{
|
|
"type": "bundle",
|
|
"id": "bundle--f6098894-bbc6-4ee8-adbb-fc99b4c86f04",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:46:37.000Z",
|
|
"modified": "2023-01-10T15:46:37.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--f6098894-bbc6-4ee8-adbb-fc99b4c86f04",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:46:37.000Z",
|
|
"modified": "2023-01-10T15:46:37.000Z",
|
|
"name": "OSINT - Godfather Trojan IOCs",
|
|
"published": "2023-01-10T15:46:51Z",
|
|
"object_refs": [
|
|
"indicator--582e28d6-70ac-49a8-9523-2a55359b3a53",
|
|
"indicator--283be250-ecdc-4057-82d5-26c5d452dfbd",
|
|
"indicator--9d2bc2c9-2361-472a-86bb-81f99ccd6a15",
|
|
"indicator--c518b2f0-1417-4720-b578-13160b24e034",
|
|
"indicator--326dcec3-ac72-47b8-bb76-01463bee1c91",
|
|
"indicator--f9fcdd3d-3e6f-47b7-b1a8-319eb91f8dd9",
|
|
"indicator--8fc32fd2-12be-4460-bc40-f3374a26f868",
|
|
"indicator--67299acd-4ca5-499c-ba2c-47db1130e081",
|
|
"indicator--7ac407eb-b23e-469e-bde7-a2b31abc5d40",
|
|
"indicator--dfd9f51b-ef52-4b04-9f25-4a60c8bbbf0e",
|
|
"indicator--f3c722b8-75c6-479f-8805-7f06e6062c6c",
|
|
"indicator--a0f4eac1-dea6-4b7d-bda0-e69f09b65ce0",
|
|
"indicator--4a91a0e3-a25a-488c-aef4-2af731657555",
|
|
"indicator--6f9fd4b2-0c0d-4f5a-aa4a-184417889d0b",
|
|
"indicator--7b1f707d-3eea-492d-8196-5dd13921360f",
|
|
"indicator--748ec32a-a7c9-48f6-b189-3100b5ef40d8",
|
|
"indicator--cea15d0d-fac6-47d1-b9ea-5775b446b814",
|
|
"indicator--3c5664c2-98ff-499e-a915-2ef2fe2f6a88",
|
|
"indicator--2e220ffc-630f-4348-89b3-a894961cbb7d",
|
|
"indicator--8c02c3aa-e7c9-4e79-b9c8-d562835becb6",
|
|
"indicator--ae613301-2400-48c4-b23c-df853f9d4f3d",
|
|
"indicator--03574f55-8a78-4e36-add2-01b1f5c1df32",
|
|
"indicator--0c7c6c3b-5b82-4e61-a380-1115cc8b8fed",
|
|
"indicator--40fb7312-71a4-469c-89db-65f38ddb73ee",
|
|
"indicator--91bbcc0a-5c71-4750-9f41-bf08b72bbd4b",
|
|
"indicator--504c51f0-f3d2-43e6-b4d7-baac114828e9",
|
|
"indicator--4edbf8e1-d4ab-4fe1-8ba9-d28268cc9b9f",
|
|
"x-misp-object--00451894-1a23-462f-a90d-c0d852d9fe80",
|
|
"x-misp-object--05d7898d-e645-406b-ba38-eb56f4e4bd13",
|
|
"indicator--09799c14-87d6-4a36-9e61-f1353f49f50d",
|
|
"x-misp-object--344f2b3c-8c0a-49fe-867b-5b9c7dcf4166",
|
|
"x-misp-object--e6777be6-8b69-49a6-b286-521b557b108c"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Deliver Malicious App via Authorized App Store - T1475\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1646\"",
|
|
"veris:asset:variety=\"U - Mobile phone\"",
|
|
"type:OSINT",
|
|
"osint:lifetime=\"perpetual\"",
|
|
"osint:certainty=\"50\"",
|
|
"tlp:clear"
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--582e28d6-70ac-49a8-9523-2a55359b3a53",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:08:13.000Z",
|
|
"modified": "2023-01-10T15:08:13.000Z",
|
|
"pattern": "[url:value = 'http://168.100.9.86/']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:08:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--283be250-ecdc-4057-82d5-26c5d452dfbd",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:08:13.000Z",
|
|
"modified": "2023-01-10T15:08:13.000Z",
|
|
"pattern": "[url:value = 'http://45.61.138.60/']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:08:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--9d2bc2c9-2361-472a-86bb-81f99ccd6a15",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:08:13.000Z",
|
|
"modified": "2023-01-10T15:08:13.000Z",
|
|
"pattern": "[url:value = 'http://50.18.3.26/']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:08:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--c518b2f0-1417-4720-b578-13160b24e034",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:08:13.000Z",
|
|
"modified": "2023-01-10T15:08:13.000Z",
|
|
"pattern": "[url:value = 'http://heikenmorgan.com/']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:08:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--326dcec3-ac72-47b8-bb76-01463bee1c91",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:08:13.000Z",
|
|
"modified": "2023-01-10T15:08:13.000Z",
|
|
"pattern": "[url:value = 'https://banerrokutepera.com/']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:08:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--f9fcdd3d-3e6f-47b7-b1a8-319eb91f8dd9",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:08:13.000Z",
|
|
"modified": "2023-01-10T15:08:13.000Z",
|
|
"pattern": "[url:value = 'https://henkormerise.com/']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:08:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--8fc32fd2-12be-4460-bc40-f3374a26f868",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:09:18.000Z",
|
|
"modified": "2023-01-10T15:09:18.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '168.100.9.86']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:09:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--67299acd-4ca5-499c-ba2c-47db1130e081",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:09:18.000Z",
|
|
"modified": "2023-01-10T15:09:18.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.61.138.60']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:09:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--7ac407eb-b23e-469e-bde7-a2b31abc5d40",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:09:18.000Z",
|
|
"modified": "2023-01-10T15:09:18.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '50.18.3.26']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:09:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--dfd9f51b-ef52-4b04-9f25-4a60c8bbbf0e",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:09:18.000Z",
|
|
"modified": "2023-01-10T15:09:18.000Z",
|
|
"pattern": "[url:value = 'heikenmorgan.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:09:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--f3c722b8-75c6-479f-8805-7f06e6062c6c",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:09:18.000Z",
|
|
"modified": "2023-01-10T15:09:18.000Z",
|
|
"pattern": "[url:value = 'banerrokutepera.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:09:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--a0f4eac1-dea6-4b7d-bda0-e69f09b65ce0",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:09:18.000Z",
|
|
"modified": "2023-01-10T15:09:18.000Z",
|
|
"pattern": "[domain-name:value = 'henkormerise.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:09:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--4a91a0e3-a25a-488c-aef4-2af731657555",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:10:23.000Z",
|
|
"modified": "2023-01-10T15:10:23.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:10:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--6f9fd4b2-0c0d-4f5a-aa4a-184417889d0b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:10:23.000Z",
|
|
"modified": "2023-01-10T15:10:23.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '38386f4fabd0bc7f7065eaee818717e89772fb3b1a3744df754c45778e353f70']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:10:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--7b1f707d-3eea-492d-8196-5dd13921360f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:10:23.000Z",
|
|
"modified": "2023-01-10T15:10:23.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '7664293fc1dde797940d857d1f16eb1e12a15b9126d704854f97df1bedc18758']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:10:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--748ec32a-a7c9-48f6-b189-3100b5ef40d8",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:10:23.000Z",
|
|
"modified": "2023-01-10T15:10:23.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '9815ba07d0a2528c11d377b583243df24218a48c6a4f839f40769ea290555070']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:10:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--cea15d0d-fac6-47d1-b9ea-5775b446b814",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:10:23.000Z",
|
|
"modified": "2023-01-10T15:10:23.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '9dfb5b4ad9aac36c2d7fbb93f8668faa819cb0df16f4a55d00f1cdda89c9a6d2']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:10:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--3c5664c2-98ff-499e-a915-2ef2fe2f6a88",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:10:23.000Z",
|
|
"modified": "2023-01-10T15:10:23.000Z",
|
|
"pattern": "[file:hashes.SHA256 = 'a14aad1265eb307fbe71a3a5f6e688408ce153ff19838b3c5229f26ee3ece5dd']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:10:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--2e220ffc-630f-4348-89b3-a894961cbb7d",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:10:23.000Z",
|
|
"modified": "2023-01-10T15:10:23.000Z",
|
|
"pattern": "[file:hashes.SHA256 = 'b6249fa996cb4046bdab37bab5e3b4d43c79ea537f119040c3b3e138149897fd']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:10:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--8c02c3aa-e7c9-4e79-b9c8-d562835becb6",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:10:23.000Z",
|
|
