209 lines
No EOL
6.9 KiB
JSON
209 lines
No EOL
6.9 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2016-04-29",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Over 100,000 South Korean Users Affected by BlackMoon Campaign",
|
|
"publish_timestamp": "1461934511",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1461934375",
|
|
"uuid": "57232f8f-c210-454d-ad75-4d11950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"local": "0",
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461923750",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "57232fa6-7414-40ab-98b4-4aea950d210f",
|
|
"value": "The FortiGuard Virtualization Execution X (VEX) system \u00e2\u20ac\u201c a behaviour-based, in-house framework designed to identify zero-day samples \u00e2\u20ac\u201c has detected a previously undiscovered iteration of the BlackMoon Trojan.\r\n\r\nBlackMoon Trojan is a banking trojan that is designed to phish user credentials from various South Korean banking institutions. It was discovered in early 2014 and was named after a debug string, \u00e2\u20ac\u0153BlackMoon\u00e2\u20ac\u009d, that was present in its code.\r\n\r\nWhile the BlackMoon malware code has been constantly updated by its perpetrators, the extent of the campaign's infection is previously unknown. This post intends to share the findings of the FortiGuard Lion Team on BlackMoon\u00e2\u20ac\u2122s prevalence and its latest code updates."
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461923777",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "57232fc1-fb14-40b0-8f7d-4357950d210f",
|
|
"value": "http://blog.fortinet.com/post/over-100-000-south-korean-users-affected-by-blackmoon-campaign"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461923843",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "57233003-95fc-43c3-bca7-488d950d210f",
|
|
"value": "100.43.185.34"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461923843",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "57233003-4298-4f0e-bace-45dd950d210f",
|
|
"value": "174.139.0.211"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461923844",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "57233004-ae44-497e-b9de-4380950d210f",
|
|
"value": "107.151.158.196"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461923844",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "57233004-9498-43cd-b496-4377950d210f",
|
|
"value": "206.161.216.35"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461923845",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "57233005-5e14-43fa-bf3e-40b1950d210f",
|
|
"value": "207.226.136.14"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461923845",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "57233005-2eb4-4609-bc43-442a950d210f",
|
|
"value": "100.43.185.42"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461923845",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "57233005-ff28-4e9a-8ead-4e3d950d210f",
|
|
"value": "174.139.194.82"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461923846",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "57233006-5814-4ba8-b738-469a950d210f",
|
|
"value": "205.209.141.84"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461924381",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5723321d-338c-468a-b1c1-4421950d210f",
|
|
"value": "dfd4dc577d02b76efea004cd2c131ff7"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461924382",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5723321e-de2c-45aa-bd9a-4dd2950d210f",
|
|
"value": "163f885cc88c0e69a4094122e5667190"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461924382",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5723321e-89dc-4a63-99d9-4504950d210f",
|
|
"value": "3cfd66340f204e1b8697e7a8514c00ab"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461924383",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5723321f-8a50-4e51-93b0-4747950d210f",
|
|
"value": "ee0def01d390ca7fd7ced414c83f9782"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461924383",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5723321f-f474-4f2b-b9b7-4b7f950d210f",
|
|
"value": "2aabd4fa21cca0f153f57ccc1f3c54c0"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Imported via the freetext import.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461924383",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5723321f-2d2c-4d64-934e-43f9950d210f",
|
|
"value": "bbcbd3dc203829c9cdbf7d1b057f0e79"
|
|
}
|
|
]
|
|
}
|
|
} |