{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2018-07-18",
|
|
"extends_uuid": "",
|
|
"info": "OVH Phishing",
|
|
"publish_timestamp": "1532095390",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1532095371",
|
|
"uuid": "5b4f5308-42c0-434a-a8c5-48ae950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Phishing link as embedded in the email body: the visible anchor text is https://www.ovh.com/fr/cgi-bin/order/renew.cgi but the href points at the phpnet.org host. Everything after '#' is a URL fragment that imitates the OVH renewal URL and is never sent to the server; the page0= parameter carries the targeted domain (rafi0t.fr), so the landing page may be personalised per victim.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1532095368",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "d64b0aa2-2712-440f-ae2d-405b02afe37f",
|
|
"value": "https://xyu7564.phpnet.org/?page0=rafi0t.fr#https://www.ovh.com/fr/cgi-bin/order/renew.cgi"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "Hosting of the phishing page. to_ids is deliberately false on the IP: xyu7564.phpnet.org looks like a customer subdomain of a shared web-hosting provider, so 195.144.11.40 is probably shared with unrelated tenants -- confirm before blocking on the address; the hostname is the safer indicator.",
|
|
"deleted": false,
|
|
"description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.",
|
|
"meta-category": "network",
|
|
"name": "ip-port",
|
|
"template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
|
|
"template_version": "7",
|
|
"timestamp": "1531925260",
|
|
"uuid": "8a483d15-8731-46eb-802a-4dad004e29ad",
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "hostname",
|
|
"timestamp": "1532095368",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "11d55dd3-0574-492d-b330-2086770d3995",
|
|
"value": "xyu7564.phpnet.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "ip",
|
|
"timestamp": "1532095368",
|
|
"to_ids": false,
|
|
"type": "ip-dst",
|
|
"uuid": "9e69ba41-08f3-43bb-b2b6-5e81162ab394",
|
|
"value": "195.144.11.40"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Lure impersonating OVH support (domain-suspension / renewal pretext). The Received header in the attached eml shows the message was delivered by rdns0.annamaet.fr (unknown [89.38.148.75]), which is not extracted as an attribute here, while From, Reply-To and Return-Path all claim support@ovh.com. The message was greylisted for 600 s before acceptance (X-Greylist header).",
|
|
"deleted": false,
|
|
"description": "Email object describing an email with meta-information",
|
|
"meta-category": "network",
|
|
"name": "email",
|
|
"template_uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
|
|
"template_version": "11",
|
|
"timestamp": "1531925264",
|
|
"uuid": "f5cfa131-4703-426c-a7b5-cbe616e76ea7",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "f5cfa131-4703-426c-a7b5-cbe616e76ea7",
|
|
"referenced_uuid": "d64b0aa2-2712-440f-ae2d-405b02afe37f",
|
|
"relationship_type": "contains",
|
|
"timestamp": "1531925263",
|
|
"uuid": "5b4f530f-027c-464b-bd45-4e94950d210f"
|
|
},
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "f5cfa131-4703-426c-a7b5-cbe616e76ea7",
|
|
"referenced_uuid": "8a483d15-8731-46eb-802a-4dad004e29ad",
|
|
"relationship_type": "contains",
|
|
"timestamp": "1531925264",
|
|
"uuid": "5b4f5310-55b4-43f6-9dc1-41c4950d210f"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"data": "UmV0dXJuLVBhdGg6IDxzdXBwb3J0QG92aC5jb20+ClgtT3JpZ2luYWwtVG86IGNvbnRhY3RAcmFmaTB0LmZyCkRlbGl2ZXJlZC1Ubzogc3BhbUByYWZpMHQuZnIKWC1HcmV5bGlzdDogZGVsYXllZCA2MDAgc2Vjb25kcyBieSBwb3N0Z3JleS0xLjM1IGF0IHN0ZXJsaW5nOyBXZWQsIDE4IEp1bCAyMDE4CiAxNjozMzowMiBDRVNUClJlY2VpdmVkOiBmcm9tIHJkbnMwLmFubmFtYWV0LmZyICh1bmtub3duIFs4OS4zOC4xNDguNzVdKQoJYnkgc3RlcmxpbmcuZm9vLmJlIChQb3N0Zml4KSB3aXRoIEVTTVRQUyBpZCAyQ0Q1OTUwMDBDQgoJZm9yIDxjb250YWN0QHJhZmkwdC5mcj47IFdlZCwgMTggSnVsIDIwMTggMTY6MzM6MDIgKzAyMDAgKENFU1QpCkZyb206ICI9P3V0Zi04P0I/YzNWd2NHOXlkRUJ2ZG1ndVkyOXQ/PSIgPHN1cHBvcnRAb3ZoLmNvbT4KVG86IGNvbnRhY3RAcmFmaTB0LmZyClN1YmplY3Q6IFtPVkgtV0VCXSBTdXNwZW5zaW9uIGR1IG5vbSBkZSBkb21haW5lIHJhZmkwdC5mcgpEYXRlOiBXZWQsIDE4IEp1bCAyMDE4IDE0OjA3OjE5ICswMjAwCk1JTUUtVmVyc2lvbjogMS4wCk1lc3NhZ2UtSUQ6IDwxNTMxOTEwNTY2MWQ5MWE1MDg5NjZkY2M1ZjYwMmM3M2I0Zjk3ZmEzOTJfNTQwNDU1QG92aC5jb20+ClJlcGx5LVRvOiBzdXBwb3J0QG92aC5jb20KQ29udGVudC1UeXBlOiB0ZXh0L2h0bWw7IGNoYXJzZXQ9InV0Zi04IgpDb250ZW50LVRyYW5zZmVyLUVuY29kaW5nOiBxdW90ZWQtcHJpbnRhYmxlCgo8IURPQ1RZUEUgSFRNTCBQVUJMSUMgIi0vL1czQy8vRFREIEhUTUwgNC4wIFRyYW5zaXRpb25hbC8vRU4iPgo8SFRNTD48SEVBRD48TUVUQSBodHRwLWVxdWl2PTNEIkNvbnRlbnQtVHlwZSIgY29udGVudD0zRCJ0ZXh0L2h0bWw7IGNoYXJzZXQ9Cj0zRHV0Zi04Ij4KPC9IRUFEPgo8Qk9EWT4KPERJVj48Rk9OVCBzaXplPTNEMiBmYWNlPTNEVGFob21hPlNBUyBPVkggLSA8L0ZPTlQ+PEEKaHJlZj0zRCJodHRwOi8vd3d3Lm92aC5jb20vIj48Rk9OVCBzaXplPTNEMgpmYWNlPTNEVGFob21hPmh0dHA6Ly93d3cub3ZoLmNvbTwvRk9OVD48L0E+PEJSPjxGT05UIHNpemU9M0QyIGZhY2U9M0RUYWhvbWE+Mj0KIHJ1ZQpLZWxsZXJtYW5uPEJSPkJQIDgwMTU3PEJSPjU5MTAwIFJvdWJhaXg8L0ZPTlQ+PC9ESVY+CjxESVY+Jm5ic3A7PC9ESVY+CjxESVY+Jm5ic3A7PC9ESVY+CjxESVY+Jm5ic3A7PC9ESVY+CjxESVY+Jm5ic3A7PC9ESVY+CjxESVY+PEZPTlQgc2l6ZT0zRDIgZmFjZT0zRFRhaG9tYT5DaGVyKGUpIENsaWVudChlKSw8L0ZPTlQ+PC9ESVY+CjxESVY+Jm5ic3A7PC9ESVY+CjxESVY+PEZPTlQgc2l6ZT0zRDIgZmFjZT0zRFRhaG9tYT5Wb3RyZSBub20gZGUgZG9tYWluZSByYWZpMHQuZnIgZXN0PQogYWN0dWVsbGVtZW50CmVucmVnaXN0cj1DMz1BOSBjaGV6IE9WSC48QlI+Tm90cmUgc3lzdD1DMz1BOG1lIGRlIGZhY3R1cmF0aW9uIGEgZD1DMz1BOXRlY3Q9Cj1DMz1BOSBxdWUgY2Ugc2VydmljZQplc3QgZXh
waXI9QzM9QTksIG5vbiByZW5vdXZlbD1DMz1BOS48L0ZPTlQ+PC9ESVY+CjxESVY+Jm5ic3A7PC9ESVY+CjxESVY+PEZPTlQgc2l6ZT0zRDIgZmFjZT0zRFRhaG9tYT5Wb3RyZSBub20gZGUgZG9tYWluZSByYWZpMHQuZnIgYSBkb25jID1DMz0KPUE5dD1DMz1BOQpzdXNwZW5kdS48L0ZPTlQ+PC9ESVY+CjxESVY+Jm5ic3A7PC9ESVY+CjxESVY+PEJSPjxGT05UIHNpemU9M0QyIGZhY2U9M0RUYWhvbWE+UG91ciBsZSByPUMzPUE5YWN0aXZlciwgaWwgdm91cyBzdWZmaXQ9CiBkZSB2b3VzCnJlbmRyZSBzdXIgbm90cmUgc2l0ZSwgZXQgZHV0aWxpc2VyIDxCUj5sYSBjb21tYW5kZSBkZSByZW5vdXZlbGxlbWVudCA6CjwvRk9OVD48L0RJVj4KPERJVj4mbmJzcDs8L0RJVj4KPERJVj48QQpocmVmPTNEImh0dHBzOi8veHl1NzU2NC5waHBuZXQub3JnLz9wYWdlMD0KPTNEcmFmaTB0LmZyI2h0dHBzOi8vd3d3Lm92aC5jb20vZnIvY2dpLWJpbi9vcmRlci9yZW5ldy5jZ2kiPjxGT05UCnNpemU9M0QyIGZhY2U9Cj0zRFRhaG9tYT5odHRwczovL3d3dy5vdmguY29tL2ZyL2NnaS1iaW4vb3JkZXIvcmVuZXcuY2dpPC9GT05UPjwvQT4KPC9ESVY+CjxESVY+PEJSPjxGT05UIHNpemU9M0QyIGZhY2U9M0RUYWhvbWE+TGUgcj1DMz1BOGdsZW1lbnQgcGV1dCBzZSBmYWlyZSB2aWE9CiBsJ3VuIGRlcyBtb3llbnMKZGUgcGFpZW1lbnQgcHJvcG9zPUMzPUE5cy4gTWFpcyBub3VzIDxCUj5yZWNvbW1hbmRvbnMgZGUgcj1DMz1BOWdsZXIgcGFyPQogQ2FydGUgQmFuY2FpcmUKcG91ciBhY2M9QzM9QTlsPUMzPUE5cmVyIGxlIHRyYWl0ZW1lbnQgZXQgZG9uYyA8QlI+bGEgcj1DMz1BOW91dmVydHVyZSBkZT0KIHZvdHJlCnNlcnZpY2UuPC9GT05UPjwvRElWPgo8RElWPiZuYnNwOzwvRElWPgo8RElWPjxGT05UIHNpemU9M0QyIGZhY2U9M0RUYWhvbWE+TGEgZmFjdHVyZSBhY3F1aXR0PUMzPUE5ZSB2b3VzIHBhcnZpZW5kcmE9CiBwZXUgYXByPUMzPUE4cwp2YWxpZGF0aW9uIGRlIGxhIGNvbW1hbmRlLCBjb25maXJtYW50IDxCUj5sZSByZW5vdXZlbGxlbWVudCBkZSB2b3RyZT0KIHJlZGV2YW5jZQpwb3VyIGxhIHA9QzM9QTlyaW9kZSBjaG9pc2llLjwvRk9OVD48L0RJVj4KPERJVj4mbmJzcDs8L0RJVj4KPERJVj48QlI+PEZPTlQgc2l6ZT0zRDIgZmFjZT0zRFRhaG9tYT5JTVBPUlRBTlQgOiBFbiBjYXMgZGUgbm9uIHI9QzM9Cj1BOGdsZW1lbnQgc291cyAyNCBILAp2b3RyZSBkb21haW5lIHBvdXJyYWl0ID1DMz1BQXRyZSBERUZJTklUSVZFTUVOVCBlZmZhYz1DMz1BOS48L0ZPTlQ+PC9ESVY+CjxESVY+Jm5ic3A7PC9ESVY+CjxESVY+PEZPTlQgc2l6ZT0zRDIgZmFjZT0zRFRhaG9tYT5Qb3VyIHRvdXRlIGluZm9ybWF0aW9uIGNvbXBsPUMzPUE5bWVudGFpcmUsPQogbm90cmUKc3VwcG9ydCByZXN0ZSA9QzM9QTAgdm90cmUgZGlzcG9zaXRpb24uPC9GT05UPjwvRElWPgo8RElWPiZuYnNwOzwvRElWPgo8RElWPjxGT05UIHNpemU9M0QyIGZhY2U9M0RUYWh
vbWE+TWVyY2kgZGUgdm90cmUgY29tcHI9QzM9Cj1BOWhlbnNpb24uPC9GT05UPjwvRElWPgo8RElWPiZuYnNwOzwvRElWPgo8RElWPiZuYnNwOzwvRElWPgo8RElWPiZuYnNwOzwvRElWPgo8RElWPjxGT05UIHNpemU9M0QyIGZhY2U9M0RUYWhvbWE+Q29yZGlhbGVtZW50LDwvRk9OVD48L0RJVj4KPERJVj4mbmJzcDs8L0RJVj4KPERJVj48Rk9OVCBzaXplPTNEMiBmYWNlPTNEVGFob21hPlZvdHJlIFNlcnZpY2UgQ2xpZW50IE9WSDxCUj5MdW4gLSBWZW5kIDogOGg9CiAtIDIwaAp8IFNhbWVkaSA6IDloID1DMz1BMCAxN2g8QlI+MTAwNzxCUj5OdW09QzM9QTlybyB1bmlxdWUgZ3JhdHVpdCBkZXB1aXMgdW49CiBwb3N0ZSBmaXhlLCBob3JzCnN1cmNvPUMzPUJCdCA9QzM9QTl2ZW50dWVsIHNlbG9uIG9wPUMzPUE5cmF0ZXVyIGRlcHVpcyB1bmUgbGlnbmUKbW9iaWxlPC9GT05UPjwvRElWPjwvQk9EWT48L0hUTUw+Cgo=",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "eml",
|
|
"timestamp": "1532095368",
|
|
"to_ids": false,
|
|
"type": "attachment",
|
|
"uuid": "6fad44d5-1eb8-4cd4-8c2a-85d411cf50ca",
|
|
"value": "Full email.eml"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Body text is stored with mojibake (UTF-8 bytes re-read as Latin-1, e.g. 'Ã©' for 'é'); the quoted-printable source in the eml attachment (=C3=A9) is the faithful copy. Kept as extracted so it matches what the parser produced.",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "email-body",
|
|
"timestamp": "1532095368",
|
|
"to_ids": false,
|
|
"type": "email-body",
|
|
"uuid": "c8c233d6-a647-4f41-ad4e-9d2b08af045b",
|
|
