff19838b3c5229f26ee3ece5dd"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363423",
"to_ids": true,
"type": "sha256",
"uuid": "2e220ffc-630f-4348-89b3-a894961cbb7d",
"value": "b6249fa996cb4046bdab37bab5e3b4d43c79ea537f119040c3b3e138149897fd"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363423",
"to_ids": true,
"type": "sha256",
"uuid": "8c02c3aa-e7c9-4e79-b9c8-d562835becb6",
"value": "c3dadb9a593523d1bf3fe76dabf375578119aff3110d92a1a4ee6db06742263a"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363423",
"to_ids": true,
"type": "sha256",
"uuid": "ae613301-2400-48c4-b23c-df853f9d4f3d",
"value": "c4bace10849f23e9972e555ac2e30ac128b7a90017a0f76c197685a0c60def6d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363423",
"to_ids": true,
"type": "sha256",
"uuid": "03574f55-8a78-4e36-add2-01b1f5c1df32",
"value": "c79857015dbf220111e7c5f47cf20a656741a9380cc0faecd486b517648eb199"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363423",
"to_ids": true,
"type": "sha256",
"uuid": "0c7c6c3b-5b82-4e61-a380-1115cc8b8fed",
"value": "d652ac528102de3ebb42a973db639ae27f13738e005172e5ff8aac6e91f3f760"
},
{
"category": "Network activity",
"comment": "%KEY% is the key sent as a parameter in the requests mentioned above. %LOCALE% is the system language. The user-agent used when the request is executed is:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673363949",
"to_ids": true,
"type": "user-agent",
"uuid": "40fb7312-71a4-469c-89db-65f38ddb73ee",
"value": "Mozilla/5.0 (Linux; Android 9; SM-J730F Build/PPR12.180610.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.181 Mobile Safari/537.36"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673364044",
"to_ids": true,
"type": "domain",
"uuid": "91bbcc0a-5c71-4750-9f41-bf08b72bbd4b",
"value": "banerrokutepera.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673364044",
"to_ids": true,
"type": "domain",
"uuid": "504c51f0-f3d2-43e6-b4d7-baac114828e9",
"value": "heikenmorgan.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1673364044",
"to_ids": true,
"type": "domain",
"uuid": "4edbf8e1-d4ab-4fe1-8ba9-d28268cc9b9f",
"value": "pluscurrencyconverter.com"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Metadata used to generate an executive level report",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "7",
"timestamp": "1673363404",
"uuid": "00451894-1a23-462f-a90d-c0d852d9fe80",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1673363404",
"to_ids": false,
"type": "link",
"uuid": "8dc384c7-67b9-4a8d-b449-f6804487902b",
"value": "https://1275.ru/ioc/1192/godfather-trojan-iocs/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1673363404",
"to_ids": false,
"type": "text",
"uuid": "ae3e1b8d-b149-4551-9412-ebee765c9de5",
"value": "Group-IB \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u043b\u0438 \u0432 \u043e\u0444\u0438\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u043c \u043c\u0430\u0433\u0430\u0437\u0438\u043d\u0435 Google Play \u0431\u0430\u043d\u043a\u043e\u0432\u0441\u043a\u043e\u0433\u043e \u0442\u0440\u043e\u044f\u043d\u0430 Godfather, \u0433\u0434\u0435 \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441 \u043c\u0430\u0441\u043a\u0438\u0440\u0443\u0435\u0442\u0441\u044f \u043f\u043e\u0434 \u043b\u0435\u0433\u0430\u043b\u044c\u043d\u044b\u0435 \u043a\u0440\u0438\u043f\u0442\u043e\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f. \u0413\u0435\u043e\u0433\u0440\u0430\u0444\u0438\u044f \u0435\u0433\u043e \u0436\u0435\u0440\u0442\u0432 \u043e\u0445\u0432\u0430\u0442\u044b\u0432\u0430\u0435\u0442 16 \u0441\u0442\u0440\u0430\u043d \u043c\u0438\u0440\u0430, \u0430 \u0441\u043f\u0438\u0441\u043e\u043a \u0446\u0435\u043b\u0435\u0439 \u043d\u0430\u0441\u0447\u0438\u0442\u044b\u0432\u0430\u0435\u0442 \u0431\u043e\u043b\u0435\u0435 400 \u0440\u0430\u0437\u043b\u0438\u0447\u043d\u044b\u0445 \u0431\u0430\u043d\u043a\u043e\u0432, \u043a\u0440\u0438\u043f\u0442\u043e\u0432\u0430\u043b\u044e\u0442\u043d\u044b\u0445 \u0431\u0438\u0440\u0436 \u0438 \u044d\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u044b\u0445 \u043a\u043e\u0448\u0435\u043b\u044c\u043a\u043e\u0432."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1673363404",
"to_ids": false,
"type": "text",
"uuid": "469bd9cb-bb87-404f-a325-624866e88da7",
"value": "Blog"
}
]
},
{
