491 lines
No EOL
18 KiB
JSON
491 lines
No EOL
18 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2016-03-15",
|
|
"extends_uuid": "",
|
|
"info": "Dridex botnet 222 (20160315)",
|
|
"publish_timestamp": "1458077736",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1458077708",
|
|
"uuid": "56e87ebe-7b6c-4008-bcfd-42a302de0b81",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"name": "tlp:white"
|
|
},
|
|
{
|
|
"colour": "#004646",
|
|
"name": "type:OSINT"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077431",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "56e87ef7-abb8-4ce0-8154-418602de0b81",
|
|
"value": "https://www.virustotal.com/en/file/4030b3b7393c61f25ebf225dc619f6bd4000f94d62a0c42c7b83e7460e0ed010/analysis/"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077445",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "56e87f05-b4f8-49a2-b5c6-4be602de0b81",
|
|
"value": "4030b3b7393c61f25ebf225dc619f6bd4000f94d62a0c42c7b83e7460e0ed010"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "- Xchecked via VT: 4030b3b7393c61f25ebf225dc619f6bd4000f94d62a0c42c7b83e7460e0ed010",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077479",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "56e87f27-eb34-4eb1-ab7b-4f5d02de0b81",
|
|
"value": "b1259b8287e38e79a2afc003471fe4750edefdaa"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "- Xchecked via VT: 4030b3b7393c61f25ebf225dc619f6bd4000f94d62a0c42c7b83e7460e0ed010",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077479",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "56e87f27-02dc-4fa1-9c84-42c602de0b81",
|
|
"value": "f71977440032b680e91baef49d9ca7f8"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077480",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "56e87f28-adfc-40e4-bada-4cb502de0b81",
|
|
"value": "https://www.virustotal.com/file/4030b3b7393c61f25ebf225dc619f6bd4000f94d62a0c42c7b83e7460e0ed010/analysis/1458053512/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077555",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f73-cfbc-449d-bbc3-4fde02de0b81",
|
|
"value": "https://158.255.193.15:4331/0/0/1/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077556",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f74-71f8-41d9-8ddb-4fa302de0b81",
|
|
"value": "https://158.255.193.15:4331/0/1/1/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077556",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f74-3050-4f11-b734-465b02de0b81",
|
|
"value": "https://158.255.193.15:4331/0/1/2/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077556",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f74-7e28-4ee0-8a54-424b02de0b81",
|
|
"value": "https://158.255.193.15:4331/0/1/3/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077557",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f75-8cc4-482b-b402-40fa02de0b81",
|
|
"value": "https://158.255.193.15:4331/0/2/1/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077557",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f75-a32c-4a93-87e0-4f4702de0b81",
|
|
"value": "https://158.255.193.15:4331/0/2/2/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077557",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f75-3c10-4dd6-8006-451502de0b81",
|
|
"value": "https://158.255.193.15:4331/0/3/1/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077558",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f76-d284-48e3-b743-496702de0b81",
|
|
"value": "https://158.255.193.15:4331/0/3/2/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077558",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f76-cc7c-4716-8e92-4e5602de0b81",
|
|
"value": "https://158.255.193.15:4331/0/3/3/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077558",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f76-ad90-4a2c-aa9a-4fec02de0b81",
|
|
"value": "https://158.255.193.15:4331/2/09Zpm2kAxBn6kzsP_logon/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077559",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f77-2f48-43c4-9a30-4d9d02de0b81",
|
|
"value": "https://158.255.193.15:4331/2/5GKESykA88VV9kVk_logon/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077559",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f77-9cdc-4bcc-b5f7-40a502de0b81",
|
|
"value": "https://158.255.193.15:4331/2/5vgOnl464R46YHaW_logon/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077559",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f77-2bd0-47f5-a4bf-483902de0b81",
|
|
"value": "https://158.255.193.15:4331/2/bosbiz_logon/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077559",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f77-cdb8-440e-9991-4e4002de0b81",
|
|
"value": "https://158.255.193.15:4331/2/cybiz_logon/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077560",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f78-f264-43ad-8138-4a5d02de0b81",
|
|
"value": "https://158.255.193.15:4331/2/Euxx6OyGjUA92S6m_logon/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077560",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f78-4298-44e3-b60a-42f702de0b81",
|
|
"value": "https://158.255.193.15:4331/2/Euxx6OyGjUA92S6m_logon/default_redirect.js"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077561",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f79-9b2c-4187-ba5a-437502de0b81",
|
|
"value": "https://158.255.193.15:4331/2/Euxx6OyGjUA92S6m_logon/files/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077561",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f79-571c-427a-b237-4e6402de0b81",
|
|
"value": "https://158.255.193.15:4331/2/hsbcnet_logon/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077561",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f79-0104-4d80-a0f6-440002de0b81",
|
|
"value": "https://158.255.193.15:4331/2/lloydsbiz_logon/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077562",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f7a-a3ec-41b7-a7fa-476002de0b81",
|
|
"value": "https://158.255.193.15:4331/2/lloydscorp_logon/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077562",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f7a-64a0-4b59-9228-4a5602de0b81",
|
|
"value": "https://158.255.193.15:4331/2/lloydslink_logon/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077562",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f7a-9030-44f7-bf32-439602de0b81",
|
|
"value": "https://158.255.193.15:4331/2/nationwide_logon/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077563",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f7b-2050-481f-bd93-48f802de0b81",
|
|
"value": "https://158.255.193.15:4331/2/santacorp_logon/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077563",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f7b-d670-4c97-b119-47b702de0b81",
|
|
"value": "https://158.255.193.15:4331/2/tsbbiz_logon/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077563",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f7b-ab3c-4b61-817a-454702de0b81",
|
|
"value": "https://158.255.193.15:4331/2/XlxFi7aP7bK5w2vW_logon/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077564",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f7c-7db8-4f24-b556-4a4f02de0b81",
|
|
"value": "https://158.255.193.15:4331/2/Ya4SYLq6fbMz712y_logon/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077564",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f7c-d510-45e7-a09b-4a8802de0b81",
|
|
"value": "https://5.152.201.6:4331/eatlightas"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077564",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f7c-a0bc-4e02-810f-49a002de0b81",
|
|
"value": "https://5.152.201.6:4331/humantangible"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077565",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "56e87f7d-4e9c-4555-a70c-415002de0b81",
|
|
"value": "https://93.186.184.135:4243/eatlightas"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "On port 643",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077593",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "56e87f99-ca78-4783-93a3-419f02de0b81",
|
|
"value": "210.209.89.107"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "On port 4113",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077593",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "56e87f99-4814-426d-99fc-40b402de0b81",
|
|
"value": "213.192.1.178"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "On port 4843",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077594",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "56e87f9a-2510-4bb9-8e43-42f502de0b81",
|
|
"value": "87.117.242.31"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "On port 443",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077614",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "56e87fae-b260-44f9-a932-4d1602de0b81",
|
|
"value": "154.66.148.52"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "On port 444",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077614",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "56e87fae-cd88-431e-8fa6-439a02de0b81",
|
|
"value": "212.183.20.78"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "On port 443",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077615",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "56e87faf-71cc-46ee-a650-41de02de0b81",
|
|
"value": "41.79.173.47"
|
|
},
|
|
{
|
|
"category": "Targeting data",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077670",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "56e87fe6-60d4-4af7-9f3d-4f2502de0b81",
|
|
"value": "^https://ibank1\\.bib\\.barclays\\.com/logon/bibapplication.+LOGON\\.VALIDATE\\.SIGNED\r\n^https://entreprises\\.secure\\.societegenerale\\.fr/authent\\.html\r\n^https://www\\.labanquepostale\\.fr/grands-institutionnels\\.html\r\n^http://barclays\\.tenalps\\.com\r\n^https://shavar\\.services\\.mozilla\\.com/\r\n^https://urs\\.microsoft\\.com/\r\n^https://localhost.*/skypectoc/\r\n^http://.+/workbench/\r\n^https?://www\\.ce-g3-enligne\\.credit-agricole\\.fr/\r\n^https://entreprises\\.societegenerale\\.fr/\r\n^https://entreprises\\.certif\\.societegenerale\\.fr/authent\\.html\r\n^http://.+/MULTIVERSA\r\n^https://www\\.labanquepostale\\.fr/grandes-entreprises\\.html\r\n^https?://www\\.ca-paris\\.fr/\r\n^https://www\\.labanquepostale\\.fr/professionnels\\.html\r\n^https://professionnels\\.secure.societegenerale\\.fr/$\r\n^https://professionnels\\.societegenerale\\.fr/$\r\n^https://entreprises\\.bnpparibas\\.net/NSAccess\r\n^https://www2\\.bancopopular\\.es/\r\n^https://www\\.normand-g3-enligne\\.credit-agricole\\.fr/stb/\r\n^https?://www\\.net\\d+\\.caisse-epargne\\.fr/\r\n^https://www\\.anjou-maine-ediweb\\.credit-agricole\\.fr\r\n^https://statso\\.par\\.societegenerale\\.fr\r\n^https://.+\\.fr/stb/entreeBam\r\n^https?://particuliers\\.secure\\.societegenerale\\.fr\r\n^https://rib\\.ecobank\\.com/ecobankburkina/internet\r\n^https://ibank\\.humebank\\.com\\.au/mvp/signon/login\\.asp\r\n^https://cashmanagement\\.barclays\\.net/portalservices/forms/login\\.pser\\?TYPE.+cashmanagement\r\n^https://corporate\\.santander\\.co\\.uk/LOGSCU_NS_ENS/BtoChannelDriver\\.bto\r\n^https://corporate\\.santander\\.co\\.uk/(SCU_AUTHOR_ENS|SCU_PAYMNT_ENS)/\r\n^https://professionnels\\.secure\\.lcl\\.fr/outil/UAUT/Accueil/preRoutageLogin\r\n^https://secure1\\.entreprises\\.bnpparibas\\.net/sommaire/jsp/identification\\.jsp\r\n^https://www\\.caisse-epargne\\.fr/particuliers/normandie/accueil\\.aspx"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1458077708",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "56e8800c-8fb4-4d45-b4da-4d1d02de0b81",
|
|
"value": "<botnet>222</botnet>\r\n<version>196796</version>"
|
|
}
|
|
]
|
|
}
|
|
} |