{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2019-05-25",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Sorpresa! JasperLoader targets Italy with a new bag of tricks",
|
|
"publish_timestamp": "1558772089",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1558772061",
|
|
"uuid": "5ce8f7f8-8584-40c3-b33b-4660950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"local": false,
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0071c3",
|
|
"local": false,
|
|
"name": "osint:lifetime=\"perpetual\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0087e8",
|
|
"local": false,
|
|
"name": "osint:certainty=\"50\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": false,
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:tool=\"JasperLoader\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1558771718",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5ce8f806-78c4-4413-8b6b-467a950d210f",
|
|
"value": "https://blog.talosintelligence.com/2019/05/sorpresa-jasperloader.html"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "observed to be associated with JasperLoader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1558771747",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5ce8f823-d814-4298-8f6b-47e9950d210f",
|
|
"value": "052c9895383eb10e4ad5bec37822f624e443bbe01700b1fe5abeeea757456aed"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "observed to be associated with JasperLoader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1558771747",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5ce8f823-90e0-4cda-9aa5-46c8950d210f",
|
|
"value": "54666103a3c8221cf3d7d39035b638f3c3bcc233e1916b015aeee2539f38f719"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "observed to be associated with JasperLoader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1558771747",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5ce8f823-69ec-4718-87ec-4a42950d210f",
|
|
"value": "ee3601c6e111c42d02c83b58b4fc70265b937e9d4d153203a4111f51a8a08aab"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "observed to be associated with JasperLoader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1558771773",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5ce8f83d-6a58-408b-8bbf-49cd950d210f",
|
|
"value": "185.158.251.171"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "observed to be associated with JasperLoader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1558771773",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5ce8f83d-a420-4c97-ba2c-472d950d210f",
|
|
"value": "185.158.249.116"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains observed to be associated with JasperLoader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1558771800",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5ce8f858-6bf8-4378-804b-47d5950d210f",
|
|
"value": "breed.wanttobea.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains observed to be associated with JasperLoader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1558771800",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5ce8f858-4c48-42e1-8be1-4c6f950d210f",
|
|
"value": "zzi.aircargox.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains observed to be associated with JasperLoader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1558771800",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5ce8f858-2a8c-493c-a9b6-4ca1950d210f",
|
|
"value": "nono.littlebodiesbigsouls.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains observed to be associated with JasperLoader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1558771800",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5ce8f858-ddd8-44c9-b9e3-4f6e950d210f",
|
|
"value": "tribunaledinapoli.recsinc.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains observed to be associated with JasperLoader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1558771800",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5ce8f858-4e58-4777-9799-4b4e950d210f",
|
|
"value": "tribunaledinapoli.prepperpillbox.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains observed to be associated with JasperLoader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1558771800",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5ce8f858-1b08-469f-bde2-4810950d210f",
|
|
"value": "tribunaledinapoli.lowellunderwood.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains observed to be associated with JasperLoader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1558771800",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5ce8f858-2530-4f92-b6f3-48c3950d210f",
|
|
"value": "tribunaledinapoli.rntman.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Attribute #5945959 enriched by dns.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1558771814",
|
|
"to_ids": false,
|
|
"type": "ip-src",
|
|
"uuid": "5ce8f866-7abc-4168-a664-459fe387cbd9",
|
|
"value": "185.158.251.171"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Attribute #5945960 enriched by dns.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1558771814",
|
|
"to_ids": false,
|
|
"type": "ip-src",
|
|
"uuid": "5ce8f866-1cf0-423a-993a-431ce387cbd9",
|
|
"value": "185.158.248.110"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Attribute #5945961 enriched by dns.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1558771814",
|
|
"to_ids": false,
|
|
"type": "ip-src",
|
|
"uuid": "5ce8f866-a36c-4e78-a62d-41b1e387cbd9",
|
|
"value": "185.212.47.163"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Attribute #5945962 enriched by dns.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1558771814",
|
|
"to_ids": false,
|
|
"type": "ip-src",
|
|
"uuid": "5ce8f866-b738-4d0f-a1d2-4d6be387cbd9",
|
|
"value": "185.212.44.126"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1558771850",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5ce8f88a-bdb0-437e-a975-40ad950d210f",
|
|
"value": "Over the past few months, a new malware loader called JasperLoader has emerged that targets Italy and other European countries with banking trojans such as Gootkit. We recently released a comprehensive analysis of the functionality associated with JasperLoader. Shortly after the publication of our analysis, the distribution activity associated with these campaigns halted. But after several weeks of relatively low volumes of activity, we discovered a new version of JasperLoader being spread. This new version features several changes and improvements from the initial version we analyzed. JasperLoader is typically used to infect systems with additional malware payloads which can be used to exfiltrate sensitive information, damage systems or otherwise negatively impact organizations.\r\n\r\nThe attackers behind this specific threat have implemented additional mechanisms to control where the malware can spread and are now taking steps to avoid analysis by sandboxes and antivirus companies. There's also a new command and control (C2) mechanism to facilitate communications between infected systems and the infrastructure being used to control them. The campaigns that are currently distributing JasperLoader continue to target Italian victims and further demonstrate that while JasperLoader is a relatively new threat, the developers behind it are continuing to actively refine and improve upon this malware at a rapid pace and introduce sophistication that is not commonly seen in financially motivated malware."
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1558771983",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5ce8f90f-8dbc-42f7-b48a-49af950d210f",
|
|
"value": "http://tribunaledinapoli.recsinc.com/documento.zip",
|
|
"Tag": [
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1192\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1558771983",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5ce8f90f-95c0-4e47-9ae3-4de5950d210f",
|
|
"value": "http://tribunaledinapoli.recsinc.com/documento.zip?214299"
|
|
}
|
|
]
|
|
}
|
|
} |