misp-circl-feed/feeds/circl/misp/57dff9a6-b4b0-4e79-9271-4a10950d210f.json


{
"Event": {
"analysis": "2",
"date": "2016-09-19",
"extends_uuid": "",
"info": "OSINT - Malicious Macros Add Sandbox Evasion Techniques to Distribute New Dridex",
"publish_timestamp": "1474296582",
"published": true,
"threat_level_id": "3",
"timestamp": "1474296530",
"uuid": "57dff9a6-b4b0-4e79-9271-4a10950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296309",
"to_ids": false,
"type": "link",
"uuid": "57dff9f5-8e50-47cc-a804-4513950d210f",
"value": "https://www.proofpoint.com/us/threat-insight/post/malicious-macros-add-to-sandbox-evasion-techniques-to-distribute-new-dridex"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296326",
"to_ids": false,
"type": "comment",
"uuid": "57dffa06-a2e0-4cf0-a86e-4f4e950d210f",
"value": "This week Proofpoint researchers observed several noteworthy changes in the macros used by an actor we refer to as TA530, who we previously examined in relation to large-scale personalized phishing campaigns [1] [2]. This new campaign included evasive macros, which, while not unusual for this group (earlier versions were analyzed by Mcafee [3] and Checkpoint [4]), demonstrated continued evolution in their latest iteration. Most notably their new macro looks up the public IP address of the client and does not download the payload if it finds that the IP address is associated with a security vendor, certain cloud services, or a sandbox environment.\r\n\r\nThis week, we observed TA530 using their evasive macros to deliver Nymaim, Ursnif, and Dridex 124. The Dridex payload with botnet ID 124 is a previously unseen sub-botnet which is targeting Swiss banking sites, while the Nymaim and Ursnif payloads targeted North America and Australia, respectively."
},
{
"category": "Payload delivery",
"comment": "Nymaim Document",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296365",
"to_ids": true,
"type": "sha256",
"uuid": "57dffa2d-edc8-443d-8ca8-4bdd950d210f",
"value": "a8ae681463b75470be8dc911f0cf7ca01a2eaea87005564263a5bbe38d652369"
},
{
"category": "Payload delivery",
"comment": "Ursnif Document",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296366",
"to_ids": true,
"type": "sha256",
"uuid": "57dffa2e-0ca0-4410-bbdd-448c950d210f",
"value": "f73fcbf4cf9a775d4d4abf53c13a0136a120d5a7e015942a7a43f686f266bf70"
},
{
"category": "Payload delivery",
"comment": "Dridex Document",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296367",
"to_ids": true,
"type": "sha256",
"uuid": "57dffa2f-b5e8-41b5-a6ff-41d9950d210f",
"value": "72acb7dd6bea232c623367a4d3417d0ee7d412d3df5a0287d621716f5a69ab06"
},
{
"category": "Network activity",
"comment": "Example Ursnif Download",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296455",
"to_ids": true,
"type": "url",
"uuid": "57dffa87-f8a8-452f-babe-4de0950d210f",
"value": "http://britcart.com/britstar/office12.data"
},
{
"category": "Network activity",
"comment": "Example Nymaim Download",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296456",
"to_ids": true,
"type": "url",
"uuid": "57dffa88-2170-436e-938e-484a950d210f",
"value": "http://arabtradenet.com/info/content.dat"
},
{
"category": "Network activity",
"comment": "Example Dridex Download",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296456",
"to_ids": true,
"type": "url",
"uuid": "57dffa88-7840-4208-8208-476b950d210f",
"value": "http://onehealthpublishing.com/image/office.gif"
},
{
"category": "Payload delivery",
"comment": "Example Nymaim Payload",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296495",
"to_ids": true,
"type": "sha256",
"uuid": "57dffaaf-ff20-46d6-bb8f-49a8950d210f",
