422 lines
No EOL
19 KiB
JSON
422 lines
No EOL
19 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--5b1e2aab-9e84-4908-9db2-4bb8950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-13T07:29:13.000Z",
|
|
"modified": "2018-06-13T07:29:13.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--5b1e2aab-9e84-4908-9db2-4bb8950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-13T07:29:13.000Z",
|
|
"modified": "2018-06-13T07:29:13.000Z",
|
|
"name": "OSINT - Goodfellas, the Brazilian carding scene is after you",
|
|
"published": "2018-06-13T15:40:52Z",
|
|
"object_refs": [
|
|
"observed-data--5b1e2b05-0db8-4b98-b0c7-41d7950d210f",
|
|
"url--5b1e2b05-0db8-4b98-b0c7-41d7950d210f",
|
|
"x-misp-attribute--5b1e2b50-9cc0-4415-876b-4a99950d210f",
|
|
"indicator--5b1e2bbb-576c-482a-b05c-41ef950d210f",
|
|
"indicator--5b1e2c0a-c3fc-406b-8feb-4b6e950d210f",
|
|
"indicator--5b1e2d11-43cc-4383-bb6d-41b5950d210f",
|
|
"indicator--5b1e324a-724c-4fb6-a9cb-4b4a950d210f",
|
|
"indicator--5b1e3263-e11c-42cf-b81e-4757950d210f",
|
|
"x-misp-object--11027696-51a5-490c-8a4f-473fd0489c29",
|
|
"x-misp-object--50c83155-900b-441a-83d6-2a391a274548",
|
|
"x-misp-object--5b136ef2-fa8b-46dc-b170-42ff816d565b",
|
|
"x-misp-object--aa90e50e-5831-4a40-90ff-abe012c776d8",
|
|
"x-misp-object--dda87322-1b8c-4646-bc31-7a076d5bc6b4",
|
|
"x-misp-object--25746874-1cb9-4718-ba55-35a0bd263c31",
|
|
"x-misp-object--7abef902-1194-4ec5-a86e-c8d67e3d6b4f",
|
|
"x-misp-object--205f50f6-77e7-43ac-a764-d13afc79e6b8",
|
|
"x-misp-object--d7dd0509-3912-4c63-846b-2d8511faaffd",
|
|
"x-misp-object--4a34ea3f-eb37-49e5-a937-c0fc11a122e9",
|
|
"relationship--87bc6ec2-a9ce-49f1-9737-22dfb8485c60",
|
|
"relationship--29d8a4b2-0e7f-4d6c-a9a0-3ee58c2cb9b4",
|
|
"relationship--23330dae-5577-4e64-84e7-d4746c225074",
|
|
"relationship--c72b1a4a-8088-4655-a39b-794c3308c794",
|
|
"relationship--6d080a81-d16b-4e03-b490-5b06ca2b2e64"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"misp-galaxy:tool=\"PRILEX\"",
|
|
"circl:incident-classification=\"malware\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5b1e2b05-0db8-4b98-b0c7-41d7950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-11T07:57:17.000Z",
|
|
"modified": "2018-06-11T07:57:17.000Z",
|
|
"first_observed": "2018-06-11T07:57:17Z",
|
|
"last_observed": "2018-06-11T07:57:17Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5b1e2b05-0db8-4b98-b0c7-41d7950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5b1e2b05-0db8-4b98-b0c7-41d7950d210f",
|
|
"value": "https://securelist.com/goodfellas-the-brazilian-carding-scene-is-after-you/84263/"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5b1e2b50-9cc0-4415-876b-4a99950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-11T07:57:10.000Z",
|
|
"modified": "2018-06-11T07:57:10.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "There are three ways of doing things in the malware business: the right way, the wrong way and the way Brazilians do it. From the early beginnings, using skimmers on ATMs, compromising point of sales systems, or even modifying the hardware of processing devices, Latin America has been a fertile ground for collecting credit and debit cards en masse.\r\n\r\nBrazil started the migration to EMV cards in 1999 and nowadays almost all cards issued in the country are chip-enabled. A small Java-based application lives inside this chip and can be easily manipulated in order to create a \u00e2\u20ac\u0153golden ticket\u00e2\u20ac\u009d card that will be valid in most (if not all) point of sale systems. Having this knowledge has enabled the criminals to update their activities, allowing them to create their own cards featuring this new technology and keeping them \u00e2\u20ac\u0153in the business.\u00e2\u20ac\u009d\r\n\r\nEnter the world of Brazilian malware development, incorporating every trick in the book and adding a custom made malware that can easily collect data from chip and PIN protected cards; all while offering a nicely designed interface for administering the ill-gotten information, validating numbers, and offering their \u00e2\u20ac\u0153customers\u00e2\u20ac\u009d an easy to use package to burn their cloned card."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b1e2bbb-576c-482a-b05c-41ef950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-11T07:58:51.000Z",
|
|
"modified": "2018-06-11T07:58:51.000Z",
|
|
"description": "Trojan.Win32.Prilex.b",
|
|
"pattern": "[file:hashes.MD5 = '7ab092ea240430f45264b5dcbd350156' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-06-11T07:58:51Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b1e2c0a-c3fc-406b-8feb-4b6e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-11T08:00:10.000Z",
|
|
"modified": "2018-06-11T08:00:10.000Z",
|
|
"description": "Trojan.Win32.Prilex.c",
|
|
"pattern": "[file:hashes.MD5 = '34fb450417471eba939057e903b25523' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-06-11T08:00:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b1e2d11-43cc-4383-bb6d-41b5950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-11T08:04:33.000Z",
|
|
"modified": "2018-06-11T08:04:33.000Z",
|
|
"description": "Trojan.Win32.Prilex.h ",
|
|
"pattern": "[file:hashes.MD5 = '26dcd3aa4918d4b7438e8c0ebd9e1cfd' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-06-11T08:04:33Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b1e324a-724c-4fb6-a9cb-4b4a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-11T08:26:50.000Z",
|
|
"modified": "2018-06-11T08:26:50.000Z",
|
|
"description": "Trojan.Win32.Prilex.f",
|
|
"pattern": "[file:hashes.MD5 = 'f5ff2992bdb1979642599ee54cfbc3d3' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-06-11T08:26:50Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b1e3263-e11c-42cf-b81e-4757950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-11T08:27:15.000Z",
|
|
"modified": "2018-06-11T08:27:15.000Z",
|
|
"description": "Trojan.Win32.Prilex.m ",
|
|
"pattern": "[file:hashes.MD5 = '7ae9043778fee965af4f8b66721bdfab' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-06-11T08:27:15Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--11027696-51a5-490c-8a4f-473fd0489c29",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-13T07:28:15.000Z",
|
|
"modified": "2018-06-13T07:28:15.000Z",
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\""
|
|
],
|
|
"x_misp_meta_category": "file",
|
|
"x_misp_name": "file"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--50c83155-900b-441a-83d6-2a391a274548",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-13T07:28:14.000Z",
|
|
"modified": "2018-06-13T07:28:14.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--5b136ef2-fa8b-46dc-b170-42ff816d565b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-13T07:28:18.000Z",
|
|
"modified": "2018-06-13T07:28:18.000Z",
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\""
|
|
],
|
|
"x_misp_meta_category": "file",
|
|
"x_misp_name": "file"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--aa90e50e-5831-4a40-90ff-abe012c776d8",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-13T07:28:16.000Z",
|
|
"modified": "2018-06-13T07:28:16.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--dda87322-1b8c-4646-bc31-7a076d5bc6b4",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-13T07:28:20.000Z",
|
|
"modified": "2018-06-13T07:28:20.000Z",
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\""
|
|
],
|
|
"x_misp_meta_category": "file",
|
|
"x_misp_name": "file"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--25746874-1cb9-4718-ba55-35a0bd263c31",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-13T07:28:19.000Z",
|
|
"modified": "2018-06-13T07:28:19.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--7abef902-1194-4ec5-a86e-c8d67e3d6b4f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-13T07:28:22.000Z",
|
|
"modified": "2018-06-13T07:28:22.000Z",
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\""
|
|
],
|
|
"x_misp_meta_category": "file",
|
|
"x_misp_name": "file"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--205f50f6-77e7-43ac-a764-d13afc79e6b8",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-13T07:28:21.000Z",
|
|
"modified": "2018-06-13T07:28:21.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--d7dd0509-3912-4c63-846b-2d8511faaffd",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-13T07:28:25.000Z",
|
|
"modified": "2018-06-13T07:28:25.000Z",
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\""
|
|
],
|
|
"x_misp_meta_category": "file",
|
|
"x_misp_name": "file"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--4a34ea3f-eb37-49e5-a937-c0fc11a122e9",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-13T07:28:23.000Z",
|
|
"modified": "2018-06-13T07:28:23.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--87bc6ec2-a9ce-49f1-9737-22dfb8485c60",
|
|
"created": "2018-06-13T07:28:24.000Z",
|
|
"modified": "2018-06-13T07:28:24.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "x-misp-object--11027696-51a5-490c-8a4f-473fd0489c29",
|
|
"target_ref": "x-misp-object--50c83155-900b-441a-83d6-2a391a274548"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--29d8a4b2-0e7f-4d6c-a9a0-3ee58c2cb9b4",
|
|
"created": "2018-06-13T07:28:25.000Z",
|
|
"modified": "2018-06-13T07:28:25.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "x-misp-object--5b136ef2-fa8b-46dc-b170-42ff816d565b",
|
|
"target_ref": "x-misp-object--aa90e50e-5831-4a40-90ff-abe012c776d8"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--23330dae-5577-4e64-84e7-d4746c225074",
|
|
"created": "2018-06-13T07:28:25.000Z",
|
|
"modified": "2018-06-13T07:28:25.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "x-misp-object--dda87322-1b8c-4646-bc31-7a076d5bc6b4",
|
|
"target_ref": "x-misp-object--25746874-1cb9-4718-ba55-35a0bd263c31"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--c72b1a4a-8088-4655-a39b-794c3308c794",
|
|
"created": "2018-06-13T07:28:25.000Z",
|
|
"modified": "2018-06-13T07:28:25.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "x-misp-object--7abef902-1194-4ec5-a86e-c8d67e3d6b4f",
|
|
"target_ref": "x-misp-object--205f50f6-77e7-43ac-a764-d13afc79e6b8"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--6d080a81-d16b-4e03-b490-5b06ca2b2e64",
|
|
"created": "2018-06-13T07:28:25.000Z",
|
|
"modified": "2018-06-13T07:28:25.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "x-misp-object--d7dd0509-3912-4c63-846b-2d8511faaffd",
|
|
"target_ref": "x-misp-object--4a34ea3f-eb37-49e5-a937-c0fc11a122e9"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |