{
"Event": {
"analysis": "2",
"date": "2017-06-09",
"extends_uuid": "",
"info": "OSINT - FIREBALL \u2013 The Chinese Malware of 250 Million Computers Infected",
"publish_timestamp": "1497013733",
"published": true,
"threat_level_id": "3",
"timestamp": "1497013712",
"uuid": "593a99c5-79cc-411c-ac6d-3089950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013712",
"to_ids": false,
"type": "text",
"uuid": "593a99e3-6910-4bbb-b74f-4f14950d210f",
"value": "Check Point Threat Intelligence and research teams recently discovered a high volume Chinese threat operation which has infected over 250 million computers worldwide. The installed malware, Fireball, takes over target browsers and turns them into zombies. Fireball has two main functionalities: the ability to run any code on victim computers \u2013 downloading any file or malware \u2013 and hijacking and manipulating infected users\u2019 web-traffic to generate ad-revenue. Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any additional malware.\r\n\r\nThis operation is run by Rafotech, a large digital marketing agency based in Beijing. Rafotech uses Fireball to manipulate the victims\u2019 browsers and turn their default search engines and home-pages into fake search engines. This redirects the queries to either yahoo.com or Google.com. The fake search engines include tracking pixels used to collect the users\u2019 private information. Fireball has the ability to spy on victims, perform efficient malware dropping, and execute any malicious code on the infected machines; this creates a massive security flaw in targeted machines and networks.\r\n\r\n \r\n\r\nKEY FINDINGS\r\n\r\n Check Point analysts uncovered a high volume Chinese threat operation which has infected over 250 million computers worldwide, and 20% of corporate networks.\r\n The malware, called Fireball, acts as a browser-hijacker but can be turned into a full-functioning malware downloader. Fireball is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.\r\n Fireball is spread mostly via bundling, i.e. installed on victim machines alongside a wanted program, often without the user\u2019s consent.\r\n The operation is run by a Chinese digital marketing agency.\r\n Top infected countries are India (10.1%) and Brazil (9.6%)",
"Tag": [
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
},
{
"colour": "#075200",
"local": false,
"name": "admiralty-scale:source-reliability=\"b\"",
"relationship_type": ""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013711",
"to_ids": false,
"type": "link",
"uuid": "593a99f0-a2f0-4152-877d-597e950d210f",
"value": "http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/",
"Tag": [
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
},
{
"colour": "#075200",
"local": false,
"name": "admiralty-scale:source-reliability=\"b\"",
"relationship_type": ""
}
]
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "domain",
"uuid": "593a9a1b-c56c-467d-9f20-4f14950d210f",
"value": "attirerpage.com"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "hostname",
"uuid": "593a9a1c-e410-4d58-a926-4f14950d210f",
"value": "s2s.rafotech.com"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "domain",
"uuid": "593a9a1c-4020-40a5-b086-4f14950d210f",
"value": "trotux.com"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "domain",
"uuid": "593a9a1d-4244-41c5-a610-4f14950d210f",
"value": "startpageing123.com"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "domain",
"uuid": "593a9a1d-a358-44e3-a4ff-4f14950d210f",
"value": "funcionapage.com"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "domain",
"uuid": "593a9a1e-091c-4f20-8bf9-4f14950d210f",
"value": "universalsearches.com"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "domain",
"uuid": "593a9a1e-b6e4-4c2a-b979-4f14950d210f",
"value": "thewebanswers.com"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "domain",
"uuid": "593a9a1e-c744-4cb2-9fb2-4f14950d210f",
"value": "nicesearches.com"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "domain",
"uuid": "593a9a1f-cd2c-4825-a604-4f14950d210f",
"value": "youndoo.com"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "domain",
"uuid": "593a9a1f-da50-4eca-ba8e-4f14950d210f",
"value": "giqepofa.com"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "domain",
"uuid": "593a9a20-2264-4e78-a381-4f14950d210f",
"value": "mustang-browser.com"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "domain",
"uuid": "593a9a20-16d8-4e7f-94aa-4f14950d210f",
"value": "forestbrowser.com"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "domain",
"uuid": "593a9a21-6900-4070-8ff7-4f14950d210f",
"value": "luckysearch123.com"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "domain",
"uuid": "593a9a21-8810-45d8-9832-4f14950d210f",
"value": "ooxxsearch.com"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "domain",
"uuid": "593a9a22-e894-483c-95fb-4f14950d210f",
"value": "search2000s.com"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "domain",
"uuid": "593a9a22-6c10-4227-9615-4f14950d210f",
"value": "walasearch.com"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "domain",
"uuid": "593a9a22-6a64-4342-9a5a-4f14950d210f",
"value": "hohosearch.com"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "domain",
"uuid": "593a9a23-a6c4-4709-990e-4f14950d210f",
"value": "yessearches.com"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "hostname",
"uuid": "593a9a23-a970-463a-8278-4f14950d210f",
"value": "d3l4qa0kmel7is.cloudfront.net"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "hostname",
"uuid": "593a9a24-a83c-4f0d-b380-4f14950d210f",
"value": "d5ou3dytze6uf.cloudfront.net"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "hostname",
"uuid": "593a9a24-9ac4-4c5d-adcf-4f14950d210f",
"value": "d1vh0xkmncek4z.cloudfront.net"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "hostname",
"uuid": "593a9a25-891c-4b6e-829c-4f14950d210f",
"value": "d26r15y2ken1t9.cloudfront.net"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "hostname",
"uuid": "593a9a25-2518-43ba-8caa-4f14950d210f",
"value": "d11eq81k50lwgi.cloudfront.net"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "hostname",
"uuid": "593a9a25-bdd8-4c5b-bd83-4f14950d210f",
"value": "ddyv8sl7ewq1w.cloudfront.net"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "hostname",
"uuid": "593a9a26-2cc4-412c-bd55-4f14950d210f",
"value": "d3i1asoswufp5k.cloudfront.net"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "hostname",
"uuid": "593a9a26-d1b4-46b7-af14-4f14950d210f",
"value": "dc44qjwal3p07.cloudfront.net"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "hostname",
"uuid": "593a9a27-69b4-4894-9d5c-4f14950d210f",
"value": "dv2m1uumnsgtu.cloudfront.net"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "hostname",
"uuid": "593a9a27-63f0-40be-ae57-4f14950d210f",
"value": "d1mxvenloqrqmu.cloudfront.net"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "hostname",
"uuid": "593a9a28-2494-400b-86f4-4f14950d210f",
"value": "dfrs12kz9qye2.cloudfront.net"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "hostname",
"uuid": "593a9a28-2fcc-4aa1-8c8c-4f14950d210f",
"value": "dgkytklfjrqkb.cloudfront.net"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "url",
"uuid": "593a9a50-78b8-4c74-85f6-0359950d210f",
"value": "dgkytklfjrqkb.cloudfront.net/main/trmz.exe"
},
{
"category": "Payload delivery",
"comment": "Sample",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "md5",
"uuid": "593a9d11-4cdc-494f-9114-9624950d210f",
"value": "fab40a7bde5250a6bc8644f4d6b9c28f"
},
{
"category": "Payload delivery",
"comment": "Sample",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "md5",
"uuid": "593a9d12-8e24-4c6f-9def-9624950d210f",
"value": "69ffdf99149d19be7dc1c52f33aaa651"
},
{
"category": "Payload delivery",
"comment": "Sample",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "md5",
"uuid": "593a9d12-7d80-4ec9-9400-9624950d210f",
"value": "b56d1d35d46630335e03af9add84b488"
},
{
"category": "Payload delivery",
"comment": "Sample",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "md5",
"uuid": "593a9d12-d488-4ca7-8c2c-9624950d210f",
"value": "8c61a6937963507dc87d8bf00385c0bc"
},
{
"category": "Payload delivery",
"comment": "Sample",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "md5",
"uuid": "593a9d13-8924-427b-827a-9624950d210f",
"value": "7adb7f56e81456f3b421c01ab19b1900"
},
{
"category": "Payload delivery",
"comment": "Sample",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013658",
"to_ids": true,
"type": "md5",
"uuid": "593a9d13-1e48-4d4c-b4c5-9624950d210f",
"value": "2b307e28ce531157611825eb0854c15f"
},
{
"category": "Payload delivery",
"comment": "Sample - Xchecked via VT: fab40a7bde5250a6bc8644f4d6b9c28f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013673",
"to_ids": true,
"type": "sha256",
"uuid": "593a9da9-1880-4599-bdbd-4ebd02de0b81",
"value": "9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022"
},
{
"category": "Payload delivery",
"comment": "Sample - Xchecked via VT: fab40a7bde5250a6bc8644f4d6b9c28f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013673",
"to_ids": true,
"type": "sha1",
"uuid": "593a9da9-9870-477c-adf7-4b6a02de0b81",
"value": "8b6388810047db449d3699333eca9091568a094c"
},
{
"category": "External analysis",
"comment": "Sample - Xchecked via VT: fab40a7bde5250a6bc8644f4d6b9c28f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013674",
"to_ids": false,
"type": "link",
"uuid": "593a9daa-c17c-4188-ae4f-48e702de0b81",
"value": "https://www.virustotal.com/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/1497008302/"
},
{
"category": "Payload delivery",
"comment": "Sample - Xchecked via VT: 69ffdf99149d19be7dc1c52f33aaa651",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013674",