"value": "f34589058db1a8cdb31c79eec88bd851cf3e2157501760f1c0263523d614d8f9"
},
{
"category": "Payload delivery",
"comment": "Example Ursnif Payload",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296496",
"to_ids": true,
"type": "sha256",
"uuid": "57dffab0-c890-4dbb-9467-4351950d210f",
"value": "6b588ff17412c4a8221521ab70d7d0230c339ed4c5c96c181e4010ba0007e879"
},
{
"category": "Payload delivery",
"comment": "Example Dridex Payload",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296496",
"to_ids": true,
"type": "sha256",
"uuid": "57dffab0-39b8-4880-bcc9-472c950d210f",
"value": "97b1e8282d1ec8f82a83eb3d8a991f494e332e4059b1c9f0d53beda257e21629"
},
{
"category": "Payload delivery",
"comment": "Example Dridex Payload - Xchecked via VT: 97b1e8282d1ec8f82a83eb3d8a991f494e332e4059b1c9f0d53beda257e21629",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296531",
"to_ids": true,
"type": "sha1",
"uuid": "57dffad3-d5a8-4a68-880e-4a5d02de0b81",
"value": "50d2d8cceb257b074e37265da537cf493c805210"
},
{
"category": "Payload delivery",
"comment": "Example Dridex Payload - Xchecked via VT: 97b1e8282d1ec8f82a83eb3d8a991f494e332e4059b1c9f0d53beda257e21629",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296531",
"to_ids": true,
"type": "md5",
"uuid": "57dffad3-efe4-4839-a28d-4b6b02de0b81",
"value": "59b569b8875fd3847ae0308af85e3440"
},
{
"category": "External analysis",
"comment": "Example Dridex Payload - Xchecked via VT: 97b1e8282d1ec8f82a83eb3d8a991f494e332e4059b1c9f0d53beda257e21629",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296532",
"to_ids": false,
"type": "link",
"uuid": "57dffad4-d364-4f79-b4e9-453602de0b81",
"value": "https://www.virustotal.com/file/97b1e8282d1ec8f82a83eb3d8a991f494e332e4059b1c9f0d53beda257e21629/analysis/1465971238/"
},
{
"category": "Payload delivery",
"comment": "Example Ursnif Payload - Xchecked via VT: 6b588ff17412c4a8221521ab70d7d0230c339ed4c5c96c181e4010ba0007e879",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296533",
"to_ids": true,
"type": "sha1",
"uuid": "57dffad5-63a4-45ab-a6e0-4af502de0b81",
"value": "61996a309d84daf441cd7a3e71ed45c8fe210824"
},
{
"category": "Payload delivery",
"comment": "Example Ursnif Payload - Xchecked via VT: 6b588ff17412c4a8221521ab70d7d0230c339ed4c5c96c181e4010ba0007e879",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296533",
"to_ids": true,
"type": "md5",
"uuid": "57dffad5-2378-4608-b880-457b02de0b81",
"value": "86a50ac34b6e18b5bec0a24a1b4f12d3"
},
{
"category": "External analysis",
"comment": "Example Ursnif Payload - Xchecked via VT: 6b588ff17412c4a8221521ab70d7d0230c339ed4c5c96c181e4010ba0007e879",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296534",
"to_ids": false,
"type": "link",
"uuid": "57dffad6-a830-41f2-adb9-480302de0b81",
"value": "https://www.virustotal.com/file/6b588ff17412c4a8221521ab70d7d0230c339ed4c5c96c181e4010ba0007e879/analysis/1473668183/"
},
{
"category": "Payload delivery",
"comment": "Example Nymaim Payload - Xchecked via VT: f34589058db1a8cdb31c79eec88bd851cf3e2157501760f1c0263523d614d8f9",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296535",
"to_ids": true,
"type": "sha1",
"uuid": "57dffad7-5278-4962-91b7-43a002de0b81",
"value": "c28bec7ce1d0bcfd1a007cefe086571d5d49b975"
},
{
"category": "Payload delivery",
"comment": "Example Nymaim Payload - Xchecked via VT: f34589058db1a8cdb31c79eec88bd851cf3e2157501760f1c0263523d614d8f9",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296535",
"to_ids": true,
"type": "md5",
"uuid": "57dffad7-ddb8-4af6-846a-457f02de0b81",
"value": "12abc10d3c37841f4f4f7e193b045f6b"
},
{
"category": "External analysis",