"comment": "0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8: Enriched via the virustotal module",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "4",
"timestamp": "1673363469",
"uuid": "05d7898d-e645-406b-ba38-eb56f4e4bd13",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "permalink",
"timestamp": "1673363469",
"to_ids": false,
"type": "link",
"uuid": "cf926a0e-0c8a-46ea-9fe9-915e81b5e76e",
"value": "https://www.virustotal.com/gui/file/0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1673363469",
"to_ids": false,
"type": "text",
"uuid": "1de1435a-1eb5-4bcf-8c82-5576ce32606c",
"value": "29/66"
}
]
},
{
"comment": "0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8: Enriched via the virustotal module",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1673363469",
"uuid": "09799c14-87d6-4a36-9e61-f1353f49f50d",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1673363469",
"to_ids": true,
"type": "md5",
"uuid": "1dc5a6c1-b81e-4fd0-86b5-73ab0c2b89cf",
"value": "ec9f857999b4fc3dd007fdb786b7a8d1"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1673363469",
"to_ids": true,
"type": "sha1",
"uuid": "853708f3-cca5-43cf-98c0-af17c3968bad",
"value": "3fa48a36d22d848ad111b246ca94fa58088dbb7a"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1673363469",
"to_ids": true,
"type": "sha256",
"uuid": "c15b4526-9819-4594-a66d-0a4efc25e287",
"value": "0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "tlsh",
"timestamp": "1673363469",
"to_ids": true,
"type": "tlsh",
"uuid": "576fab8d-57a5-4bb6-9105-99da9042209a",
"value": "t1cb76125af718a86fc1f792324679522a66074c268743ea875968727c0dbbdc04f4bfcc"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "vhash",
"timestamp": "1673363469",
"to_ids": true,
"type": "vhash",
"uuid": "29606b35-6796-4255-b3a8-8263863ddcb3",
"value": "ede26ab6fd89266ae46ad188b676ce54"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1673363469",
"to_ids": true,
"type": "ssdeep",
"uuid": "5d97b9b5-9072-4aa1-bbec-a05c84c68dc9",
"value": "98304:vDdInEpAOdLl2DfGjOmP34z09nmw3xAZMV8JiDQeZgUGdh0fr33dmh++0oEHi6Pz:5gE7tf3u09nmiOZmDid9h+CFZMXmwfXR"
}
]
},
{
"comment": "9815ba07d0a2528c11d377b583243df24218a48c6a4f839f40769ea290555070: Enriched via the virustotal module",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "4",
"timestamp": "1673363654",
"uuid": "344f2b3c-8c0a-49fe-867b-5b9c7dcf4166",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "permalink",
"timestamp": "1673363654",
"to_ids": false,
"type": "link",
"uuid": "0514771e-3eee-4ab7-bda0-005ada4ce08c",
"value": "https://www.virustotal.com/gui/file/9815ba07d0a2528c11d377b583243df24218a48c6a4f839f40769ea290555070"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1673363654",
"to_ids": false,
"type": "text",
"uuid": "45c71feb-c0cf-41c7-ac50-eb21152dda6e",
"value": "22/66"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Metadata used to generate an executive level report",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "7",
"timestamp": "1673363843",
"uuid": "e6777be6-8b69-49a6-b286-521b557b108c",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1673363843",
"to_ids": false,
"type": "link",
"uuid": "288a1ec3-7867-48fa-aeb0-6718edaae63c",
"value": "https://blog.group-ib.com/godfather-trojan"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1673363843",
"to_ids": false,
"type": "text",
"uuid": "76bfccf5-2126-4090-b782-fd2c85ba72db",
"value": "The Android banking Trojan Godfather is currently being utilized by cybercriminals to attack users of popular financial services across the globe. Godfather is designed to allow threat actors to harvest login credentials for banking applications and other financial services, and drain the accounts. To date, its victims include users of over 400 international targets, including banking applications, cryptocurrency wallets, and crypto exchanges.\r\n\r\nFew people realize that hiding under Godfather\u2019s hood is an old banking Trojan called Anubis, whose functionality has become outdated due to Android updates and the efforts of malware detection and prevention providers."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1673363843",
"to_ids": false,
"type": "text",
"uuid": "c402c0b0-0a54-40b1-825d-3a8b21f33917",
"value": "Blog"
}
]
}
2023-04-21 13:25:09 +00:00
]
2023-12-14 14:30:15 +00:00
}
2023-04-21 13:25:09 +00:00
}