{ "Event": { "analysis": "2", "date": "2018-06-07", "extends_uuid": "", "info": "New Phishing Attacks Abuse Excel Internet Query Files", "publish_timestamp": "1528373882", "published": true, "threat_level_id": "2", "timestamp": "1528373863", "uuid": "5b191ead-fac0-4f21-aaef-b9700acd0835", "Orgc": { "name": "Synovus Financial", "uuid": "5a68c02d-959c-4c8a-a571-0dcac0a8060a" }, "Tag": [ { "colour": "#00b2d9", "local": false, "name": "veris:action:social:variety=\"Phishing\"", "relationship_type": "" }, { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#0eab00", "local": false, "name": "misp-galaxy:tool=\"Necurs\"", "relationship_type": "" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1528373863", "to_ids": true, "type": "md5", "uuid": "5b191ead-1204-434b-975c-b9700acd0835", "value": "08bb85f5bff52d2605ddd8a19a5465fd" }, { "category": "Network activity", "comment": "clodflarechk", "deleted": false, "disable_correlation": false, "timestamp": "1528373863", "to_ids": true, "type": "ip-dst", "uuid": "5b191ead-0c64-4e9e-8f04-b9700acd0835", "value": "85.119.150.29" }, { "category": "Payload delivery", "comment": "DomainTools Risk Score 100", "deleted": false, "disable_correlation": false, "timestamp": "1528373863", "to_ids": true, "type": "domain", "uuid": "5b191ead-3238-4a16-8029-b9700acd0835", "value": "clodflarechk.com" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1528373863", "to_ids": true, "type": "md5", "uuid": "5b191ead-500c-42f1-bea4-b9700acd0835", "value": "418aa2d43b1e4a841d4769463b12fa3b", "Tag": [ { "colour": "#00183c", "local": false, "name": "ms-caro-malware-full:malware-type=\"Trojan\"", "relationship_type": "" }, { "colour": "#0eab00", "local": false, "name": "misp-galaxy:tool=\"Necurs\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1528373863", "to_ids": true, "type": "md5", "uuid": "5b191ead-c060-48f7-8455-b9700acd0835", "value": "d2a63814440f8d054d78b03b48f7a3df", "Tag": [ { "colour": "#00a9cf", "local": false, "name": "veris:action:malware:variety=\"Downloader\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1528373863", "to_ids": true, "type": "md5", "uuid": "5b191ead-e354-4b19-ba79-b9700acd0835", "value": "3a86ffce06d029730ad89cb233079d64" }, { "category": "Payload delivery", "comment": "Once the victim double-clicks the attachment, it downloads a file named \"2.dat\" from clodflarechk[.]com. 2.dat is a Powershell script that downloads a file named \"1.dat\" from the same network resource.\n\n1.dat is another script file that downloads a file named \"data.xls\" from the same network resource. Although the extension is \".xls,\" it is not an Excel file but rather an executable file that functions as a malware downloader.\n\nOnce executed on the system, data.xls downloads a file named \"cloud.png\" from the same network resource. Cloud.png is not a graphic file as the extension suggests, but rather it is the main malware installed on the system. The main malware functions as a remote access Trojan (RAT) that gives attackers control of the compromised system.", "deleted": false, "disable_correlation": false, "timestamp": "1528373863", "to_ids": true, "type": "url", "uuid": "5b191ead-7e98-49b6-ae1c-b9700acd0835", "value": "http://clodflarechk.com/1.dat" }, { "category": "Payload delivery", "comment": "Once the victim double-clicks the attachment, it downloads a file named \"2.dat\" from clodflarechk[.]com. 2.dat is a Powershell script that downloads a file named \"1.dat\" from the same network resource.\n\n1.dat is another script file that downloads a file named \"data.xls\" from the same network resource. Although the extension is \".xls,\" it is not an Excel file but rather an executable file that functions as a malware downloader.\n\nOnce executed on the system, data.xls downloads a file named \"cloud.png\" from the same network resource. Cloud.png is not a graphic file as the extension suggests, but rather it is the main malware installed on the system. The main malware functions as a remote access Trojan (RAT) that gives attackers control of the compromised system.", "deleted": false, "disable_correlation": false, "timestamp": "1528373863", "to_ids": true, "type": "url", "uuid": "5b191ead-8dfc-4b2c-b6cc-b9700acd0835", "value": "http://clodflarechk.com/cloud.png" }, { "category": "Payload delivery", "comment": "Once the victim double-clicks the attachment, it downloads a file named \"2.dat\" from clodflarechk[.]com. 2.dat is a Powershell script that downloads a file named \"1.dat\" from the same network resource.\n\n1.dat is another script file that downloads a file named \"data.xls\" from the same network resource. Although the extension is \".xls,\" it is not an Excel file but rather an executable file that functions as a malware downloader.\n\nOnce executed on the system, data.xls downloads a file named \"cloud.png\" from the same network resource. Cloud.png is not a graphic file as the extension suggests, but rather it is the main malware installed on the system. The main malware functions as a remote access Trojan (RAT) that gives attackers control of the compromised system.", "deleted": false, "disable_correlation": false, "timestamp": "1528373863", "to_ids": true, "type": "url", "uuid": "5b191ead-90d0-429b-b96c-b9700acd0835", "value": "http://clodflarechk.com/2.dat" }, { "category": "Payload delivery", "comment": "Once the victim double-clicks the attachment, it downloads a file named \"2.dat\" from clodflarechk[.]com. 2.dat is a Powershell script that downloads a file named \"1.dat\" from the same network resource.\n\n1.dat is another script file that downloads a file named \"data.xls\" from the same network resource. Although the extension is \".xls,\" it is not an Excel file but rather an executable file that functions as a malware downloader.\n\nOnce executed on the system, data.xls downloads a file named \"cloud.png\" from the same network resource. Cloud.png is not a graphic file as the extension suggests, but rather it is the main malware installed on the system. The main malware functions as a remote access Trojan (RAT) that gives attackers control of the compromised system.", "deleted": false, "disable_correlation": false, "timestamp": "1528373863", "to_ids": true, "type": "url", "uuid": "5b191ead-ca94-45d9-8517-b9700acd0835", "value": "http://clodflarechk.com/data.xls" }, { "category": "Network activity", "comment": "clodflarechk", "deleted": false, "disable_correlation": false, "timestamp": "1528373863", "to_ids": true, "type": "ip-src", "uuid": "5b191ead-1230-4020-809a-b9700acd0835", "value": "103.208.86.69" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1528373863", "to_ids": true, "type": "md5", "uuid": "5b191ead-dfe4-4d54-8427-b9700acd0835", "value": "172bc98dbe0f6c4ac59857c071cd8673", "Tag": [ { "colour": "#00183c", "local": false, "name": "ms-caro-malware-full:malware-type=\"Trojan\"", "relationship_type": "" }, { "colour": "#0eab00", "local": false, "name": "misp-galaxy:tool=\"Necurs\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1528373863", "to_ids": false, "type": "link", "uuid": "5b191fd4-8598-4cf5-a279-b9700acd0835", "value": "https://myonlinesecurity.co.uk/necurs-delivering-flawed-ammy-rat-via-iqy-excel-web-query-files/" } ] } }