{
"Event": {
"analysis": "2",
"date": "2017-12-08",
"extends_uuid": "",
"info": "OSINT - GratefulPOS credit card stealing malware - just in time for the shopping season",
"publish_timestamp": "1518771480",
"published": true,
"threat_level_id": "3",
"timestamp": "1518231662",
"uuid": "5a38dd78-f12c-4c15-8b98-c4d6950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"name": "type:OSINT"
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
},
{
"colour": "#3b7500",
"name": "circl:incident-classification=\"malware\""
},
{
"colour": "#002149",
"name": "riskiq:threat-type=\"credit-card-stealer\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1518185205",
"to_ids": false,
"type": "link",
"uuid": "5a38dd89-15bc-4949-9a88-bfca950d210f",
"value": "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1518185206",
"to_ids": false,
"type": "comment",
"uuid": "5a38ddb6-7a90-45be-b13d-bfdb950d210f",
"value": "Well into the holiday season, people are making their shopping lists, recovering from Black Friday and Cyber Monday, and perhaps contemplating the many things for which they are grateful. Criminals, too, are making their lists, and posturing for the big shopping days ahead. \r\n\r\nThreat researchers are still at work of course, so it was inevitable that FirstWatch contemplated which things credit card stealing criminals--AKA \u201ccarders\u201d appreciate. This is what we came up with.",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "Network activity",
"comment": "GratefulPOS exfiltration domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1518185206",
"to_ids": true,
"type": "domain",
"uuid": "5a38de2c-07b4-4e0a-b59b-c4d7950d210f",
"value": "a193-108-94-56-deploy-akamaitechnologies.com"
},
{
"category": "Network activity",
"comment": "Current Exfiltration DNS server",
"deleted": false,
"disable_correlation": false,
"timestamp": "1518185206",
"to_ids": true,
"type": "ip-dst",
"uuid": "5a38de56-7040-4dce-a606-bfe1950d210f",
"value": "96.44.135.70"
}
],
"Object": [
{
"comment": "GratefulPOS",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "8",
"timestamp": "1513676354",
"uuid": "5a38de0c-8d9c-4634-8985-bfc8950d210f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1513676354",
"to_ids": true,
"type": "md5",
"uuid": "5a38de0d-71fc-4674-bb93-bfc8950d210f",
"value": "9a58657669bb3075c1103e73a8948a56"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1513676354",
"to_ids": false,
"type": "text",
"uuid": "5a38de0d-9ac8-49f6-aac3-bfc8950d210f",
"value": "Malicious"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "7",
"timestamp": "1518185210",
"uuid": "d025c9e2-00f6-48d5-8968-8c893e71e157",
"ObjectReference": [
{
"comment": "",
"object_uuid": "d025c9e2-00f6-48d5-8968-8c893e71e157",
"referenced_uuid": "4ef3034d-1ff0-44b0-8566-0c945e9afd7e",
"relationship_type": "analysed-with",
"timestamp": "1518771480",
"uuid": "5a7daaf9-7b74-4f66-b34b-23db02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1518185207",
"to_ids": true,
"type": "sha1",
"uuid": "5a7daaf7-6bd8-4e73-aee2-23db02de0b81",
"value": "17b657174313e3e7ce84c030991a271b66eb0840"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1518185207",
"to_ids": true,
"type": "sha256",
"uuid": "5a7daaf7-16b4-4e60-b14b-23db02de0b81",
"value": "5540b8d51f2190c45aaa5212c866c402f834d5988752537c388dcfecdf89f4e4"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1518185208",
"to_ids": true,
"type": "md5",
"uuid": "5a7daaf8-876c-492e-bd1c-23db02de0b81",
"value": "9a58657669bb3075c1103e73a8948a56"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "1",
"timestamp": "1518185208",
"uuid": "4ef3034d-1ff0-44b0-8566-0c945e9afd7e",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1518185208",
"to_ids": false,
"type": "link",
"uuid": "5a7daaf8-9988-42f0-9967-23db02de0b81",
"value": "https://www.virustotal.com/file/5540b8d51f2190c45aaa5212c866c402f834d5988752537c388dcfecdf89f4e4/analysis/1514451231/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1518185209",
"to_ids": false,
"type": "text",
"uuid": "5a7daaf9-13b8-4150-841d-23db02de0b81",
"value": "41/67"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1518185209",
"to_ids": false,
"type": "datetime",
"uuid": "5a7daaf9-10d4-4253-8560-23db02de0b81",
"value": "2017-12-28T08:53:51"
}
]
}
]
}
}