adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/59d4e235-c71c-4d0e-8ba3-920c950d210f.json

275 lines
No EOL
9.6 KiB
JSON
Raw Blame History

{
"Event": {
"analysis": "2",
"date": "2017-08-24",
"extends_uuid": "",
"info": "OSINT - Malicious Chrome Extensions Stealing Roblox In-Game Currency, Sending Cookies via Discord",
"publish_timestamp": "1507138118",
"published": true,
"threat_level_id": "3",
"timestamp": "1507138112",
"uuid": "59d4e235-c71c-4d0e-8ba3-920c950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1507138112",
"to_ids": false,
"type": "link",
"uuid": "59d4e258-5a54-41aa-868e-ef0b950d210f",
"value": "http://blog.trendmicro.com/trendlabs-security-intelligence/malicous-chrome-extensions-stealing-roblox-game-currency-sending-cookies-via-discord/",
"Tag": [
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1507138112",
"to_ids": false,
"type": "comment",
"uuid": "59d4e404-be44-4e16-b6c3-b83b950d210f",
"value": "We recently discussed how cyber criminals are using the popular voice/chat client Discord to steal cookies from the running Roblox process on a Windows PC. Since then, we\u00e2\u20ac\u2122ve noticed another attack going after the same information, only this time it is via Chrome extensions (CRX files).\r\n\r\nWhile it currently only targets Roblox users, the same technique can be used to steal cookies from any website. The stolen information is sent via Discord, but this could also be configured to use other chat platforms. We learned this particular Chrome extension was, in fact, for sale on the Dream Market underground marketplace for only 99 cents",
"Tag": [
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1507138112",
"to_ids": true,
"type": "filename",
"uuid": "59d4e425-b328-4b76-b5e9-3f50950d210f",
"value": "ROBLOX BOT.zip"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1507138112",
"to_ids": true,
"type": "filename",
"uuid": "59d4e425-1144-47c5-8833-3f50950d210f",
"value": "Crm5extension.crx"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1507138112",
"to_ids": true,
"type": "filename",
"uuid": "59d4e425-0c38-4ed1-bd79-3f50950d210f",
"value": "Roblox Enhancer.crx"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1507138112",
"to_ids": true,
"type": "filename",
"uuid": "59d4e425-c98c-4588-8d41-3f50950d210f",
"value": "danktrades.zip"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1507138112",
"to_ids": true,
"type": "filename",
"uuid": "59d4e425-9594-474f-8ee1-3f50950d210f",
"value": "bgWork.js"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1507138112",
"to_ids": true,
"type": "domain",
"uuid": "59d4e425-836c-4050-95ca-3f50950d210f",
"value": "3rmillion.net"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1507138112",
"to_ids": true,
"type": "sha256",
"uuid": "59d4e425-63fc-4e16-bc14-3f50950d210f",
"value": "0061a5f52c5b577f679e81da3ab3ad3803c20e345c16ffc4dbc8b76386d42a00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1507138112",
"to_ids": true,
"type": "sha256",
"uuid": "59d4e425-07ec-4e8b-960b-3f50950d210f",
"value": "4c4af30a94cd25b23579e12b64191a056bda3c51b6e531a2202d3863b19432b3"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1507138112",
"to_ids": true,
"type": "sha256",
"uuid": "59d4e425-5918-432e-a551-3f50950d210f",
"value": "d9f21e401ef0197a2af66133e3f7fc3a4ea3efb4437884a4383076bad4060b02"
},
{
"category": "Payload delivery",
"comment": "- Xchecked via VT: d9f21e401ef0197a2af66133e3f7fc3a4ea3efb4437884a4383076bad4060b02",
"deleted": false,
"disable_correlation": false,
"timestamp": "1507138112",
"to_ids": true,
"type": "sha1",
"uuid": "59d51a40-78a4-47e6-8d7d-45d702de0b81",
"value": "92d2ac44f7b11749fe040ab438ee736866edeafb"
},
{
"category": "Payload delivery",
"comment": "- Xchecked via VT: d9f21e401ef0197a2af66133e3f7fc3a4ea3efb4437884a4383076bad4060b02",
"deleted": false,
"disable_correlation": false,
"timestamp": "1507138112",
"to_ids": true,
"type": "md5",
"uuid": "59d51a40-f80c-419e-b758-4b6802de0b81",
"value": "98f2e06a90a8d762a05fc7deeb74093f"
},
{
"category": "External analysis",
"comment": "- Xchecked via VT: d9f21e401ef0197a2af66133e3f7fc3a4ea3efb4437884a4383076bad4060b02",
"deleted": false,
"disable_correlation": false,
"timestamp": "1507138112",
"to_ids": false,
"type": "link",
"uuid": "59d51a40-6988-4a79-8984-481b02de0b81",
"value": "https://www.virustotal.com/file/d9f21e401ef0197a2af66133e3f7fc3a4ea3efb4437884a4383076bad4060b02/analysis/1503970956/"
},
{
"category": "Payload delivery",
"comment": "- Xchecked via VT: 4c4af30a94cd25b23579e12b64191a056bda3c51b6e531a2202d3863b19432b3",
"deleted": false,
"disable_correlation": false,
"timestamp": "1507138112",
"to_ids": true,
"type": "sha1",
"uuid": "59d51a40-bd94-4247-bdc7-470f02de0b81",
"value": "aef1f023f744bb3fe1ab8616d9d44391d6a0a03e"
},
{
"category": "Payload delivery",
"comment": "- Xchecked via VT: 4c4af30a94cd25b23579e12b64191a056bda3c51b6e531a2202d3863b19432b3",
"deleted": false,
"disable_correlation": false,
"timestamp": "1507138112",
"to_ids": true,
"type": "md5",
"uuid": "59d51a40-5020-4fac-b79f-484e02de0b81",
"value": "178e598baf688ca318482751d38b5f33"
},
{
"category": "External analysis",
"comment": "- Xchecked via VT: 4c4af30a94cd25b23579e12b64191a056bda3c51b6e531a2202d3863b19432b3",
"deleted": false,
"disable_correlation": false,
"timestamp": "1507138112",
"to_ids": false,
"type": "link",
"uuid": "59d51a40-c028-406c-a257-45a102de0b81",
"value": "https://www.virustotal.com/file/4c4af30a94cd25b23579e12b64191a056bda3c51b6e531a2202d3863b19432b3/analysis/1503951674/"
},
{
"category": "Payload delivery",
"comment": "- Xchecked via VT: 0061a5f52c5b577f679e81da3ab3ad3803c20e345c16ffc4dbc8b76386d42a00",
"deleted": false,
"disable_correlation": false,
"timestamp": "1507138112",
"to_ids": true,
"type": "sha1",
"uuid": "59d51a40-caa0-4640-8256-4c1702de0b81",
"value": "1bbf468286a00175ef032063f6b01c4c958a6b3a"
},
{
"category": "Payload delivery",
"comment": "- Xchecked via VT: 0061a5f52c5b577f679e81da3ab3ad3803c20e345c16ffc4dbc8b76386d42a00",
"deleted": false,
"disable_correlation": false,
"timestamp": "1507138112",
"to_ids": true,
"type": "md5",
"uuid": "59d51a40-2a00-40e0-9edb-469902de0b81",
"value": "0574437b0e697cf884726bb5e321be80"
},
{
"category": "External analysis",
"comment": "- Xchecked via VT: 0061a5f52c5b577f679e81da3ab3ad3803c20e345c16ffc4dbc8b76386d42a00",
"deleted": false,
"disable_correlation": false,
"timestamp": "1507138113",
"to_ids": false,
"type": "link",
"uuid": "59d51a41-d934-4f2c-8e76-44d802de0b81",
"value": "https://www.virustotal.com/file/0061a5f52c5b577f679e81da3ab3ad3803c20e345c16ffc4dbc8b76386d42a00/analysis/1504020369/"
}
]
}
}
Reference in a new issue View git blame Copy permalink