{ "type": "bundle", "id": "bundle--5b1e2aab-9e84-4908-9db2-4bb8950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-13T07:29:13.000Z", "modified": "2018-06-13T07:29:13.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5b1e2aab-9e84-4908-9db2-4bb8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-13T07:29:13.000Z", "modified": "2018-06-13T07:29:13.000Z", "name": "OSINT - Goodfellas, the Brazilian carding scene is after you", "published": "2018-06-13T15:40:52Z", "object_refs": [ "observed-data--5b1e2b05-0db8-4b98-b0c7-41d7950d210f", "url--5b1e2b05-0db8-4b98-b0c7-41d7950d210f", "x-misp-attribute--5b1e2b50-9cc0-4415-876b-4a99950d210f", "indicator--5b1e2bbb-576c-482a-b05c-41ef950d210f", "indicator--5b1e2c0a-c3fc-406b-8feb-4b6e950d210f", "indicator--5b1e2d11-43cc-4383-bb6d-41b5950d210f", "indicator--5b1e324a-724c-4fb6-a9cb-4b4a950d210f", "indicator--5b1e3263-e11c-42cf-b81e-4757950d210f", "x-misp-object--11027696-51a5-490c-8a4f-473fd0489c29", "x-misp-object--50c83155-900b-441a-83d6-2a391a274548", "x-misp-object--5b136ef2-fa8b-46dc-b170-42ff816d565b", "x-misp-object--aa90e50e-5831-4a40-90ff-abe012c776d8", "x-misp-object--dda87322-1b8c-4646-bc31-7a076d5bc6b4", "x-misp-object--25746874-1cb9-4718-ba55-35a0bd263c31", "x-misp-object--7abef902-1194-4ec5-a86e-c8d67e3d6b4f", "x-misp-object--205f50f6-77e7-43ac-a764-d13afc79e6b8", "x-misp-object--d7dd0509-3912-4c63-846b-2d8511faaffd", "x-misp-object--4a34ea3f-eb37-49e5-a937-c0fc11a122e9", "relationship--18e083b4-14a0-4658-8d10-ee5c0f49a81f", "relationship--aa832e09-6bb1-4039-b13b-b4095b2f07b6", "relationship--6fc65c87-076c-4f93-9386-05cafc3e3830", "relationship--07557186-5975-46ac-8aa7-839bfe4898c9", "relationship--14618d14-193e-420c-9449-af1ef247192a" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", 
"misp-galaxy:tool=\"PRILEX\"", "circl:incident-classification=\"malware\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5b1e2b05-0db8-4b98-b0c7-41d7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-11T07:57:17.000Z", "modified": "2018-06-11T07:57:17.000Z", "first_observed": "2018-06-11T07:57:17Z", "last_observed": "2018-06-11T07:57:17Z", "number_observed": 1, "object_refs": [ "url--5b1e2b05-0db8-4b98-b0c7-41d7950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5b1e2b05-0db8-4b98-b0c7-41d7950d210f", "value": "https://securelist.com/goodfellas-the-brazilian-carding-scene-is-after-you/84263/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5b1e2b50-9cc0-4415-876b-4a99950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-11T07:57:10.000Z", "modified": "2018-06-11T07:57:10.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "There are three ways of doing things in the malware business: the right way, the wrong way and the way Brazilians do it. From the early beginnings, using skimmers on ATMs, compromising point of sales systems, or even modifying the hardware of processing devices, Latin America has been a fertile ground for collecting credit and debit cards en masse.\r\n\r\nBrazil started the migration to EMV cards in 1999 and nowadays almost all cards issued in the country are chip-enabled. 
A small Java-based application lives inside this chip and can be easily manipulated in order to create a \u201cgolden ticket\u201d card that will be valid in most (if not all) point of sale systems. Having this knowledge has enabled the criminals to update their activities, allowing them to create their own cards featuring this new technology and keeping them \u201cin the business.\u201d\r\n\r\nEnter the world of Brazilian malware development, incorporating every trick in the book and adding a custom made malware that can easily collect data from chip and PIN protected cards; all while offering a nicely designed interface for administering the ill-gotten information, validating numbers, and offering their \u201ccustomers\u201d an easy to use package to burn their cloned card." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b1e2bbb-576c-482a-b05c-41ef950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-11T07:58:51.000Z", "modified": "2018-06-11T07:58:51.000Z", "description": "Trojan.Win32.Prilex.b", "pattern": "[file:hashes.MD5 = '7ab092ea240430f45264b5dcbd350156' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-11T07:58:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b1e2c0a-c3fc-406b-8feb-4b6e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-11T08:00:10.000Z", "modified": "2018-06-11T08:00:10.000Z", "description": "Trojan.Win32.Prilex.c", "pattern": "[file:hashes.MD5 = '34fb450417471eba939057e903b25523' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": 
"2018-06-11T08:00:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b1e2d11-43cc-4383-bb6d-41b5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-11T08:04:33.000Z", "modified": "2018-06-11T08:04:33.000Z", "description": "Trojan.Win32.Prilex.h ", "pattern": "[file:hashes.MD5 = '26dcd3aa4918d4b7438e8c0ebd9e1cfd' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-11T08:04:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b1e324a-724c-4fb6-a9cb-4b4a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-11T08:26:50.000Z", "modified": "2018-06-11T08:26:50.000Z", "description": "Trojan.Win32.Prilex.f", "pattern": "[file:hashes.MD5 = 'f5ff2992bdb1979642599ee54cfbc3d3' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-11T08:26:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b1e3263-e11c-42cf-b81e-4757950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-11T08:27:15.000Z", "modified": "2018-06-11T08:27:15.000Z", "description": "Trojan.Win32.Prilex.m ", "pattern": "[file:hashes.MD5 = '7ae9043778fee965af4f8b66721bdfab' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": 
"2018-06-11T08:27:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--11027696-51a5-490c-8a4f-473fd0489c29", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-13T07:28:15.000Z", "modified": "2018-06-13T07:28:15.000Z", "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"" ], "x_misp_meta_category": "file", "x_misp_name": "file" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--50c83155-900b-441a-83d6-2a391a274548", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-13T07:28:14.000Z", "modified": "2018-06-13T07:28:14.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5b136ef2-fa8b-46dc-b170-42ff816d565b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-13T07:28:18.000Z", "modified": "2018-06-13T07:28:18.000Z", "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"" ], "x_misp_meta_category": "file", "x_misp_name": "file" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--aa90e50e-5831-4a40-90ff-abe012c776d8", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-13T07:28:16.000Z", "modified": "2018-06-13T07:28:16.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--dda87322-1b8c-4646-bc31-7a076d5bc6b4", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2018-06-13T07:28:20.000Z", "modified": "2018-06-13T07:28:20.000Z", "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"" ], "x_misp_meta_category": "file", "x_misp_name": "file" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--25746874-1cb9-4718-ba55-35a0bd263c31", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-13T07:28:19.000Z", "modified": "2018-06-13T07:28:19.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--7abef902-1194-4ec5-a86e-c8d67e3d6b4f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-13T07:28:22.000Z", "modified": "2018-06-13T07:28:22.000Z", "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"" ], "x_misp_meta_category": "file", "x_misp_name": "file" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--205f50f6-77e7-43ac-a764-d13afc79e6b8", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-13T07:28:21.000Z", "modified": "2018-06-13T07:28:21.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--d7dd0509-3912-4c63-846b-2d8511faaffd", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-13T07:28:25.000Z", "modified": "2018-06-13T07:28:25.000Z", "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"" ], "x_misp_meta_category": "file", "x_misp_name": "file" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--4a34ea3f-eb37-49e5-a937-c0fc11a122e9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-13T07:28:23.000Z", 
"modified": "2018-06-13T07:28:23.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--18e083b4-14a0-4658-8d10-ee5c0f49a81f", "created": "2018-06-13T07:28:24.000Z", "modified": "2018-06-13T07:28:24.000Z", "relationship_type": "analysed-with", "source_ref": "x-misp-object--11027696-51a5-490c-8a4f-473fd0489c29", "target_ref": "x-misp-object--50c83155-900b-441a-83d6-2a391a274548" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--aa832e09-6bb1-4039-b13b-b4095b2f07b6", "created": "2018-06-13T07:28:25.000Z", "modified": "2018-06-13T07:28:25.000Z", "relationship_type": "analysed-with", "source_ref": "x-misp-object--5b136ef2-fa8b-46dc-b170-42ff816d565b", "target_ref": "x-misp-object--aa90e50e-5831-4a40-90ff-abe012c776d8" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6fc65c87-076c-4f93-9386-05cafc3e3830", "created": "2018-06-13T07:28:25.000Z", "modified": "2018-06-13T07:28:25.000Z", "relationship_type": "analysed-with", "source_ref": "x-misp-object--dda87322-1b8c-4646-bc31-7a076d5bc6b4", "target_ref": "x-misp-object--25746874-1cb9-4718-ba55-35a0bd263c31" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--07557186-5975-46ac-8aa7-839bfe4898c9", "created": "2018-06-13T07:28:25.000Z", "modified": "2018-06-13T07:28:25.000Z", "relationship_type": "analysed-with", "source_ref": "x-misp-object--7abef902-1194-4ec5-a86e-c8d67e3d6b4f", "target_ref": "x-misp-object--205f50f6-77e7-43ac-a764-d13afc79e6b8" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--14618d14-193e-420c-9449-af1ef247192a", "created": "2018-06-13T07:28:25.000Z", "modified": "2018-06-13T07:28:25.000Z", "relationship_type": "analysed-with", "source_ref": "x-misp-object--d7dd0509-3912-4c63-846b-2d8511faaffd", "target_ref": 
"x-misp-object--4a34ea3f-eb37-49e5-a937-c0fc11a122e9" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }