{
"type": "bundle",
"id": "bundle--58161e18-c578-479e-add4-408002de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-30T16:29:07.000Z",
"modified": "2016-10-30T16:29:07.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--58161e18-c578-479e-add4-408002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-30T16:29:07.000Z",
"modified": "2016-10-30T16:29:07.000Z",
"name": "OSINT - CloudFanta Malware Campaign Technical Analysis",
"context": "suspicious-activity",
"object_refs": [
"observed-data--58161ede-e344-41de-b9d2-42ae02de0b81",
"url--58161ede-e344-41de-b9d2-42ae02de0b81",
"x-misp-attribute--58161ef2-c9a8-4b13-8b3a-418c02de0b81",
"indicator--58161f12-58bc-4cfc-ac0d-4fe402de0b81",
"indicator--58161fc5-caa8-4cca-b4ec-4b6a02de0b81",
"indicator--58161fd3-0a2c-4da3-a026-4a1c02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58161ede-e344-41de-b9d2-42ae02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-30T16:25:02.000Z",
"modified": "2016-10-30T16:25:02.000Z",
"first_observed": "2016-10-30T16:25:02Z",
"last_observed": "2016-10-30T16:25:02Z",
"number_observed": 1,
"object_refs": [
"url--58161ede-e344-41de-b9d2-42ae02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58161ede-e344-41de-b9d2-42ae02de0b81",
"value": "https://resources.netskope.com/h/i/297473838-cloudfanta-malware-campaign-technical-analysis"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58161ef2-c9a8-4b13-8b3a-418c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-30T16:25:22.000Z",
"modified": "2016-10-30T16:25:22.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "We recently published an overview blog about the CloudFanta malware campaign, which uses the SugarSync cloud storage app to deliver malware capable of stealing user credentials and monitoring online banking activity. This blog details the technical aspects of CloudFanta.\r\n\r\nAlthough the CloudSquirrel and CloudFanta malware are not similar, we believe both campaigns are deployed by the same actor based on several similarities described in the linked Netskope analysis."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58161f12-58bc-4cfc-ac0d-4fe402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-30T16:25:54.000Z",
"modified": "2016-10-30T16:25:54.000Z",
"description": "The SugarSync URL observed delivering the CloudFanta malware payload (a direct-download link).",
"pattern": "[url:value = 'https://www.sugarsync.com/pf/D3202366_07280196_66523?directDownload=true']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-30T16:25:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58161fc5-caa8-4cca-b4ec-4b6a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-30T16:28:53.000Z",
"modified": "2016-10-30T16:28:53.000Z",
"pattern": "[url:value = 'http://192.95.39.246/xx/config/msg.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-30T16:28:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58161fd3-0a2c-4da3-a026-4a1c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-30T16:29:07.000Z",
"modified": "2016-10-30T16:29:07.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.95.39.246']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-30T16:29:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}