{
"type": "bundle",
"id": "bundle--58369d20-cb08-4d10-9e08-45e802de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-24T07:59:51.000Z",
"modified": "2016-11-24T07:59:51.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--58369d20-cb08-4d10-9e08-45e802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-24T07:59:51.000Z",
"modified": "2016-11-24T07:59:51.000Z",
"name": "OSINT - Fareit Spam: Rocking Out to a New File Type",
"published": "2016-11-24T08:01:01Z",
"object_refs": [
"observed-data--58369d2a-1dfc-49e1-a04d-470402de0b81",
"url--58369d2a-1dfc-49e1-a04d-470402de0b81",
"x-misp-attribute--58369d36-2bb0-40bf-88b2-4e1002de0b81",
"indicator--58369d62-76a0-4a70-a3f3-421402de0b81",
"indicator--58369d62-e900-4e1b-a80f-464a02de0b81",
"indicator--58369d63-7b50-41d2-8b2f-496102de0b81",
"indicator--58369d7f-42cc-4165-b820-4cb202de0b81",
"indicator--58369d90-97ac-4afa-83e9-45b202de0b81",
"indicator--58369df7-eb20-449b-8d49-4c8f02de0b81",
"indicator--58369df8-15a8-436f-a885-486b02de0b81",
"observed-data--58369df8-a440-4d9c-ad9c-46b102de0b81",
"url--58369df8-a440-4d9c-ad9c-46b102de0b81",
"indicator--58369df9-cd28-4ac4-96db-4d5d02de0b81",
"indicator--58369df9-487c-45a5-aa5d-445c02de0b81",
"observed-data--58369dfa-5d8c-44b0-803f-462602de0b81",
"url--58369dfa-5d8c-44b0-803f-462602de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\"",
"estimative-language:likelihood-probability=\"very-likely\"",
"misp-galaxy:tool=\"Fareit\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58369d2a-1dfc-49e1-a04d-470402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-24T07:56:26.000Z",
"modified": "2016-11-24T07:56:26.000Z",
"first_observed": "2016-11-24T07:56:26Z",
"last_observed": "2016-11-24T07:56:26Z",
"number_observed": 1,
"object_refs": [
"url--58369d2a-1dfc-49e1-a04d-470402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58369d2a-1dfc-49e1-a04d-470402de0b81",
"value": "http://blog.talosintel.com/2016/11/fareit-spam-mht.html?m=1"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58369d36-2bb0-40bf-88b2-4e1002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-24T07:56:38.000Z",
"modified": "2016-11-24T07:56:38.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Talos is constantly monitoring the threat landscape including the email threat landscape. Lately this landscape has been dominated with Locky distribution. During a recent Locky vacation Talos noticed an interesting shift in file types being used to distribute another well known malware family, Fareit.\r\n\r\nWe've discussed Fareit before, it's a trojan used to steal credentials and distribute multiple different types of malware. The focus of this post will not be on Fareit but on a new way attackers are working to distribute it via email. Locky has been a case study in how to leverage different file extensions in email to distribute malware. The use of various file types such as .js, .wsf, and .hta have been used quite successfully for Locky. We've already noted other threats making use of .js for distribution largely due to Locky's success. Recently we observed another uncommon file type associated with email and decided to dig a little further on the infection chain."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58369d62-76a0-4a70-a3f3-421402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-24T07:57:22.000Z",
"modified": "2016-11-24T07:57:22.000Z",
"description": "File.hta",
"pattern": "[file:hashes.SHA256 = 'a95a01472fdb42a123e1beb6332cb42c9372fdfe33066b94a7cabdac3d78efe1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-24T07:57:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58369d62-e900-4e1b-a80f-464a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-24T07:57:22.000Z",
"modified": "2016-11-24T07:57:22.000Z",
"description": "j.exe",
"pattern": "[file:hashes.SHA256 = '27689bcbab872e321f4c9f9b5b01a6c7e1eca0ee7442afc80c5af48e62d3c5f3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-24T07:57:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58369d63-7b50-41d2-8b2f-496102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-24T07:57:23.000Z",
