adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/586ccbb7-3b08-4fdb-a034-4a8b950d210f.json

543 lines
No EOL
24 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--586ccbb7-3b08-4fdb-a034-4a8b950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:25:55.000Z",
"modified": "2017-01-04T10:25:55.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--586ccbb7-3b08-4fdb-a034-4a8b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:25:55.000Z",
"modified": "2017-01-04T10:25:55.000Z",
"name": "OSINT - Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan",
"published": "2017-01-04T10:26:01Z",
"object_refs": [
"x-misp-attribute--586ccbd5-0478-4d13-bcce-43c1950d210f",
"observed-data--586ccbf5-f54c-4456-b041-475b950d210f",
"url--586ccbf5-f54c-4456-b041-475b950d210f",
"indicator--586ccc86-8444-4cb1-9cb2-4172950d210f",
"indicator--586ccca0-1a7c-4d38-a541-4cdf950d210f",
"indicator--586cccb9-bf7c-4b6b-97f2-41da950d210f",
"indicator--586cccc9-c97c-4291-be73-4956950d210f",
"indicator--586cccda-f028-4aef-b394-4eb4950d210f",
"indicator--586cccf0-fdc0-4761-b125-4e99950d210f",
"indicator--586ccd03-db28-4afc-afb0-4b86950d210f",
"indicator--586ccd18-bd60-4870-af14-423b950d210f",
"indicator--586ccd2f-3a24-4a6d-8585-4bc1950d210f",
"indicator--586ccd4f-af68-4426-b9f6-4dbd02de0b81",
"indicator--586ccd4f-0104-4bb0-86e9-45fe02de0b81",
"observed-data--586ccd50-9fd8-4b0a-acd3-4b6d02de0b81",
"url--586ccd50-9fd8-4b0a-acd3-4b6d02de0b81",
"indicator--586ccd51-847c-452f-be60-48a202de0b81",
"indicator--586ccd51-357c-44b1-adcc-4b4e02de0b81",
"observed-data--586ccd52-ad44-487c-8b58-428e02de0b81",
"url--586ccd52-ad44-487c-8b58-428e02de0b81",
"indicator--586ccd53-4f1c-418a-881a-4efc02de0b81",
"indicator--586ccd53-ad1c-4728-8817-41ed02de0b81",
"observed-data--586ccd54-4b88-4996-b19d-49c702de0b81",
"url--586ccd54-4b88-4996-b19d-49c702de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"Chthonic\"",
"osint:source-type=\"blog-post\"",
"admiralty-scale:source-reliability=\"b\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--586ccbd5-0478-4d13-bcce-43c1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:17:57.000Z",
"modified": "2017-01-04T10:17:57.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "While many email providers, clients, and anti-spam engines have become adept at detecting spam, malicious messages sent via high-profile, legitimate providers are much harder to catch. Threat actors continue to look for new ways to bypass these engines and, in the latest example of innovative approaches to malware distribution, have managed to co-opt PayPal services in a small campaign.\r\n\r\nProofpoint analysts recently noticed an interesting abuse of legitimate service in order to deliver malicious content. Specifically, we observed emails with the subject \u00e2\u20ac\u0153You\u00e2\u20ac\u2122ve got a money request\u00e2\u20ac\u009d that came from PayPal. The sender does not appear to be faked: instead, the spam is generated by registering with PayPal (or using stolen accounts) and then using the portal to \u00e2\u20ac\u0153request money.\u00e2\u20ac\u009d We are not sure how much of this process was automated and how much manual, but the email volume was low."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--586ccbf5-f54c-4456-b041-475b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:18:29.000Z",
"modified": "2017-01-04T10:18:29.000Z",
"first_observed": "2017-01-04T10:18:29Z",
"last_observed": "2017-01-04T10:18:29Z",
"number_observed": 1,
"object_refs": [
"url--586ccbf5-f54c-4456-b041-475b950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--586ccbf5-f54c-4456-b041-475b950d210f",
"value": "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586ccc86-8444-4cb1-9cb2-4172950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:20:54.000Z",
"modified": "2017-01-04T10:20:54.000Z",
"description": "Chthonic 2nd Stage (AZORult)",
"pattern": "[file:hashes.SHA256 = '10d159b0ddb92e9f4b395e90f9cfaa554622c4e77f66f7da176783777db5526a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:20:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586ccca0-1a7c-4d38-a541-4cdf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:21:20.000Z",
"modified": "2017-01-04T10:21:20.000Z",
"description": "AZORult C&C",
"pattern": "[url:value = '91.215.154.202/AZORult/gate.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:21:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586cccb9-bf7c-4b6b-97f2-41da950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:21:45.000Z",
"modified": "2017-01-04T10:21:45.000Z",
"description": "Chthonic 2nd Stage hosting",
"pattern": "[url:value = 'http://www.viscot.com/system/helper/bzr.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:21:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586cccc9-c97c-4291-be73-4956950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:22:01.000Z",
"modified": "2017-01-04T10:22:01.000Z",
"description": "Chthonic C&C",
"pattern": "[domain-name:value = 'kingstonevikte.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:22:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586cccda-f028-4aef-b394-4eb4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:22:18.000Z",
"modified": "2017-01-04T10:22:18.000Z",
"description": "flash.exe",
"pattern": "[file:hashes.SHA256 = '0d2def167ecf39a69a7e949c88bb2096cfd76f7d4bf72f1b0fe27a9da686c141']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:22:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586cccf0-fdc0-4761-b125-4e99950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:22:40.000Z",
"modified": "2017-01-04T10:22:40.000Z",
"description": "JavaScript payload",
"pattern": "[url:value = 'http://wasingo.info/2/flash.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:22:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586ccd03-db28-4afc-afb0-4b86950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:22:59.000Z",
"modified": "2017-01-04T10:22:59.000Z",
"description": "paypalTransactionDetails.jpeg.js",
"pattern": "[file:hashes.SHA256 = '865d2e9cbf5d88ae8b483f0f5e2397449298651381f66c55b7afd4b750eb4da4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:22:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586ccd18-bd60-4870-af14-423b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:23:20.000Z",
"modified": "2017-01-04T10:23:20.000Z",
"description": "URL after the goo.gl redirect (hosting the js)",
"pattern": "[url:value = 'http://katyaflash.com/pp.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:23:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586ccd2f-3a24-4a6d-8585-4bc1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:23:43.000Z",
"modified": "2017-01-04T10:23:43.000Z",
"description": "URL in the email message",
"pattern": "[url:value = 'http://goo.gl/G7z1aS?paypal-nonauthtransaction.jpg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:23:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586ccd4f-af68-4426-b9f6-4dbd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:24:15.000Z",
"modified": "2017-01-04T10:24:15.000Z",
"description": "Chthonic 2nd Stage (AZORult) - Xchecked via VT: 10d159b0ddb92e9f4b395e90f9cfaa554622c4e77f66f7da176783777db5526a",
"pattern": "[file:hashes.SHA1 = 'c887916b08543cb3e3f112add117a9dfa790b9ee']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:24:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586ccd4f-0104-4bb0-86e9-45fe02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:24:15.000Z",
"modified": "2017-01-04T10:24:15.000Z",
"description": "Chthonic 2nd Stage (AZORult) - Xchecked via VT: 10d159b0ddb92e9f4b395e90f9cfaa554622c4e77f66f7da176783777db5526a",
"pattern": "[file:hashes.MD5 = 'd7c19ba47401f69aafed551138ad7e7c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:24:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--586ccd50-9fd8-4b0a-acd3-4b6d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:24:16.000Z",
"modified": "2017-01-04T10:24:16.000Z",
"first_observed": "2017-01-04T10:24:16Z",
"last_observed": "2017-01-04T10:24:16Z",
"number_observed": 1,
"object_refs": [
"url--586ccd50-9fd8-4b0a-acd3-4b6d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--586ccd50-9fd8-4b0a-acd3-4b6d02de0b81",
"value": "https://www.virustotal.com/file/10d159b0ddb92e9f4b395e90f9cfaa554622c4e77f66f7da176783777db5526a/analysis/1476464665/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586ccd51-847c-452f-be60-48a202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:24:17.000Z",
"modified": "2017-01-04T10:24:17.000Z",
"description": "flash.exe - Xchecked via VT: 0d2def167ecf39a69a7e949c88bb2096cfd76f7d4bf72f1b0fe27a9da686c141",
"pattern": "[file:hashes.SHA1 = '47bff3e98e086f821fff1721a8a4b2674102a2ff']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:24:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586ccd51-357c-44b1-adcc-4b4e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:24:17.000Z",
"modified": "2017-01-04T10:24:17.000Z",
"description": "flash.exe - Xchecked via VT: 0d2def167ecf39a69a7e949c88bb2096cfd76f7d4bf72f1b0fe27a9da686c141",
"pattern": "[file:hashes.MD5 = 'c136a0702442b8b02fbad5ed7e6203d7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:24:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--586ccd52-ad44-487c-8b58-428e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:24:18.000Z",
"modified": "2017-01-04T10:24:18.000Z",
"first_observed": "2017-01-04T10:24:18Z",
"last_observed": "2017-01-04T10:24:18Z",
"number_observed": 1,
"object_refs": [
"url--586ccd52-ad44-487c-8b58-428e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--586ccd52-ad44-487c-8b58-428e02de0b81",
"value": "https://www.virustotal.com/file/0d2def167ecf39a69a7e949c88bb2096cfd76f7d4bf72f1b0fe27a9da686c141/analysis/1470300877/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586ccd53-4f1c-418a-881a-4efc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:24:19.000Z",
"modified": "2017-01-04T10:24:19.000Z",
"description": "paypalTransactionDetails.jpeg.js - Xchecked via VT: 865d2e9cbf5d88ae8b483f0f5e2397449298651381f66c55b7afd4b750eb4da4",
"pattern": "[file:hashes.SHA1 = 'c53fca1e1fee6f0be377837f258ae671a7604677']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:24:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586ccd53-ad1c-4728-8817-41ed02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:24:19.000Z",
"modified": "2017-01-04T10:24:19.000Z",
"description": "paypalTransactionDetails.jpeg.js - Xchecked via VT: 865d2e9cbf5d88ae8b483f0f5e2397449298651381f66c55b7afd4b750eb4da4",
"pattern": "[file:hashes.MD5 = '04f75d12660b13d972ac4c8cbf143de9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:24:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--586ccd54-4b88-4996-b19d-49c702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:24:20.000Z",
"modified": "2017-01-04T10:24:20.000Z",
"first_observed": "2017-01-04T10:24:20Z",
"last_observed": "2017-01-04T10:24:20Z",
"number_observed": 1,
"object_refs": [
"url--586ccd54-4b88-4996-b19d-49c702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--586ccd54-4b88-4996-b19d-49c702de0b81",
"value": "https://www.virustotal.com/file/865d2e9cbf5d88ae8b483f0f5e2397449298651381f66c55b7afd4b750eb4da4/analysis/1476581905/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink