{ "Event": { "analysis": "2", "date": "2019-04-22", "extends_uuid": "", "info": "OSINT - CARBANAK Week - Fire Eye", "publish_timestamp": "1557314563", "published": true, "threat_level_id": "3", "timestamp": "1557308326", "uuid": "5cd14624-0b24-4386-85f5-4e5e950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:malpedia=\"Carbanak\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Carbanak - G0008\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-malware=\"Carbanak - S0030\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-relationship=\"FIN7 uses Carbanak\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-intrusion-set=\"Carbanak - G0008\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-malware=\"Carbanak - S0030\"", "relationship_type": "" }, { "colour": "#12e400", "local": "0", "name": "misp-galaxy:threat-actor=\"Anunak\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN7 - G0046\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-intrusion-set=\"FIN7\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-intrusion-set=\"FIN7 - G0046\"", "relationship_type": "" }, { "colour": "#00b3b3", "local": "0", "name": "ecsirt:intrusions=\"backdoor\"", "relationship_type": "" }, { "colour": "#00a9ce", "local": "0", "name": "veris:action:malware:variety=\"Backdoor\"", "relationship_type": "" }, { "colour": "#2c0037", "local": "0", "name": "ms-caro-malware:malware-type=\"Backdoor\"", "relationship_type": "" }, { "colour": "#001534", "local": "0", "name": "ms-caro-malware-full:malware-type=\"Backdoor\"", "relationship_type": "" }, { "colour": "#3b7500", "local": "0", "name": "circl:incident-classification=\"malware\"", "relationship_type": "" }, { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1557218891", "to_ids": false, "type": "link", "uuid": "5cd1464b-5c38-40b2-bab2-44a3950d210f", "value": "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1557218891", "to_ids": false, "type": "link", "uuid": "5cd1464b-f590-4342-96f5-4204950d210f", "value": "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1557218891", "to_ids": false, "type": "link", "uuid": "5cd1464b-6008-4101-a704-4016950d210f", "value": "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1557218891", "to_ids": false, "type": "link", "uuid": "5cd1464b-b6f8-4ea7-bf52-4cc2950d210f", "value": "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html" }, { "category": "Network activity", "comment": "Status: Commented out - Threat Group Association: Earlier CARBANAK activity", "deleted": false, "disable_correlation": false, "timestamp": "1557236282", "to_ids": true, "type": "domain", "uuid": "5cd18a3a-c808-4674-8acc-41f8950d210f", "value": "comixed.org" }, { "category": "Network activity", "comment": "Status: Commented out - Threat Group Association: Earlier CARBANAK activity", "deleted": false, "disable_correlation": false, "timestamp": "1557236282", "to_ids": true, "type": "ip-dst", "uuid": "5cd18a3a-3210-4ab0-9d58-4e65950d210f", "value": "194.146.180.40" }, { "category": "Network activity", "comment": "Status: Active", "deleted": false, "disable_correlation": false, "timestamp": "1557236282", "to_ids": true, "type": "domain", "uuid": "5cd18a3a-9b74-4426-838f-44e7950d210f", "value": "aaaabbbbccccc.org" }, { "category": "Network activity", "comment": "Status: Commented out - Threat Group Association: FIN7", "deleted": false, "disable_correlation": false, "timestamp": "1557236282", "to_ids": true, "type": "domain", "uuid": "5cd18a3a-8f68-448a-83bf-40c8950d210f", "value": "stats10-google.com" }, { "category": "Network activity", "comment": "Status: Commented out", "deleted": false, "disable_correlation": false, "timestamp": "1557236282", "to_ids": true, "type": "ip-dst", "uuid": "5cd18a3a-6860-4dc8-a3f9-42c3950d210f", "value": "85.25.84.223" }, { "category": "Network activity", "comment": "Status: Active", "deleted": false, "disable_correlation": false, "timestamp": "1557236282", "to_ids": true, "type": "domain", "uuid": "5cd18a3a-8a48-4dbf-886f-4ee9950d210f", "value": "qwqreererwere.com" }, { "category": "Network activity", "comment": "Status: Commented out - Threat Group Association: Earlier CARBANAK activity", "deleted": false, "disable_correlation": false, "timestamp": "1557236282", "to_ids": true, "type": "domain", "uuid": "5cd18a3a-e23c-4ee0-b712-465d950d210f", "value": "akamai-technologies.org" }, { "category": "Network activity", "comment": "Status: Compiled", "deleted": false, "disable_correlation": false, "timestamp": "1557236282", "to_ids": true, "type": "domain", "uuid": "5cd18a3a-78d4-45fd-b116-411e950d210f", "value": "hhklhlkhkjhjkjk.org" }, { "category": "Network activity", "comment": "Status: Compiled - Threat Group Association: DNS infrastructure overlap with later FIN7 associated POWERSOURCE activity", "deleted": false, "disable_correlation": false, "timestamp": "1557236282", "to_ids": true, "type": "hostname", "uuid": "5cd18a3a-f414-49d6-b595-44b3950d210f", "value": "aaa.stage.4463714.news.meteonovosti.info" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1557296520", "to_ids": false, "type": "text", "uuid": "5cd27588-6cbc-4373-a9d7-4e5d950d210f", "value": "CARBANAK is one of the most full-featured backdoors around. It was used to perpetrate millions of dollars in financial crimes, largely by the group we track as FIN7. In 2017, Tom Bennett and Barry Vengerik published Behind the CARBANAK Backdoor, which was the product of a deep and broad analysis of CARBANAK samples and FIN7 activity across several years. On the heels of that publication, our colleague Nick Carr uncovered a pair of RAR archives containing CARBANAK source code, builders, and other tools (both available in VirusTotal: kb3r1p and apwmie)." }, { "category": "Network activity", "comment": "Attribute #4905579 enriched by dns.", "deleted": false, "disable_correlation": false, "timestamp": "1557302578", "to_ids": false, "type": "ip-src", "uuid": "5cd28d32-4770-466b-b8c6-4655e387cbd9", "value": "107.181.155.151" }, { "category": "Network activity", "comment": "Attribute #4905586 enriched by dns.", "deleted": false, "disable_correlation": false, "timestamp": "1557302581", "to_ids": false, "type": "ip-src", "uuid": "5cd28d35-7a48-4b05-b933-4fd2e387cbd9", "value": "23.253.126.58" } ], "Object": [ { "comment": "", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "8", "timestamp": "1557219940", "uuid": "5cd14a64-a478-4a1d-bcaa-4af8950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "hostname", "timestamp": "1557219940", "to_ids": true, "type": "hostname", "uuid": "5cd14a64-a93c-4312-9e8d-4210950d210f", "value": "vds2.system-host.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1557219941", "to_ids": true, "type": "ip-dst", "uuid": "5cd14a65-74d0-494d-aec6-4aac950d210f", "value": "104.193.252.151" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1557219941", "to_ids": false, "type": "port", "uuid": "5cd14a65-c57c-495d-9f2d-4795950d210f", "value": "443" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "last-seen", "timestamp": "1557219941", "to_ids": false, "type": "datetime", "uuid": "5cd14a65-3f80-42e0-bc4e-4597950d210f", "value": "2019-04-26T14:49:12" } ] }, { "comment": "", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "8", "timestamp": "1557221122", "uuid": "5cd14f02-6a40-4948-8120-41b7950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "hostname", "timestamp": "1557221122", "to_ids": true, "type": "hostname", "uuid": "5cd14f02-d9c0-4b4d-8cea-435e950d210f", "value": "customer.clientshostname.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1557221122", "to_ids": true, "type": "ip-dst", "uuid": "5cd14f02-a570-4395-93ee-484f950d210f", "value": "185.180.196.35" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1557221122", "to_ids": false, "type": "port", "uuid": "5cd14f02-5394-49c2-bae9-45aa950d210f", "value": "443" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "last-seen", "timestamp": "1557221122", "to_ids": false, "type": "datetime", "uuid": "5cd14f02-5a2c-4701-83dd-4eae950d210f", "value": "2019-04-24T07:44:30" } ] }, { "comment": "", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "8", "timestamp": "1557221244", "uuid": "5cd14f7c-ed6c-4396-a8b8-48e9950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1557221244", "to_ids": true, "type": "ip-dst", "uuid": "5cd14f7c-cf3c-4933-a073-4c35950d210f", "value": "213.227.155.8" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1557221244", "to_ids": false, "type": "port", "uuid": "5cd14f7c-1c24-484a-9823-43e0950d210f", "value": "443" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "last-seen", "timestamp": "1557221244", "to_ids": false, "type": "datetime", "uuid": "5cd14f7c-174c-49d0-a336-4580950d210f", "value": "2019-04-24T04:33:52" } ] }, { "comment": "", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "8", "timestamp": "1557221320", "uuid": "5cd14fc8-cc7c-46e2-8498-456e950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1557221320", "to_ids": true, "type": "ip-dst", "uuid": "5cd14fc8-cb38-4fbb-8e71-490c950d210f", "value": "94.156.133.69" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1557221320", "to_ids": false, "type": "port", "uuid": "5cd14fc8-3884-4328-a6e7-4232950d210f", "value": "443" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "last-seen", "timestamp": "1557221320", "to_ids": false, "type": "datetime", "uuid": "5cd14fc8-6524-41a0-9457-4b68950d210f", "value": "2018-11-15T10:27:07" } ] }, { "comment": "", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "8", "timestamp": "1557222039", "uuid": "5cd15297-7048-4712-9572-4258950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1557222039", "to_ids": true, "type": "ip-dst", "uuid": "5cd15297-21a0-4998-b558-456c950d210f", "value": "185.174.172.241" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1557222039", "to_ids": false, "type": "port", "uuid": "5cd15297-db20-4d41-b7c7-40d5950d210f", "value": "443" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "last-seen", "timestamp": "1557222039", "to_ids": false, "type": "datetime", "uuid": "5cd15297-ef24-478c-8a1e-4e17950d210f", "value": "2019-04-27T13:24:36" } ] }, { "comment": "", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "8", "timestamp": "1557222113", "uuid": "5cd152e1-b8a0-4bcf-9ea3-4ca4950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1557222113", "to_ids": true, "type": "ip-dst", "uuid": "5cd152e1-821c-4bf4-8a92-43ca950d210f", "value": "109.230.199.227" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1557222113", "to_ids": false, "type": "port", "uuid": "5cd152e1-251c-468d-bdd9-401d950d210f", "value": "443" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "last-seen", "timestamp": "1557222113", "to_ids": false, "type": "datetime", "uuid": "5cd152e1-4388-47c6-8780-4026950d210f", "value": "2019-04-27T13:24:36" } ] }, { "comment": "Status: Commented out", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "8", "timestamp": "1557224775", "uuid": "5cd15d47-ed54-49b9-aeaa-4471950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1557224775", "to_ids": true, "type": "ip-dst", "uuid": "5cd15d47-c4b8-49fb-81d4-492a950d210f", "value": "37.1.212.100" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1557224775", "to_ids": false, "type": "port", "uuid": "5cd15d47-e980-4374-984d-4e05950d210f", "value": "700" } ] }, { "comment": "Status: Commented out - Threat Group Association: Earlier CARBANAK activity", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "8", "timestamp": "1557224810", "uuid": "5cd15d6a-b964-4779-8f3a-43b5950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1557224810", "to_ids": true, "type": "ip-dst", "uuid": "5cd15d6a-b770-4f9d-b29b-4d29950d210f", "value": "188.138.98.105" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1557224811", "to_ids": false, "type": "port", "uuid": "5cd15d6b-bfbc-4488-a71b-47b5950d210f", "value": "710" } ] }, { "comment": "Status: Commented out", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "8", "timestamp": "1557234557", "uuid": "5cd1837d-0694-4391-8cb9-364f950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1557234558", "to_ids": true, "type": "ip-dst", "uuid": "5cd1837e-199c-4f9b-8460-364f950d210f", "value": "80.84.49.50" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1557234558", "to_ids": false, "type": "port", "uuid": "5cd1837e-3e1c-4109-8e6c-364f950d210f", "value": "443" } ] }, { "comment": "Status: Commented out", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "8", "timestamp": "1557235492", "uuid": "5cd18724-ce4c-410f-95db-b3d7950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1557235492", "to_ids": true, "type": "ip-dst", "uuid": "5cd18724-0dd8-473b-bb5a-b3d7950d210f", "value": "52.11.125.44" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1557235492", "to_ids": false, "type": "port", "uuid": "5cd18724-1acc-4132-ac62-b3d7950d210f", "value": "443" } ] }, { "comment": "Status: Active", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "8", "timestamp": "1557235569", "uuid": "5cd18771-bac0-47c3-9a8c-a966950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1557308323", "to_ids": false, "type": "ip-dst", "uuid": "5cd18771-9f18-4005-a613-a966950d210f", "value": "192.168.0.100" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1557235569", "to_ids": false, "type": "port", "uuid": "5cd18771-ecd8-412a-a9de-a966950d210f", "value": "700" } ] }, { "comment": "Status: Compiled", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "8", "timestamp": "1557235637", "uuid": "5cd187b5-1eb8-474a-ae22-a97c950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1557308326", "to_ids": false, "type": "ip-dst", "uuid": "5cd187b5-d93c-4c9a-9658-a97c950d210f", "value": "192.168.0.100" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1557235637", "to_ids": false, "type": "port", "uuid": "5cd187b5-0bc4-4376-8f80-a97c950d210f", "value": "700" } ] }, { "comment": "Status: Active - Threat Group Association: Earlier CARBANAK activity", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "8", "timestamp": "1557236169", "uuid": "5cd189c9-dd18-4b41-9ad4-b3d7950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1557236169", "to_ids": true, "type": "ip-dst", "uuid": "5cd189c9-6e80-4c2c-8949-b3d7950d210f", "value": "193.203.48.23" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1557236169", "to_ids": false, "type": "port", "uuid": "5cd189c9-8d90-43dc-8664-b3d7950d210f", "value": "800" } ] } ] } }