{
"Event": {
"analysis": "2",
"date": "2019-03-16",
"extends_uuid": "",
"info": "OSINT - Spam Warns about Boeing 737 Max Crashes While Pushing Malware",
"publish_timestamp": "1559825436",
"published": true,
"threat_level_id": "3",
"timestamp": "1559823829",
"uuid": "5c8f9bb3-c244-4dba-89cb-4fdc950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#1d3900",
"name": "circl:incident-classification=\"spam\""
},
{
"colour": "#004646",
"name": "type:OSINT"
},
{
"colour": "#0071c3",
"name": "osint:lifetime=\"perpetual\""
},
{
"colour": "#0087e8",
"name": "osint:certainty=\"50\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#0088cc",
"name": "misp-galaxy:android=\"Adwind\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:malpedia=\"AdWind\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-malware=\"jRAT - S0283\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:rat=\"Adwind RAT\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:rat=\"H-w0rm\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:rat=\"H-worm\""
},
{
"colour": "#0da200",
"name": "misp-galaxy:tool=\"Adwind\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1552915413",
"to_ids": false,
"type": "link",
"uuid": "5c8f9bd5-55cc-458e-8cbc-4a08950d210f",
"value": "https://www.bleepingcomputer.com/news/security/spam-warns-about-boeing-737-max-crashes-while-pushing-malware/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1552915439",
"to_ids": false,
"type": "text",
"uuid": "5c8f9bef-6d90-475c-91bd-4309950d210f",
"value": "A new malspam campaign is underway that is trying to utilize the tragic Boeing 737 Max crashes as a way to spread malware on a recipient's computer. These spam emails pretend to be leaked documents about imminent crashes that the sender states should be reviewed and shared with loved ones to warn them."
},
{
"category": "External analysis",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1552919359",
"to_ids": false,
"type": "attachment",
"uuid": "5c8fab3f-6100-477b-a7fa-443b950d210f",
"value": "D1sqKsyU0AA0HeV.jpg:large.jpeg"
},
{
"category": "Network activity",
"comment": "C2 domain for the H-Worm RAT dropped by the JAR attachment, as reported in the 360TIC tweet (written defanged there as pm2bitcoin[.]com)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1552920445",
"to_ids": true,
"type": "domain",
"uuid": "5c8faf7d-0148-415c-a1d6-4f16950d210f",
"value": "pm2bitcoin.com"
},
{
"category": "Network activity",
"comment": "C2 domain for the H-Worm RAT dropped by the JAR attachment, as reported in the 360TIC tweet (written defanged there as brothersjoy[.]nl)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1552920445",
"to_ids": true,
"type": "domain",
"uuid": "5c8faf7d-f368-49fa-92e7-4198950d210f",
"value": "brothersjoy.nl"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
"meta-category": "misc",
"name": "microblog",
"template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",
"template_version": "5",
"timestamp": "1552917017",
"uuid": "5c8fa219-3e68-48d7-9fd3-446f950d210f",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "post",
"timestamp": "1552917017",
"to_ids": false,
"type": "text",
"uuid": "5c8fa219-94cc-40c3-898e-44cb950d210f",
"value": "Attackers are using topics regarding #Boeing 737 MAX 8 crash and seems an email account from @IsgecPresses has been abused to deliver the mails. The attachment is a JAR file which drops H-WORM RAT. C2: pm2bitcoin[.]com brothersjoy[.]nl https://www.virustotal.com/#/file/0d53ae6b78d37bff74cd6458624a9157b1a7d60d5722f9c4ebc83e5a7a058463/detection"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1552917017",
"to_ids": false,
"type": "text",
"uuid": "5c8fa219-d24c-453d-a924-4ef6950d210f",
"value": "Twitter"
},
{
"category": "Network activity",
"comment": "Benign reference: the URL of the 360TIC tweet itself, not a malicious indicator. It carries to_ids=true (the microblog template default); review before exporting to detection tooling, as it would only generate false positives.",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1552917017",
"to_ids": true,
"type": "url",
"uuid": "5c8fa219-abdc-48b6-884f-4947950d210f",
"value": "https://twitter.com/360TIC/status/1106524508612026369"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "username-quoted",
"timestamp": "1552917017",
"to_ids": false,
"type": "text",
"uuid": "5c8fa219-b210-4b04-afac-4687950d210f",
"value": "@IsgecPresses"
},
{
"category": "Network activity",
"comment": "Benign reference: t.co shortener link carried in the 360TIC tweet (presumably the shortened form of the VirusTotal link in the post; not verified here). Not a malicious indicator; its to_ids=true should be reviewed before export to detection tooling.",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1552917017",
"to_ids": true,
"type": "url",
"uuid": "5c8fa219-9454-4300-b649-42f0950d210f",
"value": "https://t.co/qs6XhKMU3k"
},
{
"category": "Network activity",
"comment": "Benign reference: VirusTotal report page for the JAR sample (SHA-256 in the URL path), not a malicious indicator. Its to_ids=true should be reviewed before export to detection tooling.",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1552917017",
"to_ids": true,
"type": "url",
"uuid": "5c8fa219-be38-4ece-9e5b-4a2c950d210f",
"value": "https://www.virustotal.com/#/file/0d53ae6b78d37bff74cd6458624a9157b1a7d60d5722f9c4ebc83e5a7a058463/detection"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "creation-date",
"timestamp": "1552917017",
"to_ids": false,
"type": "datetime",
"uuid": "5c8fa219-0d38-475c-b5b2-4eaf950d210f",
"value": "2019-03-15T04:56:00"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "username",
"timestamp": "1552917017",
"to_ids": false,
"type": "text",
"uuid": "5c8fa219-9164-4a70-9a22-449e950d210f",
"value": "360TIC"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Email object describing an email with meta-information",
"meta-category": "network",
"name": "email",
"template_uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
"template_version": "13",
"timestamp": "1552920733",
"uuid": "5c8fb070-9b58-46d1-842d-4183950d210f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "email-body",
"timestamp": "1552920733",
"to_ids": false,
"type": "email-body",
"uuid": "5c8fb071-e6ec-44fa-bfda-4739950d210f",
"value": "Greetings \r\n\r\nI believe you have heard about the latest crash Boeing 737 MAX 8 which happen on sunday 10 march 2019, All passengers and crew were killed in the accident\r\n\r\nEthiopian Airlines Flight ET302 from Addis Ababa, Ethiopia, to Nairobi, Kenya, crashed shortly after takeoff \r\n\r\nThe dead were of 35 different nationalities, including eight Americans.\r\n\r\nOn 29 October 2018, the Boeing 737 MAX 8 operating the route crashed into the Java Sea 12 minutes after takeoff.\r\n\r\nAll 189 passengers and crew were killed in the accident.\r\n\r\nnote: there was a leak information from Darkweb which listed all the airline companies that will go down soon.\r\n\r\nkindly notify your love ones about the informations on these file.\r\n \r\nRegards\r\n\r\nJoshua Berlinger \r\nprivate inteligent analyst"
},
{
"category": "Payload delivery",
"comment": "JAR attachment (filename only; the event holds no separate hash attribute). The SHA-256 of the sample referenced by the linked VirusTotal report is 0d53ae6b78d37bff74cd6458624a9157b1a7d60d5722f9c4ebc83e5a7a058463. Per the 360TIC tweet it drops the H-Worm RAT.",
"deleted": false,
"disable_correlation": false,
"object_relation": "attachment",
"timestamp": "1552920733",
"to_ids": true,
"type": "email-attachment",
"uuid": "5c8fb071-05e0-4443-9ac5-4e54950d210f",
"value": "MP4_142019.jar"
},
{
"category": "Payload delivery",
"comment": "Sender address of a legitimate ISGEC account that the 360TIC tweet reports as abused (likely compromised), not attacker-owned infrastructure. False-positive risk: with to_ids=true this value would block or alert on genuine mail from that organisation; consider to_ids=false and keep it for correlation only.",
"deleted": false,
"disable_correlation": false,
"object_relation": "from",
"timestamp": "1552920733",
"to_ids": true,
"type": "email-src",
"uuid": "5c8fb09d-07c8-4907-9a7e-4772950d210f",
"value": "info@isgec.com"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "subject",
"timestamp": "1552920733",
"to_ids": false,
"type": "email-subject",
"uuid": "5c8fb09d-2308-4095-b6f1-4d9e950d210f",
"value": "Fwd: Airlines plane crash Boeing 737 Max 8"
}
]
}
]
}
}