"to_ids": true,
"type": "sha256",
"uuid": "593a9daa-7ae8-4ab8-bf77-4c2502de0b81",
"value": "e3f69a1fb6fcaf9fd93386b6ba1d86731cd9e5648f7cff5242763188129cd158"
},
{
"category": "Payload delivery",
"comment": "Sample - Xchecked via VT: 69ffdf99149d19be7dc1c52f33aaa651",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013675",
"to_ids": true,
"type": "sha1",
"uuid": "593a9dab-eff4-4522-8ec8-4ee902de0b81",
"value": "b6bbe04238834126043610115c253788f0cb8a39"
},
{
"category": "External analysis",
"comment": "Sample - Xchecked via VT: 69ffdf99149d19be7dc1c52f33aaa651",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013675",
"to_ids": false,
"type": "link",
"uuid": "593a9dab-389c-47e3-895e-41a002de0b81",
"value": "https://www.virustotal.com/file/e3f69a1fb6fcaf9fd93386b6ba1d86731cd9e5648f7cff5242763188129cd158/analysis/1497008303/"
},
{
"category": "Payload delivery",
"comment": "Sample - Xchecked via VT: b56d1d35d46630335e03af9add84b488",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013675",
"to_ids": true,
"type": "sha256",
"uuid": "593a9dab-a0dc-416e-a4f0-4b7402de0b81",
"value": "c7244d139ef9ea431a5b9cc6a2176a6a9908710892c74e215431b99cd5228359"
},
{
"category": "Payload delivery",
"comment": "Sample - Xchecked via VT: b56d1d35d46630335e03af9add84b488",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013676",
"to_ids": true,
"type": "sha1",
"uuid": "593a9dac-6998-4642-bbd1-468702de0b81",
"value": "cc725869679e5c8c4b7fcdffe98bcd4d612a909a"
},
{
"category": "External analysis",
"comment": "Sample - Xchecked via VT: b56d1d35d46630335e03af9add84b488",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013676",
"to_ids": false,
"type": "link",
"uuid": "593a9dac-72d0-4754-aa32-480002de0b81",
"value": "https://www.virustotal.com/file/c7244d139ef9ea431a5b9cc6a2176a6a9908710892c74e215431b99cd5228359/analysis/1497008303/"
},
{
"category": "Payload delivery",
"comment": "Sample - Xchecked via VT: 8c61a6937963507dc87d8bf00385c0bc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013676",
"to_ids": true,
"type": "sha256",
"uuid": "593a9dac-102c-43c3-8b27-4e2e02de0b81",
"value": "14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3"
},
{
"category": "Payload delivery",
"comment": "Sample - Xchecked via VT: 8c61a6937963507dc87d8bf00385c0bc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013677",
"to_ids": true,
"type": "sha1",
"uuid": "593a9dad-78dc-4c7f-8feb-46d102de0b81",
"value": "0312325d31072afaac87f3aafff58261b549db5d"
},
{
"category": "External analysis",
"comment": "Sample - Xchecked via VT: 8c61a6937963507dc87d8bf00385c0bc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013677",
"to_ids": false,
"type": "link",
"uuid": "593a9dad-2538-4934-823d-4c4602de0b81",
"value": "https://www.virustotal.com/file/14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3/analysis/1497008304/"
},
{
"category": "Payload delivery",
"comment": "Sample - Xchecked via VT: 7adb7f56e81456f3b421c01ab19b1900",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013677",
"to_ids": true,
"type": "sha256",
"uuid": "593a9dad-3fa0-4af2-b973-443f02de0b81",
"value": "fff2818caa9040486a634896f329b8aebaec9121bdf9982841f0646763a1686b"
},
{
"category": "Payload delivery",
"comment": "Sample - Xchecked via VT: 7adb7f56e81456f3b421c01ab19b1900",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013678",
"to_ids": true,
"type": "sha1",
"uuid": "593a9dae-268c-415b-9f65-4aed02de0b81",
"value": "30a176dde7aff87ee73c967d4f70d1b834a62dd4"
},
{
"category": "External analysis",
"comment": "Sample - Xchecked via VT: 7adb7f56e81456f3b421c01ab19b1900",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013678",
"to_ids": false,
"type": "link",
"uuid": "593a9dae-b794-4840-b539-4e0302de0b81",
"value": "https://www.virustotal.com/file/fff2818caa9040486a634896f329b8aebaec9121bdf9982841f0646763a1686b/analysis/1497008304/"
},
{
"category": "Payload delivery",
"comment": "Sample - Xchecked via VT: 2b307e28ce531157611825eb0854c15f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013679",
"to_ids": true,
"type": "sha256",
"uuid": "593a9daf-307c-4d9d-826d-44d502de0b81",
"value": "7d68386554e514f38f98f24e8056c11c0a227602ed179d54ed08f2251dc9ea93"
},
{
"category": "Payload delivery",
"comment": "Sample - Xchecked via VT: 2b307e28ce531157611825eb0854c15f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013679",
"to_ids": true,
"type": "sha1",
"uuid": "593a9daf-69f8-4635-8694-488602de0b81",
"value": "f7df2b019b5640c66e40b1cecbb327d1c9192560"
},
{
"category": "External analysis",
"comment": "Sample - Xchecked via VT: 2b307e28ce531157611825eb0854c15f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013679",
"to_ids": false,
"type": "link",
"uuid": "593a9daf-1c44-42ce-8440-483b02de0b81",
"value": "https://www.virustotal.com/file/7d68386554e514f38f98f24e8056c11c0a227602ed179d54ed08f2251dc9ea93/analysis/1497008376/"
}
]
}
}