389 lines
No EOL
15 KiB
JSON
389 lines
No EOL
15 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2017-02-12",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Attackers target dozens of global banks with new malware",
|
|
"publish_timestamp": "1486925838",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1486925790",
|
|
"uuid": "58a0ae18-4554-4af8-a66b-459802de0b81",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": false,
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#13eb00",
|
|
"local": false,
|
|
"name": "misp-galaxy:threat-actor=\"Lazarus Group\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#6bd600",
|
|
"local": false,
|
|
"name": "circl:topic=\"finance\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#00afd6",
|
|
"local": false,
|
|
"name": "veris:action:social:target=\"Finance\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925631",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "58a0ae24-bedc-4399-8c2d-4fa002de0b81",
|
|
"value": "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": false,
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#075200",
|
|
"local": false,
|
|
"name": "admiralty-scale:source-reliability=\"b\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925631",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "58a0ae39-1e30-42d6-b78a-20e102de0b81",
|
|
"value": "Organizations in 31 countries have been targeted in a new wave of attacks which has been underway since at least October 2016. The attackers used compromised websites or \u00e2\u20ac\u0153watering holes\u00e2\u20ac\u009d to infect pre-selected targets with previously unknown malware. There has been no evidence found yet that funds have been stolen from any infected banks.\r\n\r\nThe attacks came to light when a bank in Poland discovered previously unknown malware running on a number of its computers. The bank then shared indicators of compromise (IOCs) with other institutions and a number of other institutions confirmed that they too had been compromised.\r\n\r\nAs reported, the source of the attack appears to have been the website of the Polish financial regulator. The attackers compromised the website to redirect visitors to an exploit kit which attempted to install malware on selected targets.\r\n\r\nSymantec has blocked attempts to infect customers in Poland, Mexico and Uruguay by the same exploit kit that infected the Polish banks. Since October, 14 attacks against computers in Mexico were blocked, 11 against computers in Uruguay, and two against computers in Poland."
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Backdoor.Destover",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925631",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "58a0ae50-a948-465d-8e9f-20e102de0b81",
|
|
"value": "4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Hacktool",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925631",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "58a0ae6f-1010-4e03-ac4b-419802de0b81",
|
|
"value": "efa57ca7aa5f42578ab83c9d510393fcf4e981a3eb422197973c65b7415863e7"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Downloader.Ratankba",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925631",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "58a0ae8a-1364-42e1-82af-4ce102de0b81",
|
|
"value": "99017270f0af0e499cfeb19409020bfa0c2de741e5b32b9f6a01c34fe13fda7d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Downloader.Ratankba",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925631",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "58a0ae8a-f9ac-4c37-8975-41c102de0b81",
|
|
"value": "825624d8a93c88a811262bd32cc51e19538c5d65f6f9137e30e72c5de4f044cc"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Downloader.Ratankba",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925631",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "58a0ae8b-c33c-4d49-b603-4ae702de0b81",
|
|
"value": "200c0f4600e54007cb4707c9727b1171f56c17c80c16c53966535c57ab684e22"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Downloader.Ratankba",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925631",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "58a0ae8c-95e0-4ce6-b163-44c302de0b81",
|
|
"value": "95c8ffe03547bcb0afd4d025fb14908f5230c6dc6fdd16686609681c7f40aca2"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Downloader.Ratankba",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925631",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "58a0ae8d-56dc-4075-91bc-473902de0b81",
|
|
"value": "7c77ec259162872bf9ab18f6754e0e844157b31b32b4a746484f444b9f9a3836"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Command and control infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925631",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "58a0aea4-1d00-407f-9c35-20e102de0b81",
|
|
"value": "eye-watch.in"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Command and control infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925631",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "58a0aea5-e9ac-4674-984b-20e102de0b81",
|
|
"value": "sap.misapor.ch"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Backdoor.Destover - Xchecked via VT: 4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925640",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "58a0af48-a1d4-4fa4-8a25-4c9602de0b81",
|
|
"value": "9876f8650d75938f8a2e4fb4df4321cc819d0f58"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Backdoor.Destover - Xchecked via VT: 4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925641",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "58a0af49-97c0-483e-9932-47b602de0b81",
|
|
"value": "7fe80cee04003fed91c02e3a372f4b01"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Backdoor.Destover - Xchecked via VT: 4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925642",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "58a0af4a-9fc0-4b59-a45f-4c4102de0b81",
|
|
"value": "https://www.virustotal.com/file/4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b/analysis/1486115878/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Downloader.Ratankba - Xchecked via VT: 99017270f0af0e499cfeb19409020bfa0c2de741e5b32b9f6a01c34fe13fda7d",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925643",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "58a0af4b-69ac-4337-8996-400402de0b81",
|
|
"value": "178994ab2d4fc0a32a328e97d7d220c8bbb9150c"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Downloader.Ratankba - Xchecked via VT: 99017270f0af0e499cfeb19409020bfa0c2de741e5b32b9f6a01c34fe13fda7d",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925643",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "58a0af4b-4d18-4453-9182-4de602de0b81",
|
|
"value": "1f7897b041a812f96f1925138ea38c46"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Downloader.Ratankba - Xchecked via VT: 99017270f0af0e499cfeb19409020bfa0c2de741e5b32b9f6a01c34fe13fda7d",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925644",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "58a0af4c-9a04-4f4a-af0e-445802de0b81",
|
|
"value": "https://www.virustotal.com/file/99017270f0af0e499cfeb19409020bfa0c2de741e5b32b9f6a01c34fe13fda7d/analysis/1486354947/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Downloader.Ratankba - Xchecked via VT: 825624d8a93c88a811262bd32cc51e19538c5d65f6f9137e30e72c5de4f044cc",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925645",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "58a0af4d-b688-4c75-812b-403802de0b81",
|
|
"value": "09c1756064f15fcdd29ff8f239b3d5dcc22ac492"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Downloader.Ratankba - Xchecked via VT: 825624d8a93c88a811262bd32cc51e19538c5d65f6f9137e30e72c5de4f044cc",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925646",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "58a0af4e-4d6c-4b97-8c12-476a02de0b81",
|
|
"value": "911de8d67af652a87415f8c0a30688b2"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Downloader.Ratankba - Xchecked via VT: 825624d8a93c88a811262bd32cc51e19538c5d65f6f9137e30e72c5de4f044cc",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925646",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "58a0af4e-a2a8-422f-9ab8-40d902de0b81",
|
|
"value": "https://www.virustotal.com/file/825624d8a93c88a811262bd32cc51e19538c5d65f6f9137e30e72c5de4f044cc/analysis/1486355454/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Downloader.Ratankba - Xchecked via VT: 200c0f4600e54007cb4707c9727b1171f56c17c80c16c53966535c57ab684e22",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925647",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "58a0af4f-6ad4-4e25-a3f1-4c8302de0b81",
|
|
"value": "97a3698ffffdb63df79faeaf58169f9755db1f90"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Downloader.Ratankba - Xchecked via VT: 200c0f4600e54007cb4707c9727b1171f56c17c80c16c53966535c57ab684e22",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925648",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "58a0af50-a848-4477-8bb7-464202de0b81",
|
|
"value": "1507e7a741367745425e0530e23768e6"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Downloader.Ratankba - Xchecked via VT: 200c0f4600e54007cb4707c9727b1171f56c17c80c16c53966535c57ab684e22",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925649",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "58a0af51-cfe0-4a6c-a672-4f1202de0b81",
|
|
"value": "https://www.virustotal.com/file/200c0f4600e54007cb4707c9727b1171f56c17c80c16c53966535c57ab684e22/analysis/1486354903/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Downloader.Ratankba - Xchecked via VT: 95c8ffe03547bcb0afd4d025fb14908f5230c6dc6fdd16686609681c7f40aca2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925649",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "58a0af51-c974-4bb5-abeb-40cf02de0b81",
|
|
"value": "2c6c244b3858ce06a0b646ae386f65e69ae5c046"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Downloader.Ratankba - Xchecked via VT: 95c8ffe03547bcb0afd4d025fb14908f5230c6dc6fdd16686609681c7f40aca2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925650",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "58a0af52-e68c-47d2-8f47-497a02de0b81",
|
|
"value": "cb52c013f7af0219d45953bae663c9a2"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Downloader.Ratankba - Xchecked via VT: 95c8ffe03547bcb0afd4d025fb14908f5230c6dc6fdd16686609681c7f40aca2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925651",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "58a0af53-5434-4242-a959-44b602de0b81",
|
|
"value": "https://www.virustotal.com/file/95c8ffe03547bcb0afd4d025fb14908f5230c6dc6fdd16686609681c7f40aca2/analysis/1486356061/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Downloader.Ratankba - Xchecked via VT: 7c77ec259162872bf9ab18f6754e0e844157b31b32b4a746484f444b9f9a3836",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925652",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "58a0af54-453c-46fb-989c-4af002de0b81",
|
|
"value": "da967dc59a7b61aeaeaee380b2c147c5bb1b3bc5"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Downloader.Ratankba - Xchecked via VT: 7c77ec259162872bf9ab18f6754e0e844157b31b32b4a746484f444b9f9a3836",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925653",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "58a0af55-442c-4726-bad9-4dd702de0b81",
|
|
"value": "18a451d70f96a1335623b385f0993bcc"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Downloader.Ratankba - Xchecked via VT: 7c77ec259162872bf9ab18f6754e0e844157b31b32b4a746484f444b9f9a3836",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925653",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "58a0af55-8fb4-4e48-bec2-464b02de0b81",
|
|
"value": "https://www.virustotal.com/file/7c77ec259162872bf9ab18f6754e0e844157b31b32b4a746484f444b9f9a3836/analysis/1486760308/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Enriched via the dns module",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486925789",
|
|
"to_ids": false,
|
|
"type": "ip-src",
|
|
"uuid": "58a0afdd-1758-47f9-a269-447902de0b81",
|
|
"value": "54.235.197.176"
|
|
}
|
|
]
|
|
}
|
|
} |