adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/5a391a35-45c8-4e0b-b580-4cdc950d210f.json

309 lines
No EOL
10 KiB
JSON
Raw Blame History

{
"Event": {
"analysis": "2",
"date": "2017-12-03",
"extends_uuid": "",
"info": "OSINT - The Emotet Banking Trojan: Analysis of Dropped Malware Morphing at Scale",
"publish_timestamp": "1514468151",
"published": true,
"threat_level_id": "3",
"timestamp": "1513825248",
"uuid": "5a391a35-45c8-4e0b-b580-4cdc950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:tool=\"Emotet\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:banker=\"Geodo\"",
"relationship_type": ""
},
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
},
{
"colour": "#002f76",
"local": false,
"name": "ms-caro-malware-full:malware-family=\"Banker\"",
"relationship_type": ""
},
{
"colour": "#284800",
"local": false,
"name": "malware_classification:malware-category=\"Trojan\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1513805859",
"to_ids": false,
"type": "link",
"uuid": "5a391a5b-1b48-4f03-ad50-18e3950d210f",
"value": "https://blogs.bromium.com/emotet-banking-trojan-malware-analysis/",
"Tag": [
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1513805859",
"to_ids": false,
"type": "comment",
"uuid": "5a391b26-fa94-4cb9-b69d-1690950d210f",
"value": "Recently, the Bromium Lab team uncovered a series of samples containing the Emotet banking trojan, which indicates that malware authors are rapidly rewrapping their packed executables and the documents used to distribute them. Based on feedback and further monitoring, we investigated the polymorphic dropped executables in more detail. The results are quite interesting; the samples don\u00e2\u20ac\u2122t just feature trivial changes or the addition of random data. Rather, the sample appears like completely different software in many aspects. This allows the samples to avoid signature-based anti-virus as well as package detection and static analysis.",
"Tag": [
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
]
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "8",
"timestamp": "1513692012",
"uuid": "5a391b6c-d4e4-4072-9d3c-1713950d210f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1513692012",
"to_ids": true,
"type": "sha256",
"uuid": "5a391b6c-32fc-460a-a833-1713950d210f",
"value": "906e9607b4ad68eb380a1bd55842b8a7c601a8108c16d1c3d3a1cf74eefeb180"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1513692012",
"to_ids": false,
"type": "text",
"uuid": "5a391b6c-6520-41e0-ab7d-1713950d210f",
"value": "Malicious"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1513692012",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5a391b6c-b2d4-4a78-85fa-1713950d210f",
"value": "229000"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "8",
"timestamp": "1513692037",
"uuid": "5a391b85-5068-4092-ba25-bfca950d210f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1513692037",
"to_ids": true,
"type": "sha256",
"uuid": "5a391b85-40f0-4ad0-8168-bfca950d210f",
"value": "bcc70a49fab005b4cdbe0cbd87863ec622c6b2c656987d201adbb0e05ec03e56"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1513692037",
"to_ids": false,
"type": "text",
"uuid": "5a391b85-a164-47f1-886a-bfca950d210f",
"value": "Malicious"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1513692038",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5a391b86-5070-45f7-99eb-bfca950d210f",
"value": "95000"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "7",
"timestamp": "1513805862",
"uuid": "e3be9ae2-cc8e-4629-a7e7-266ea9e25610",
"ObjectReference": [
{
"comment": "",
"object_uuid": "e3be9ae2-cc8e-4629-a7e7-266ea9e25610",
"referenced_uuid": "c29a6f81-d269-48e2-8e91-585613d1fbd0",
"relationship_type": "analysed-with",
"timestamp": "1514468151",
"uuid": "5a3ad823-5800-47a5-b5ac-4b5402de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1513805859",
"to_ids": true,
"type": "sha1",
"uuid": "5a3ad823-fa48-4798-93cd-486702de0b81",
"value": "3a1f908941311fc357051b5c35fd2a4e0c834e37"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1513805859",
"to_ids": true,
"type": "md5",
"uuid": "5a3ad823-7b28-44f2-81be-4c7402de0b81",
"value": "16b3f663d0f0371a4706642c6ac04e42"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1513805859",
"to_ids": true,
"type": "sha256",
"uuid": "5a3ad823-26ec-4e9a-aefd-4e3002de0b81",
"value": "bcc70a49fab005b4cdbe0cbd87863ec622c6b2c656987d201adbb0e05ec03e56"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "1",
"timestamp": "1513805859",
"uuid": "c29a6f81-d269-48e2-8e91-585613d1fbd0",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1513805859",
"to_ids": false,
"type": "link",
"uuid": "5a3ad823-da5c-4c1a-b078-406702de0b81",
"value": "https://www.virustotal.com/file/bcc70a49fab005b4cdbe0cbd87863ec622c6b2c656987d201adbb0e05ec03e56/analysis/1513344175/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1513805859",
"to_ids": false,
"type": "text",
"uuid": "5a3ad823-f67c-4a9a-b75a-4f2802de0b81",
"value": "53/67"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1513805859",
"to_ids": false,
"type": "datetime",
"uuid": "5a3ad823-6f14-43ea-a9e7-43e902de0b81",
"value": "2017-12-15T13:22:55"
}
]
}
]
}
}
Reference in a new issue View git blame Copy permalink