312 lines
10 KiB
JSON
312 lines
10 KiB
JSON
|
{
|
||
|
"Event": {
|
||
|
"analysis": "2",
|
||
|
"date": "2017-10-06",
|
||
|
"extends_uuid": "",
|
||
|
"info": "OSINT - Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea",
|
||
|
"publish_timestamp": "1507317909",
|
||
|
"published": true,
|
||
|
"threat_level_id": "3",
|
||
|
"timestamp": "1507317807",
|
||
|
"uuid": "59d7d6ca-34f4-4bec-b700-4afa02de0b81",
|
||
|
"Orgc": {
|
||
|
"name": "CIRCL",
|
||
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
||
|
},
|
||
|
"Tag": [
|
||
|
{
|
||
|
"colour": "#ffffff",
|
||
|
"name": "tlp:white"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317625",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "59d7d6f3-d80c-4fbc-8d14-105502de0b81",
|
||
|
"value": "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html",
|
||
|
"Tag": [
|
||
|
{
|
||
|
"colour": "#00223b",
|
||
|
"name": "osint:source-type=\"blog-post\""
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317625",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "59d7d704-a774-46fd-8e57-4f4702de0b81",
|
||
|
"value": "We observed several high-volume FormBook malware distribution campaigns primarily taking aim at Aerospace, Defense Contractor, and Manufacturing sectors within the U.S. and South Korea during the past few months. The attackers involved in these email campaigns leveraged a variety of distribution mechanisms to deliver the information stealing FormBook malware, including:\r\n\r\n PDFs with download links\r\n DOC and XLS files with malicious macros\r\n Archive files (ZIP, RAR, ACE, and ISOs) containing EXE payloads\r\n\r\nThe PDF and DOC/XLS campaigns primarily impacted the United States and the Archive campaigns largely impacted the Unites States and South Korea.",
|
||
|
"Tag": [
|
||
|
{
|
||
|
"colour": "#00223b",
|
||
|
"name": "osint:source-type=\"blog-post\""
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317625",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "59d7d733-a08c-48b4-8d9d-414102de0b81",
|
||
|
"value": "ce84640c3228925cc4815116dde968cb"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "- Xchecked via VT: ce84640c3228925cc4815116dde968cb",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317625",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "59d7d779-3220-4703-b1d2-43ee02de0b81",
|
||
|
"value": "6e4ec3712cf641a31f4e9e4af7d9d7a84fd7da4cc2875c6aceb9a283ed0330d7"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "- Xchecked via VT: ce84640c3228925cc4815116dde968cb",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317625",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "59d7d779-e69c-4ad9-bd22-479102de0b81",
|
||
|
"value": "524e1011c26b6bf7e23f5d107222397129f9893d"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "- Xchecked via VT: ce84640c3228925cc4815116dde968cb",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317625",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "59d7d779-5b08-4375-8c84-4b0202de0b81",
|
||
|
"value": "https://www.virustotal.com/file/6e4ec3712cf641a31f4e9e4af7d9d7a84fd7da4cc2875c6aceb9a283ed0330d7/analysis/1507239296/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317655",
|
||
|
"to_ids": true,
|
||
|
"type": "mutex",
|
||
|
"uuid": "59d7d797-55fc-4d13-968a-834402de0b81",
|
||
|
"value": "8-3503835SZBFHHZ"
|
||
|
},
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317679",
|
||
|
"to_ids": true,
|
||
|
"type": "mutex",
|
||
|
"uuid": "59d7d7af-587c-42e5-8e44-44ec02de0b81",
|
||
|
"value": "LL9PSC56RW7Bx3A5"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "The malware communicates with the following C2 server using HTTP requests:",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317723",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "59d7d7db-6e5c-4c22-a550-49d602de0b81",
|
||
|
"value": "www.clicks-track.info/list/hx28/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Shorted URLs",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317774",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "59d7d80e-4114-47b1-a1f7-4a6902de0b81",
|
||
|
"value": "tny.im/9TK"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Shorted URLs",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317774",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "59d7d80e-8414-436e-9f0d-488902de0b81",
|
||
|
"value": "tny.im/9Uw"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Shorted URLs",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317774",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "59d7d80e-5fc0-4cde-b9bf-46ca02de0b81",
|
||
|
"value": "tny.im/9G1"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Shorted URLs",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317774",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "59d7d80e-a25c-4707-b368-404b02de0b81",
|
||
|
"value": "tny.im/9Q6"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Shorted URLs",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317774",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "59d7d80e-eb38-4bb9-90b8-481d02de0b81",
|
||
|
"value": "tny.im/9H1"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Shorted URLs",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317774",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "59d7d80e-e1a8-4a93-b25e-4a2a02de0b81",
|
||
|
"value": "tny.im/9R7"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Shorted URLs",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317774",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "59d7d80e-f524-4012-a7ab-442002de0b81",
|
||
|
"value": "tny.im/9Tc"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Shorted URLs",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317774",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "59d7d80e-8a90-4b5e-a2a9-4e4f02de0b81",
|
||
|
"value": "tny.im/9RM"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Shorted URLs",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317774",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "59d7d80e-b044-4165-ad23-4ce502de0b81",
|
||
|
"value": "tny.im/9G0"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Shorted URLs",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317774",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "59d7d80e-1d74-467a-9c5a-491b02de0b81",
|
||
|
"value": "tny.im/9Oq"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Shorted URLs",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317774",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "59d7d80e-4774-4579-af6d-4cc002de0b81",
|
||
|
"value": "tny.im/9Oh"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Staging Servers (compromised hosts?)",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317807",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "59d7d82f-e4c8-4f47-90b4-402602de0b81",
|
||
|
"value": "maxsutton.co.uk"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Staging Servers (compromised hosts?)",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317807",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "59d7d82f-3690-4709-9103-4e2402de0b81",
|
||
|
"value": "solderie.dream3w.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Staging Servers (compromised hosts?)",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317807",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "59d7d82f-f10c-4393-a2ec-48b202de0b81",
|
||
|
"value": "lifekeeper.com.au"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Staging Servers (compromised hosts?)",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317807",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "59d7d82f-ddd0-4fb9-9ddf-4e0e02de0b81",
|
||
|
"value": "brinematriscript.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Staging Servers (compromised hosts?)",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1507317807",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "59d7d82f-d114-447f-82e3-4be102de0b81",
|
||
|
"value": "jaimagroup.com"
|
||
|
}
|
||
|
]
|
||
|
}
|
||
|
}
|