115 lines
No EOL
4 KiB
JSON
115 lines
No EOL
4 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2017-08-24",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - New multi platform malware/adware spreading via Facebook Messenger",
|
|
"publish_timestamp": "1504870931",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1504870925",
|
|
"uuid": "59b23683-c180-4b81-87c5-4610950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"name": "type:OSINT"
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"name": "tlp:white"
|
|
},
|
|
{
|
|
"colour": "#3b7500",
|
|
"name": "circl:incident-classification=\"malware\""
|
|
},
|
|
{
|
|
"colour": "#00223b",
|
|
"name": "osint:source-type=\"blog-post\""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504870919",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59b23694-301c-4273-a338-ec64950d210f",
|
|
"value": "https://securelist.com/new-multi-platform-malwareadware-spreading-via-facebook-messenger/81590/",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"name": "osint:source-type=\"blog-post\""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504870919",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "59b236b2-bf84-4f5c-a073-4ccd950d210f",
|
|
"value": "One good thing about having a lot of Facebook friends is that you simply act as a honey pot when your friends click on malicious things. A few days ago I got a message on Facebook from a person I very rarely speak to, and I knew that something fishy was going on.\r\n\r\nAfter just a few minutes analyzing the message, I understood that I was just peeking at the top of this iceberg. This malware was spreading via Facebook Messenger, serving multi platform malware/adware, using tons of domains to prevent tracking, and earning clicks. The code is advanced and obfuscated.",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"name": "osint:source-type=\"blog-post\""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504870919",
|
|
"to_ids": true,
|
|
"type": "filename|md5",
|
|
"uuid": "59b236f8-3d18-4582-9dca-4610950d210f",
|
|
"value": "injection.js|ebc117c0cf03ad4b13184d1253862586"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: ebc117c0cf03ad4b13184d1253862586",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504870919",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59b28207-30a0-4bf4-bb9d-416a02de0b81",
|
|
"value": "ad1b11cb053df4e8cb890872fa4a25057d514a8c2778b6b745c5aaf5b3f984cd"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: ebc117c0cf03ad4b13184d1253862586",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504870919",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59b28207-e048-4b59-9b17-4b4202de0b81",
|
|
"value": "a6f1d1e11c4399dd280fbdba3309357da94ec500"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "- Xchecked via VT: ebc117c0cf03ad4b13184d1253862586",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504870919",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59b28207-bd54-415b-ab47-4aff02de0b81",
|
|
"value": "https://www.virustotal.com/file/ad1b11cb053df4e8cb890872fa4a25057d514a8c2778b6b745c5aaf5b3f984cd/analysis/1504836659/"
|
|
}
|
|
]
|
|
}
|
|
} |