"modified": "2016-11-24T07:57:23.000Z",
"description": ".mht File",
"pattern": "[file:hashes.SHA256 = 'd60bb9655a98b4fdb712162c75298ab6364951b1fc085131607f5073857b0ddc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-24T07:57:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58369d7f-42cc-4165-b820-4cb202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-24T07:57:51.000Z",
"modified": "2016-11-24T07:57:51.000Z",
"description": "C2 Domain",
"pattern": "[domain-name:value = 'jerryotis.pw']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-24T07:57:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58369d90-97ac-4afa-83e9-45b202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-24T07:58:08.000Z",
"modified": "2016-11-24T07:58:08.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.117.75.186']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-24T07:58:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58369df7-eb20-449b-8d49-4c8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-24T07:59:51.000Z",
"modified": "2016-11-24T07:59:51.000Z",
"description": "j.exe - Xchecked via VT: 27689bcbab872e321f4c9f9b5b01a6c7e1eca0ee7442afc80c5af48e62d3c5f3",
"pattern": "[file:hashes.SHA1 = '941694ae0920c07c7c2aab9fe0e7efe5f6067635']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-24T07:59:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58369df8-15a8-436f-a885-486b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-24T07:59:52.000Z",
"modified": "2016-11-24T07:59:52.000Z",
"description": "j.exe - Xchecked via VT: 27689bcbab872e321f4c9f9b5b01a6c7e1eca0ee7442afc80c5af48e62d3c5f3",
"pattern": "[file:hashes.MD5 = '54e6e98e527f1befb5b530b571ecbd43']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-24T07:59:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58369df8-a440-4d9c-ad9c-46b102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-24T07:59:52.000Z",
"modified": "2016-11-24T07:59:52.000Z",
"first_observed": "2016-11-24T07:59:52Z",
"last_observed": "2016-11-24T07:59:52Z",
"number_observed": 1,
"object_refs": [
"url--58369df8-a440-4d9c-ad9c-46b102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58369df8-a440-4d9c-ad9c-46b102de0b81",
"value": "https://www.virustotal.com/file/27689bcbab872e321f4c9f9b5b01a6c7e1eca0ee7442afc80c5af48e62d3c5f3/analysis/1479749349/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58369df9-cd28-4ac4-96db-4d5d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-24T07:59:53.000Z",
"modified": "2016-11-24T07:59:53.000Z",
"description": "File.hta - Xchecked via VT: a95a01472fdb42a123e1beb6332cb42c9372fdfe33066b94a7cabdac3d78efe1",
"pattern": "[file:hashes.SHA1 = 'f3eb6a3661f04325ac0504a9cc586fcb62743f02']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-24T07:59:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58369df9-487c-45a5-aa5d-445c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-24T07:59:53.000Z",
"modified": "2016-11-24T07:59:53.000Z",
"description": "File.hta - Xchecked via VT: a95a01472fdb42a123e1beb6332cb42c9372fdfe33066b94a7cabdac3d78efe1",
"pattern": "[file:hashes.MD5 = '3ab8351b8a0a26718a91652463ee1484']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-24T07:59:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58369dfa-5d8c-44b0-803f-462602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-24T07:59:54.000Z",
"modified": "2016-11-24T07:59:54.000Z",
"first_observed": "2016-11-24T07:59:54Z",
"last_observed": "2016-11-24T07:59:54Z",
"number_observed": 1,
"object_refs": [
"url--58369dfa-5d8c-44b0-803f-462602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58369dfa-5d8c-44b0-803f-462602de0b81",
"value": "https://www.virustotal.com/file/a95a01472fdb42a123e1beb6332cb42c9372fdfe33066b94a7cabdac3d78efe1/analysis/1479873331/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}