"comment": "Example Nymaim Payload - Xchecked via VT: f34589058db1a8cdb31c79eec88bd851cf3e2157501760f1c0263523d614d8f9",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296536",
"to_ids": false,
"type": "link",
"uuid": "57dffad8-dae4-4425-bf3b-410202de0b81",
"value": "https://www.virustotal.com/file/f34589058db1a8cdb31c79eec88bd851cf3e2157501760f1c0263523d614d8f9/analysis/1465970739/"
},
{
"category": "Payload delivery",
"comment": "Dridex Document - Xchecked via VT: 72acb7dd6bea232c623367a4d3417d0ee7d412d3df5a0287d621716f5a69ab06",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296537",
"to_ids": true,
"type": "sha1",
"uuid": "57dffad9-de4c-44b7-a374-405102de0b81",
"value": "27c3ff564efbf5db343feba688236c180846b61b"
},
{
"category": "Payload delivery",
"comment": "Dridex Document - Xchecked via VT: 72acb7dd6bea232c623367a4d3417d0ee7d412d3df5a0287d621716f5a69ab06",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296537",
"to_ids": true,
"type": "md5",
"uuid": "57dffad9-6b2c-43de-883a-4dbe02de0b81",
"value": "64d133b98ab00c9f5409e4ab29a70250"
},
{
"category": "External analysis",
"comment": "Dridex Document - Xchecked via VT: 72acb7dd6bea232c623367a4d3417d0ee7d412d3df5a0287d621716f5a69ab06",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296538",
"to_ids": false,
"type": "link",
"uuid": "57dffada-9154-4c95-b067-43ea02de0b81",
"value": "https://www.virustotal.com/file/72acb7dd6bea232c623367a4d3417d0ee7d412d3df5a0287d621716f5a69ab06/analysis/1466780189/"
},
{
"category": "Payload delivery",
"comment": "Ursnif Document - Xchecked via VT: f73fcbf4cf9a775d4d4abf53c13a0136a120d5a7e015942a7a43f686f266bf70",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296539",
"to_ids": true,
"type": "sha1",
"uuid": "57dffadb-7b64-4794-89dc-452502de0b81",
"value": "cfb624f1b220b96e51214a58a29e596334cf975d"
},
{
"category": "Payload delivery",
"comment": "Ursnif Document - Xchecked via VT: f73fcbf4cf9a775d4d4abf53c13a0136a120d5a7e015942a7a43f686f266bf70",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296539",
"to_ids": true,
"type": "md5",
"uuid": "57dffadb-5cf0-490d-8b2b-4b6402de0b81",
"value": "89968ce9689ffcf42cd5e8b1702ad6a3"
},
{
"category": "External analysis",
"comment": "Ursnif Document - Xchecked via VT: f73fcbf4cf9a775d4d4abf53c13a0136a120d5a7e015942a7a43f686f266bf70",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296540",
"to_ids": false,
"type": "link",
"uuid": "57dffadc-f574-41e3-8413-489f02de0b81",
"value": "https://www.virustotal.com/file/f73fcbf4cf9a775d4d4abf53c13a0136a120d5a7e015942a7a43f686f266bf70/analysis/1465721182/"
},
{
"category": "Payload delivery",
"comment": "Nymaim Document - Xchecked via VT: a8ae681463b75470be8dc911f0cf7ca01a2eaea87005564263a5bbe38d652369",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296541",
"to_ids": true,
"type": "sha1",
"uuid": "57dffadd-6bf0-4f60-957a-422102de0b81",
"value": "f5249c827757e4ef4bc107e7ca0e8e5b3e361bdc"
},
{
"category": "Payload delivery",
"comment": "Nymaim Document - Xchecked via VT: a8ae681463b75470be8dc911f0cf7ca01a2eaea87005564263a5bbe38d652369",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296541",
"to_ids": true,
"type": "md5",
"uuid": "57dffadd-5800-46d8-a22a-472c02de0b81",
"value": "ad9c255868ab55652555e47d8985ea2f"
},
{
"category": "External analysis",
"comment": "Nymaim Document - Xchecked via VT: a8ae681463b75470be8dc911f0cf7ca01a2eaea87005564263a5bbe38d652369",
"deleted": false,
"disable_correlation": false,
"timestamp": "1474296542",
"to_ids": false,
"type": "link",
"uuid": "57dffade-be88-4afb-a678-46f702de0b81",
"value": "https://www.virustotal.com/file/a8ae681463b75470be8dc911f0cf7ca01a2eaea87005564263a5bbe38d652369/analysis/1465720444/"
}
]
}
}