{ "Event": { "analysis": "2", "date": "2017-04-08", "extends_uuid": "", "info": "OSINT - Analysis of Malware in Brazilian Bank Attack Reveals Prolonged Campaign", "publish_timestamp": "1491666071", "published": true, "threat_level_id": "3", "timestamp": "1491665928", "uuid": "58e902cd-dae8-49b9-882b-186c02de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#6bd600", "local": false, "name": "circl:topic=\"finance\"", "relationship_type": "" }, { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#14ff00", "local": false, "name": "admiralty-scale:information-credibility=\"6\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1491665928", "to_ids": false, "type": "link", "uuid": "58e902e7-686c-44a9-a6c6-46d302de0b81", "value": "https://blog.cyber4sight.com/2017/04/analysis-of-malware-in-brazilian-bank-attack-reveals-prolonged-campaign/", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#001899", "local": false, "name": "estimative-language:likelihood-probability=\"likely\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1491665928", "to_ids": false, "type": "text", "uuid": "58e902fa-2778-4a63-a261-428802de0b81", "value": "During a security conference held on 4 April 2017, Kaspersky Lab revealed details of an attack in which attackers took control of dozens of domains owned by a Brazilian bank and leveraged this access to deliver malware and phishing pages to users. Our identification and analysis of the malware used in this campaign determined that it is a Java-based downloader that acquires and extracts a zip file from an IP address under the control of the attackers.\r\n\r\nThis zip contains several additional files, including a legitimate rootkit removal executable, a malicious DLL file, a text file used by the rootkit removal tool to delete antivirus programs, and a batch file used to leverage these files to install the malicious payload. Through further research, Cyber4Sight determined that this infection method dates back to at least 2009, but shared tools, techniques, and procedures (TTP) identified in other public sandbox reports suggest that the actor responsible for this attack likely continued their operations through April of this year.", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#001899", "local": false, "name": "estimative-language:likelihood-probability=\"likely\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Atualizar.jar\tFirst submitted to VirusTotal 22 October 2016.", "deleted": false, "disable_correlation": false, "timestamp": "1491665928", "to_ids": true, "type": "md5", "uuid": "58e903ac-8d0c-47a8-8958-4e7b02de0b81", "value": "95980f46ce76d862029b45908476532d" }, { "category": "Payload delivery", "comment": "fatura11.vbs\t191.101.230.149 162.222.177.155 191.101.230.149\tFirst submitted to VirusTotal 22 December 2016. Second and third IP address comment out as a backup. Delivered via Dropbox links and from 181.215.114.231.", "deleted": false, "disable_correlation": false, "timestamp": "1491665928", "to_ids": true, "type": "md5", "uuid": "58e903ad-a7c0-4abe-8bd8-453b02de0b81", "value": "cdd5f47935a2a45afff20b222124177d" }, { "category": "Payload delivery", "comment": "191.101.237.196\tDelivered via Dropbox links and from 181.215.114.231.", "deleted": false, "disable_correlation": false, "timestamp": "1491665928", "to_ids": true, "type": "md5", "uuid": "58e903af-6394-4f04-9733-404302de0b81", "value": "722050c1b3f110c0ac9f80bc80723407" }, { "category": "Payload delivery", "comment": "f893nuf9sdyfewnI98SDAJN787DHH.zip\t181.215.97.223 162.222.177.155191.101.159.215208.113.128.118\tFirst submitted to VirusTotal 12 January 2017. Delivered via Bit.ly link. Additional IP addresses are commented out backups.", "deleted": false, "disable_correlation": false, "timestamp": "1491665928", "to_ids": true, "type": "md5", "uuid": "58e903b0-c870-43b3-ac58-482902de0b81", "value": "907466374f7ef3787e4b8f8232a9c52e" }, { "category": "Payload delivery", "comment": "Planilha SAQUE FGTS INATIVO5.zip\t107.178.111.39\tFirst submitted 4 April 2017.Delivered via Bit.ly link.", "deleted": false, "disable_correlation": false, "timestamp": "1491665928", "to_ids": true, "type": "md5", "uuid": "58e903b1-b8dc-4c58-9323-458302de0b81", "value": "74dee72c97399c308863a4cba5689f87" }, { "category": "Payload delivery", "comment": "Nota-Fiscal-abril.2017.jar\t185.141.164.210\tUnknown delivery mechanism", "deleted": false, "disable_correlation": false, "timestamp": "1491665928", "to_ids": true, "type": "md5", "uuid": "58e903b2-5110-43ca-839b-48a202de0b81", "value": "28ef8b976f7c076b1651d57f30bbacee" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1491665928", "to_ids": true, "type": "ip-dst", "uuid": "58e903d1-e914-495a-b29b-186802de0b81", "value": "191.101.232.182" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1491665928", "to_ids": true, "type": "ip-dst", "uuid": "58e903d2-ddac-48a3-b609-186802de0b81", "value": "191.101.230.149" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1491665928", "to_ids": true, "type": "ip-dst", "uuid": "58e903d3-d7e8-42d2-a77c-186802de0b81", "value": "162.222.177.155" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1491665928", "to_ids": true, "type": "ip-dst", "uuid": "58e903d4-fce4-4cf8-aaca-186802de0b81", "value": "191.101.237.196" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1491665928", "to_ids": true, "type": "ip-dst", "uuid": "58e903d5-d904-4f2a-9b5b-186802de0b81", "value": "181.215.97.223" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1491665928", "to_ids": true, "type": "ip-dst", "uuid": "58e903d6-7f34-4a11-864e-186802de0b81", "value": "191.101.159.215" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1491665928", "to_ids": true, "type": "ip-dst", "uuid": "58e903d7-b490-43ab-887b-186802de0b81", "value": "208.113.128.118" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1491665928", "to_ids": true, "type": "ip-dst", "uuid": "58e903d8-c32c-4310-b275-186802de0b81", "value": "107.178.111.39" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1491665928", "to_ids": true, "type": "ip-dst", "uuid": "58e903d9-2da8-4c77-88d8-186802de0b81", "value": "185.141.164.210" }, { "category": "Targeting data", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1491665928", "to_ids": false, "type": "target-location", "uuid": "58e903e9-6da0-4b79-8e52-186c02de0b81", "value": "BR" }, { "category": "Payload delivery", "comment": "Nota-Fiscal-abril.2017.jar\t185.141.164.210\tUnknown delivery mechanism - Xchecked via VT: 28ef8b976f7c076b1651d57f30bbacee", "deleted": false, "disable_correlation": false, "timestamp": "1491665948", "to_ids": true, "type": "sha256", "uuid": "58e9041c-9d0c-4c2f-8c3b-483602de0b81", "value": "bd61be5ad60f2b1af3dea88493107868d507c7671c17c3faf61df22b0e0e3d77" }, { "category": "Payload delivery", "comment": "Nota-Fiscal-abril.2017.jar\t185.141.164.210\tUnknown delivery mechanism - Xchecked via VT: 28ef8b976f7c076b1651d57f30bbacee", "deleted": false, "disable_correlation": false, "timestamp": "1491665949", "to_ids": true, "type": "sha1", "uuid": "58e9041d-9244-4755-ba63-4f3002de0b81", "value": "3c7a86e7194c2d5d2ce89912720fb8091e187066" }, { "category": "External analysis", "comment": "Nota-Fiscal-abril.2017.jar\t185.141.164.210\tUnknown delivery mechanism - Xchecked via VT: 28ef8b976f7c076b1651d57f30bbacee", "deleted": false, "disable_correlation": false, "timestamp": "1491665950", "to_ids": false, "type": "link", "uuid": "58e9041e-89f0-4f32-b2fa-450d02de0b81", "value": "https://www.virustotal.com/file/bd61be5ad60f2b1af3dea88493107868d507c7671c17c3faf61df22b0e0e3d77/analysis/1491468051/" }, { "category": "Payload delivery", "comment": "Planilha SAQUE FGTS INATIVO5.zip\t107.178.111.39\tFirst submitted 4 April 2017.Delivered via Bit.ly link. - Xchecked via VT: 74dee72c97399c308863a4cba5689f87", "deleted": false, "disable_correlation": false, "timestamp": "1491665951", "to_ids": true, "type": "sha256", "uuid": "58e9041f-8f8c-44b7-82bd-46ef02de0b81", "value": "44aa0025d46e9ddf5a56914115e5ebd59bd825556e42644c382c06fb1c81fdb2" }, { "category": "Payload delivery", "comment": "Planilha SAQUE FGTS INATIVO5.zip\t107.178.111.39\tFirst submitted 4 April 2017.Delivered via Bit.ly link. - Xchecked via VT: 74dee72c97399c308863a4cba5689f87", "deleted": false, "disable_correlation": false, "timestamp": "1491665952", "to_ids": true, "type": "sha1", "uuid": "58e90420-5e58-4ce0-a5a2-426202de0b81", "value": "62f37b93270b424b7bda905f0b8b4bd5057751c2" }, { "category": "External analysis", "comment": "Planilha SAQUE FGTS INATIVO5.zip\t107.178.111.39\tFirst submitted 4 April 2017.Delivered via Bit.ly link. - Xchecked via VT: 74dee72c97399c308863a4cba5689f87", "deleted": false, "disable_correlation": false, "timestamp": "1491665953", "to_ids": false, "type": "link", "uuid": "58e90421-9330-4368-b0b1-47c002de0b81", "value": "https://www.virustotal.com/file/44aa0025d46e9ddf5a56914115e5ebd59bd825556e42644c382c06fb1c81fdb2/analysis/1491375986/" }, { "category": "Payload delivery", "comment": "f893nuf9sdyfewnI98SDAJN787DHH.zip\t181.215.97.223 162.222.177.155191.101.159.215208.113.128.118\tFirst submitted to VirusTotal 12 January 2017. Delivered via Bit.ly link. Additional IP addresses are commented out backups. - Xchecked via VT: 907466374f7ef3787e4b8f8232a9c52e", "deleted": false, "disable_correlation": false, "timestamp": "1491665954", "to_ids": true, "type": "sha256", "uuid": "58e90422-95bc-46fc-9768-491902de0b81", "value": "f808b3f0ebc605e9c73d579997b2b1b8bfbed78656ba4f6e96d6daac028a7427" }, { "category": "Payload delivery", "comment": "f893nuf9sdyfewnI98SDAJN787DHH.zip\t181.215.97.223 162.222.177.155191.101.159.215208.113.128.118\tFirst submitted to VirusTotal 12 January 2017. Delivered via Bit.ly link. Additional IP addresses are commented out backups. - Xchecked via VT: 907466374f7ef3787e4b8f8232a9c52e", "deleted": false, "disable_correlation": false, "timestamp": "1491665956", "to_ids": true, "type": "sha1", "uuid": "58e90424-3f58-4f7e-96c4-4a6302de0b81", "value": "cc655b747087cc161ceafee69f001cad650bbd96" }, { "category": "External analysis", "comment": "f893nuf9sdyfewnI98SDAJN787DHH.zip\t181.215.97.223 162.222.177.155191.101.159.215208.113.128.118\tFirst submitted to VirusTotal 12 January 2017. Delivered via Bit.ly link. Additional IP addresses are commented out backups. - Xchecked via VT: 907466374f7ef3787e4b8f8232a9c52e", "deleted": false, "disable_correlation": false, "timestamp": "1491665957", "to_ids": false, "type": "link", "uuid": "58e90425-6ea0-4ba7-baeb-482102de0b81", "value": "https://www.virustotal.com/file/f808b3f0ebc605e9c73d579997b2b1b8bfbed78656ba4f6e96d6daac028a7427/analysis/1491592255/" }, { "category": "Payload delivery", "comment": "191.101.237.196\tDelivered via Dropbox links and from 181.215.114.231. - Xchecked via VT: 722050c1b3f110c0ac9f80bc80723407", "deleted": false, "disable_correlation": false, "timestamp": "1491665958", "to_ids": true, "type": "sha256", "uuid": "58e90426-5768-426d-8ee6-468302de0b81", "value": "32153446ba27778f4731c9acbba3df6e66071a49d12f4079c5f1b29097f790a4" }, { "category": "Payload delivery", "comment": "191.101.237.196\tDelivered via Dropbox links and from 181.215.114.231. - Xchecked via VT: 722050c1b3f110c0ac9f80bc80723407", "deleted": false, "disable_correlation": false, "timestamp": "1491665959", "to_ids": true, "type": "sha1", "uuid": "58e90427-6020-41a8-b8e5-4cd402de0b81", "value": "8764a362913f379a844dab0fb49b51b526ac2fe1" }, { "category": "External analysis", "comment": "191.101.237.196\tDelivered via Dropbox links and from 181.215.114.231. - Xchecked via VT: 722050c1b3f110c0ac9f80bc80723407", "deleted": false, "disable_correlation": false, "timestamp": "1491665959", "to_ids": false, "type": "link", "uuid": "58e90427-fd3c-4710-b14e-480d02de0b81", "value": "https://www.virustotal.com/file/32153446ba27778f4731c9acbba3df6e66071a49d12f4079c5f1b29097f790a4/analysis/1482681227/" }, { "category": "Payload delivery", "comment": "fatura11.vbs\t191.101.230.149 162.222.177.155 191.101.230.149\tFirst submitted to VirusTotal 22 December 2016. Second and third IP address comment out as a backup. Delivered via Dropbox links and from 181.215.114.231. - Xchecked via VT: cdd5f47935a2a45afff20b222124177d", "deleted": false, "disable_correlation": false, "timestamp": "1491665960", "to_ids": true, "type": "sha256", "uuid": "58e90428-e7bc-48df-92d5-4e7a02de0b81", "value": "f7c50c386c0800781258809f01a2fde67bb5896282178e400b78cb0b21bb1247" }, { "category": "Payload delivery", "comment": "fatura11.vbs\t191.101.230.149 162.222.177.155 191.101.230.149\tFirst submitted to VirusTotal 22 December 2016. Second and third IP address comment out as a backup. Delivered via Dropbox links and from 181.215.114.231. - Xchecked via VT: cdd5f47935a2a45afff20b222124177d", "deleted": false, "disable_correlation": false, "timestamp": "1491665961", "to_ids": true, "type": "sha1", "uuid": "58e90429-2798-4faa-b1a9-4c5f02de0b81", "value": "f6d4c612acd7e1864b7ae3490fcc4f962d6ff8e3" }, { "category": "External analysis", "comment": "fatura11.vbs\t191.101.230.149 162.222.177.155 191.101.230.149\tFirst submitted to VirusTotal 22 December 2016. Second and third IP address comment out as a backup. Delivered via Dropbox links and from 181.215.114.231. - Xchecked via VT: cdd5f47935a2a45afff20b222124177d", "deleted": false, "disable_correlation": false, "timestamp": "1491665962", "to_ids": false, "type": "link", "uuid": "58e9042a-7cc4-4d68-97db-406c02de0b81", "value": "https://www.virustotal.com/file/f7c50c386c0800781258809f01a2fde67bb5896282178e400b78cb0b21bb1247/analysis/1491592256/" }, { "category": "Payload delivery", "comment": "Atualizar.jar\tFirst submitted to VirusTotal 22 October 2016. - Xchecked via VT: 95980f46ce76d862029b45908476532d", "deleted": false, "disable_correlation": false, "timestamp": "1491665963", "to_ids": true, "type": "sha256", "uuid": "58e9042b-53a4-4e0c-85a2-4b2c02de0b81", "value": "cd73460714bf2dc2326b3eef53d707b00ad64131a529ed27b2ba07362799a7dc" }, { "category": "Payload delivery", "comment": "Atualizar.jar\tFirst submitted to VirusTotal 22 October 2016. - Xchecked via VT: 95980f46ce76d862029b45908476532d", "deleted": false, "disable_correlation": false, "timestamp": "1491665964", "to_ids": true, "type": "sha1", "uuid": "58e9042c-91ac-4cb5-8f81-4b1602de0b81", "value": "5b70fca8c5f6e312f9633cb9eeea10bfd3384f86" }, { "category": "External analysis", "comment": "Atualizar.jar\tFirst submitted to VirusTotal 22 October 2016. - Xchecked via VT: 95980f46ce76d862029b45908476532d", "deleted": false, "disable_correlation": false, "timestamp": "1491665965", "to_ids": false, "type": "link", "uuid": "58e9042d-8c2c-4831-b31d-4b2602de0b81", "value": "https://www.virustotal.com/file/cd73460714bf2dc2326b3eef53d707b00ad64131a529ed27b2ba07362799a7dc/analysis/1477399542/" } ] } }