"modified": "2023-01-10T15:10:23.000Z",
|
|
"pattern": "[file:hashes.SHA256 = 'c3dadb9a593523d1bf3fe76dabf375578119aff3110d92a1a4ee6db06742263a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:10:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--ae613301-2400-48c4-b23c-df853f9d4f3d",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:10:23.000Z",
|
|
"modified": "2023-01-10T15:10:23.000Z",
|
|
"pattern": "[file:hashes.SHA256 = 'c4bace10849f23e9972e555ac2e30ac128b7a90017a0f76c197685a0c60def6d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:10:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--03574f55-8a78-4e36-add2-01b1f5c1df32",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:10:23.000Z",
|
|
"modified": "2023-01-10T15:10:23.000Z",
|
|
"pattern": "[file:hashes.SHA256 = 'c79857015dbf220111e7c5f47cf20a656741a9380cc0faecd486b517648eb199']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:10:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--0c7c6c3b-5b82-4e61-a380-1115cc8b8fed",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:10:23.000Z",
|
|
"modified": "2023-01-10T15:10:23.000Z",
|
|
"pattern": "[file:hashes.SHA256 = 'd652ac528102de3ebb42a973db639ae27f13738e005172e5ff8aac6e91f3f760']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:10:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--40fb7312-71a4-469c-89db-65f38ddb73ee",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:19:09.000Z",
|
|
"modified": "2023-01-10T15:19:09.000Z",
|
|
"description": "%KEY% is the key sent as a parameter in the requests mentioned above. %LOCALE% is the system language. The user-agent used when the request is executed is:",
|
|
"pattern": "[network-traffic:extensions.'http-request-ext'.request_header.'User-Agent' = 'Mozilla/5.0 (Linux; Android 9; SM-J730F Build/PPR12.180610.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.181 Mobile Safari/537.36']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:19:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"user-agent\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--91bbcc0a-5c71-4750-9f41-bf08b72bbd4b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:20:44.000Z",
|
|
"modified": "2023-01-10T15:20:44.000Z",
|
|
"pattern": "[domain-name:value = 'banerrokutepera.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:20:44Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--504c51f0-f3d2-43e6-b4d7-baac114828e9",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:20:44.000Z",
|
|
"modified": "2023-01-10T15:20:44.000Z",
|
|
"pattern": "[domain-name:value = 'heikenmorgan.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:20:44Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--4edbf8e1-d4ab-4fe1-8ba9-d28268cc9b9f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:20:44.000Z",
|
|
"modified": "2023-01-10T15:20:44.000Z",
|
|
"pattern": "[domain-name:value = 'pluscurrencyconverter.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:20:44Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--00451894-1a23-462f-a90d-c0d852d9fe80",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:10:04.000Z",
|
|
"modified": "2023-01-10T15:10:04.000Z",
|
|
"labels": [
|
|
"misp:name=\"report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "link",
|
|
"value": "https://1275.ru/ioc/1192/godfather-trojan-iocs/",
|
|
"category": "External analysis",
|
|
"uuid": "8dc384c7-67b9-4a8d-b449-f6804487902b"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "summary",
|
|
"value": "Group-IB \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u043b\u0438 \u0432 \u043e\u0444\u0438\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u043c \u043c\u0430\u0433\u0430\u0437\u0438\u043d\u0435 Google Play \u0431\u0430\u043d\u043a\u043e\u0432\u0441\u043a\u043e\u0433\u043e \u0442\u0440\u043e\u044f\u043d\u0430 Godfather, \u0433\u0434\u0435 \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441 \u043c\u0430\u0441\u043a\u0438\u0440\u0443\u0435\u0442\u0441\u044f \u043f\u043e\u0434 \u043b\u0435\u0433\u0430\u043b\u044c\u043d\u044b\u0435 \u043a\u0440\u0438\u043f\u0442\u043e\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f. \u0413\u0435\u043e\u0433\u0440\u0430\u0444\u0438\u044f \u0435\u0433\u043e \u0436\u0435\u0440\u0442\u0432 \u043e\u0445\u0432\u0430\u0442\u044b\u0432\u0430\u0435\u0442 16 \u0441\u0442\u0440\u0430\u043d \u043c\u0438\u0440\u0430, \u0430 \u0441\u043f\u0438\u0441\u043e\u043a \u0446\u0435\u043b\u0435\u0439 \u043d\u0430\u0441\u0447\u0438\u0442\u044b\u0432\u0430\u0435\u0442 \u0431\u043e\u043b\u0435\u0435 400 \u0440\u0430\u0437\u043b\u0438\u0447\u043d\u044b\u0445 \u0431\u0430\u043d\u043a\u043e\u0432, \u043a\u0440\u0438\u043f\u0442\u043e\u0432\u0430\u043b\u044e\u0442\u043d\u044b\u0445 \u0431\u0438\u0440\u0436 \u0438 \u044d\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u044b\u0445 \u043a\u043e\u0448\u0435\u043b\u044c\u043a\u043e\u0432.",
|
|
"category": "Other",
|
|
"uuid": "ae3e1b8d-b149-4551-9412-ebee765c9de5"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "type",
|
|
"value": "Blog",
|
|
"category": "Other",
|
|
"uuid": "469bd9cb-bb87-404f-a325-624866e88da7"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "report"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--05d7898d-e645-406b-ba38-eb56f4e4bd13",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:11:09.000Z",
|
|
"modified": "2023-01-10T15:11:09.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/gui/file/0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8",
|
|
"category": "External analysis",
|
|
"uuid": "cf926a0e-0c8a-46ea-9fe9-915e81b5e76e"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "29/66",
|
|
"category": "Other",
|
|
"uuid": "1de1435a-1eb5-4bcf-8c82-5576ce32606c"
|
|
}
|
|
],
|
|
"x_misp_comment": "0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8: Enriched via the virustotal module",
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--09799c14-87d6-4a36-9e61-f1353f49f50d",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:11:09.000Z",
|
|
"modified": "2023-01-10T15:11:09.000Z",
|
|
"description": "0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8: Enriched via the virustotal module",
|
|
"pattern": "[file:hashes.MD5 = 'ec9f857999b4fc3dd007fdb786b7a8d1' AND file:hashes.SHA1 = '3fa48a36d22d848ad111b246ca94fa58088dbb7a' AND file:hashes.SHA256 = '0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8' AND file:hashes.SSDEEP = '98304:vDdInEpAOdLl2DfGjOmP34z09nmw3xAZMV8JiDQeZgUGdh0fr33dmh++0oEHi6Pz:5gE7tf3u09nmiOZmDid9h+CFZMXmwfXR' AND file:hashes.VHASH = 'ede26ab6fd89266ae46ad188b676ce54' AND file:x_misp_tlsh = 't1cb76125af718a86fc1f792324679522a66074c268743ea875968727c0dbbdc04f4bfcc']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-01-10T15:11:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--344f2b3c-8c0a-49fe-867b-5b9c7dcf4166",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:14:14.000Z",
|
|
"modified": "2023-01-10T15:14:14.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/gui/file/9815ba07d0a2528c11d377b583243df24218a48c6a4f839f40769ea290555070",
|
|
"category": "External analysis",
|
|
"uuid": "0514771e-3eee-4ab7-bda0-005ada4ce08c"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "22/66",
|
|
"category": "Other",
|
|
"uuid": "45c71feb-c0cf-41c7-ac50-eb21152dda6e"
|
|
}
|
|
],
|
|
"x_misp_comment": "9815ba07d0a2528c11d377b583243df24218a48c6a4f839f40769ea290555070: Enriched via the virustotal module",
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--e6777be6-8b69-49a6-b286-521b557b108c",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-01-10T15:17:23.000Z",
|
|
"modified": "2023-01-10T15:17:23.000Z",
|
|
"labels": [
|
|
"misp:name=\"report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "link",
|
|
"value": "https://blog.group-ib.com/godfather-trojan",
|
|
"category": "External analysis",
|
|
"uuid": "288a1ec3-7867-48fa-aeb0-6718edaae63c"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "summary",
|
|
"value": "The Android banking Trojan Godfather is currently being utilized by cybercriminals to attack users of popular financial services across the globe. Godfather is designed to allow threat actors to harvest login credentials for banking applications and other financial services, and drain the accounts. To date, its victims include users of over 400 international targets, including banking applications, cryptocurrency wallets, and crypto exchanges.\r\n\r\nFew people realize that hiding under Godfather\u2019s hood is an old banking Trojan called Anubis, whose functionality has become outdated due to Android updates and the efforts of malware detection and prevention providers.",
|
|
"category": "Other",
|
|
"uuid": "76bfccf5-2126-4090-b782-fd2c85ba72db"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "type",
|
|
"value": "Blog",
|
|
"category": "Other",
|
|
"uuid": "c402c0b0-0a54-40b1-825d-3a8b21f33917"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "report"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |