misp-circl-feed/feeds/circl/misp/58369d20-cb08-4d10-9e08-45e802de0b81.json

{
"Event": {
"analysis": "2",
"date": "2016-11-24",
"extends_uuid": "",
"info": "OSINT - Fareit Spam: Rocking Out to a New File Type",
"publish_timestamp": "1479974461",
"published": true,
"threat_level_id": "3",
"timestamp": "1479974391",
"uuid": "58369d20-cb08-4d10-9e08-45e802de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#001cad",
"name": "estimative-language:likelihood-probability=\"very-likely\""
},
{
"colour": "#0da800",
"name": "misp-galaxy:tool=\"Fareit\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1479974186",
"to_ids": false,
"type": "link",
"uuid": "58369d2a-1dfc-49e1-a04d-470402de0b81",
"value": "http://blog.talosintel.com/2016/11/fareit-spam-mht.html?m=1"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1479974198",
"to_ids": false,
"type": "comment",
"uuid": "58369d36-2bb0-40bf-88b2-4e1002de0b81",
"value": "Talos is constantly monitoring the threat landscape including the email threat landscape. Lately this landscape has been dominated with Locky distribution. During a recent Locky vacation Talos noticed an interesting shift in file types being used to distribute another well known malware family, Fareit.\r\n\r\nWe've discussed Fareit before, it's a trojan used to steal credentials and distribute multiple different types of malware. The focus of this post will not be on Fareit but on a new way attackers are working to distribute it via email. Locky has been a case study in how to leverage different file extensions in email to distribute malware. The use of various file types such as .js, .wsf, and .hta have been used quite successfully for Locky. We've already noted other threats making use of .js for distribution largely due to Locky's success. Recently we observed another uncommon file type associated with email and decided to dig a little further on the infection chain."
},
{
"category": "Payload delivery",
"comment": "File.hta",
"deleted": false,
"disable_correlation": false,
"timestamp": "1479974242",
"to_ids": true,
"type": "sha256",
"uuid": "58369d62-76a0-4a70-a3f3-421402de0b81",
"value": "a95a01472fdb42a123e1beb6332cb42c9372fdfe33066b94a7cabdac3d78efe1"
},
{
"category": "Payload delivery",
"comment": "j.exe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1479974242",
"to_ids": true,
"type": "sha256",
"uuid": "58369d62-e900-4e1b-a80f-464a02de0b81",
"value": "27689bcbab872e321f4c9f9b5b01a6c7e1eca0ee7442afc80c5af48e62d3c5f3"
},
{
"category": "Payload delivery",
"comment": ".mht File",
"deleted": false,
"disable_correlation": false,
"timestamp": "1479974243",
"to_ids": true,
"type": "sha256",
"uuid": "58369d63-7b50-41d2-8b2f-496102de0b81",
"value": "d60bb9655a98b4fdb712162c75298ab6364951b1fc085131607f5073857b0ddc"
},
{
"category": "Network activity",
"comment": "C2 Domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1479974271",
"to_ids": true,
"type": "domain",
"uuid": "58369d7f-42cc-4165-b820-4cb202de0b81",
"value": "jerryotis.pw"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1479974288",
"to_ids": true,
"type": "ip-dst",
"uuid": "58369d90-97ac-4afa-83e9-45b202de0b81",
"value": "185.117.75.186"
},
{
"category": "Payload delivery",
"comment": "j.exe - Xchecked via VT: 27689bcbab872e321f4c9f9b5b01a6c7e1eca0ee7442afc80c5af48e62d3c5f3",
"deleted": false,
"disable_correlation": false,
"timestamp": "1479974391",
"to_ids": true,
"type": "sha1",
"uuid": "58369df7-eb20-449b-8d49-4c8f02de0b81",
"value": "941694ae0920c07c7c2aab9fe0e7efe5f6067635"
},
{
"category": "Payload delivery",
"comment": "j.exe - Xchecked via VT: 27689bcbab872e321f4c9f9b5b01a6c7e1eca0ee7442afc80c5af48e62d3c5f3",
"deleted": false,
"disable_correlation": false,
"timestamp": "1479974392",
"to_ids": true,
"type": "md5",
"uuid": "58369df8-15a8-436f-a885-486b02de0b81",
"value": "54e6e98e527f1befb5b530b571ecbd43"
},
{
"category": "External analysis",
"comment": "j.exe - Xchecked via VT: 27689bcbab872e321f4c9f9b5b01a6c7e1eca0ee7442afc80c5af48e62d3c5f3",
"deleted": false,
"disable_correlation": false,
"timestamp": "1479974392",
"to_ids": false,
"type": "link",
"uuid": "58369df8-a440-4d9c-ad9c-46b102de0b81",
"value": "https://www.virustotal.com/file/27689bcbab872e321f4c9f9b5b01a6c7e1eca0ee7442afc80c5af48e62d3c5f3/analysis/1479749349/"
},
{
"category": "Payload delivery",
"comment": "File.hta - Xchecked via VT: a95a01472fdb42a123e1beb6332cb42c9372fdfe33066b94a7cabdac3d78efe1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1479974393",
"to_ids": true,
"type": "sha1",
"uuid": "58369df9-cd28-4ac4-96db-4d5d02de0b81",
"value": "f3eb6a3661f04325ac0504a9cc586fcb62743f02"
},
{
"category": "Payload delivery",
"comment": "File.hta - Xchecked via VT: a95a01472fdb42a123e1beb6332cb42c9372fdfe33066b94a7cabdac3d78efe1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1479974393",
"to_ids": true,
"type": "md5",
"uuid": "58369df9-487c-45a5-aa5d-445c02de0b81",
"value": "3ab8351b8a0a26718a91652463ee1484"
},
{
"category": "External analysis",
"comment": "File.hta - Xchecked via VT: a95a01472fdb42a123e1beb6332cb42c9372fdfe33066b94a7cabdac3d78efe1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1479974394",
"to_ids": false,
"type": "link",
"uuid": "58369dfa-5d8c-44b0-803f-462602de0b81",
"value": "https://www.virustotal.com/file/a95a01472fdb42a123e1beb6332cb42c9372fdfe33066b94a7cabdac3d78efe1/analysis/1479873331/"
}
]
}
}