296 lines
9.2 KiB
JSON
296 lines
9.2 KiB
JSON
|
{
|
||
|
"Event": {
|
||
|
"analysis": "1",
|
||
|
"date": "2017-02-03",
|
||
|
"extends_uuid": "",
|
||
|
"info": "OSINT: Malicious software targeting financial sector internals",
|
||
|
"publish_timestamp": "1486155976",
|
||
|
"published": true,
|
||
|
"threat_level_id": "1",
|
||
|
"timestamp": "1486155965",
|
||
|
"uuid": "5894bd56-d458-489f-a692-41d102de0b81",
|
||
|
"Orgc": {
|
||
|
"name": "CIRCL",
|
||
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
||
|
},
|
||
|
"Tag": [
|
||
|
{
|
||
|
"colour": "#ffffff",
|
||
|
"name": "tlp:white"
|
||
|
},
|
||
|
{
|
||
|
"colour": "#6edb00",
|
||
|
"name": "circl:topic=\"finance\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#1f9900",
|
||
|
"name": "Threat Type:RAT"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "malware hash",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486143093",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "5894be75-7574-4e69-bfae-455202de0b81",
|
||
|
"value": "c1364bbf63b3617b25b58209e4529d8c"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "malware hash",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486143094",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "5894be76-7508-4910-9d02-4dba02de0b81",
|
||
|
"value": "85d316590edfb4212049c4490db08c4b"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "malware hash",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486143094",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "5894be76-4f38-4e7e-ac86-497f02de0b81",
|
||
|
"value": "1bfbc0c9e0d9ceb5c3f4f6ced6bcfeae"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "malware hash",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486143095",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "5894be77-75b0-4734-8249-40a902de0b81",
|
||
|
"value": "496207db444203a6a9c02a32aff28d563999736c"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "malware hash",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486143096",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "5894be78-4ab0-454c-9b6b-450f02de0b81",
|
||
|
"value": "4f0d7a33d23d53c0eb8b34d102cdd660fc5323a2"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "malware hash",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486143097",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "5894be79-6d7c-4bde-bcd3-465202de0b81",
|
||
|
"value": "bedceafa2109139c793cb158cec9fa48f980ff2b"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "malware hash",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486143097",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5894be79-698c-4f80-b7b5-499402de0b81",
|
||
|
"value": "fc8607c155617e09d540c5030eabad9a9512f656f16b38682fd50b2007583e9b"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "malware hash",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486143098",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5894be7a-58b4-4e46-a226-480f02de0b81",
|
||
|
"value": "d4616f9706403a0d5a2f9a8726230a4693e4c95c58df5c753ccc684f1d3542e2"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "malware hash",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486143099",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5894be7b-8e00-49c2-aefc-447b02de0b81",
|
||
|
"value": "cc6a731e9daff84bae4214603e1c3bad8d6735b0cbb2a0ec1635b36e6a38cb3a"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "C&C",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486143100",
|
||
|
"to_ids": true,
|
||
|
"type": "ip-dst",
|
||
|
"uuid": "5894be7c-b780-4516-bbf0-4ed702de0b81",
|
||
|
"value": "125.214.195.17"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "C&C",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486143100",
|
||
|
"to_ids": true,
|
||
|
"type": "ip-dst",
|
||
|
"uuid": "5894be7d-b554-4cc4-85d8-499e02de0b81",
|
||
|
"value": "196.29.166.218"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "injected URL in compromised website",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486143101",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5894be7d-4fb0-4992-b86f-42a502de0b81",
|
||
|
"value": "http://sap.misapor.ch/vishop/view.jsp?pagenum=1"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486143102",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "5894be7e-2770-473e-9555-440f02de0b81",
|
||
|
"value": "sap.misapor.ch"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "sap.misapor.ch",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486143103",
|
||
|
"to_ids": true,
|
||
|
"type": "ip-dst",
|
||
|
"uuid": "5894be7f-4d6c-4b70-816b-409402de0b81",
|
||
|
"value": "109.164.247.169"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "injected URL in compromised website",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486143103",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5894be7f-62f0-4f96-b04a-482202de0b81",
|
||
|
"value": "https://www.eye-watch.in/design/fancybox/Pnf.action"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486143104",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "5894be80-8628-4324-8b08-488102de0b81",
|
||
|
"value": "www.eye-watch.in"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "www.eye-watch.in",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486143105",
|
||
|
"to_ids": true,
|
||
|
"type": "ip-dst",
|
||
|
"uuid": "5894be81-1b9c-4742-b624-4aa002de0b81",
|
||
|
"value": "54.225.154.115"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "www.eye-watch.in",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486143105",
|
||
|
"to_ids": true,
|
||
|
"type": "ip-dst",
|
||
|
"uuid": "5894be81-0220-46ab-b665-4e6c02de0b81",
|
||
|
"value": "54.235.128.97"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "compromised website for distribution",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486143106",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5894be82-36dc-43bf-ba0a-4c7902de0b81",
|
||
|
"value": "http://www.knf.gov.pl/DefaultDesign/Layouts/KNF2013/resources/accordian-src.js?ver=11"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "compromised website for distribution",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486143107",
|
||
|
"to_ids": false,
|
||
|
"type": "hostname",
|
||
|
"uuid": "5894be83-553c-4da5-9230-445002de0b81",
|
||
|
"value": "www.knf.gov.pl"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "compromised website for distribution",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486143108",
|
||
|
"to_ids": false,
|
||
|
"type": "hostname",
|
||
|
"uuid": "5894be84-385c-4009-ab47-476802de0b81",
|
||
|
"value": "knf.gov.pl"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "compromised website for distribution",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486155965",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "5894be84-c4d0-4b38-85ab-40d802de0b81",
|
||
|
"value": "https://badcyber.com/several-polish-banks-hacked-information-stolen-by-unknown-attackers/",
|
||
|
"Tag": [
|
||
|
{
|
||
|
"colour": "#00223b",
|
||
|
"name": "osint:source-type=\"blog-post\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#11d000",
|
||
|
"name": "admiralty-scale:information-credibility=\"3\""
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "malware hash - Xchecked via VT: d4616f9706403a0d5a2f9a8726230a4693e4c95c58df5c753ccc684f1d3542e2",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1486155927",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "5894f097-1eb8-4aab-9cbb-41d202de0b81",
|
||
|
"value": "https://www.virustotal.com/file/d4616f9706403a0d5a2f9a8726230a4693e4c95c58df5c753ccc684f1d3542e2/analysis/1486132198/"
|
||
|
}
|
||
|
]
|
||
|
}
|
||
|
}
|