"value": "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\">\n<HTML><HEAD><META http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\">\n</HEAD>\n<BODY>\n<DIV><FONT size=2 face=Tahoma>SAS OVH - </FONT><A\nhref=\"http://www.ovh.com/\"><FONT size=2\nface=Tahoma>http://www.ovh.com</FONT></A><BR><FONT size=2 face=Tahoma>2 rue\nKellermann<BR>BP 80157<BR>59100 Roubaix</FONT></DIV>\n<DIV> </DIV>\n<DIV> </DIV>\n<DIV> </DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>Cher(e) Client(e),</FONT></DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>Votre nom de domaine rafi0t.fr est actuellement\nenregistr\u00c3\u00a9 chez OVH.<BR>Notre syst\u00c3\u00a8me de facturation a d\u00c3\u00a9tect\u00c3\u00a9 que ce service\nest expir\u00c3\u00a9, non renouvel\u00c3\u00a9.</FONT></DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>Votre nom de domaine rafi0t.fr a donc \u00c3\u00a9t\u00c3\u00a9\nsuspendu.</FONT></DIV>\n<DIV> </DIV>\n<DIV><BR><FONT size=2 face=Tahoma>Pour le r\u00c3\u00a9activer, il vous suffit de vous\nrendre sur notre site, et dutiliser <BR>la commande de renouvellement :\n</FONT></DIV>\n<DIV> </DIV>\n<DIV><A\nhref=\"https://xyu7564.phpnet.org/?page0=rafi0t.fr#https://www.ovh.com/fr/cgi-bin/order/renew.cgi\"><FONT\nsize=2 face=Tahoma>https://www.ovh.com/fr/cgi-bin/order/renew.cgi</FONT></A>\n</DIV>\n<DIV><BR><FONT size=2 face=Tahoma>Le r\u00c3\u00a8glement peut se faire via l'un des moyens\nde paiement propos\u00c3\u00a9s. 
Mais nous <BR>recommandons de r\u00c3\u00a9gler par Carte Bancaire\npour acc\u00c3\u00a9l\u00c3\u00a9rer le traitement et donc <BR>la r\u00c3\u00a9ouverture de votre\nservice.</FONT></DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>La facture acquitt\u00c3\u00a9e vous parviendra peu apr\u00c3\u00a8s\nvalidation de la commande, confirmant <BR>le renouvellement de votre redevance\npour la p\u00c3\u00a9riode choisie.</FONT></DIV>\n<DIV> </DIV>\n<DIV><BR><FONT size=2 face=Tahoma>IMPORTANT : En cas de non r\u00c3\u00a8glement sous 24 H,\nvotre domaine pourrait \u00c3\u00aatre DEFINITIVEMENT effac\u00c3\u00a9.</FONT></DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>Pour toute information compl\u00c3\u00a9mentaire, notre\nsupport reste \u00c3\u00a0 votre disposition.</FONT></DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>Merci de votre compr\u00c3\u00a9hension.</FONT></DIV>\n<DIV> </DIV>\n<DIV> </DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>Cordialement,</FONT></DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>Votre Service Client OVH<BR>Lun - Vend : 8h - 20h\n| Samedi : 9h \u00c3\u00a0 17h<BR>1007<BR>Num\u00c3\u00a9ro unique gratuit depuis un poste fixe, hors\nsurco\u00c3\u00bbt \u00c3\u00a9ventuel selon op\u00c3\u00a9rateur depuis une ligne\nmobile</FONT></DIV></BODY></HTML>"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "reply-to",
|
|
"timestamp": "1532095368",
|
|
"to_ids": false,
|
|
"type": "email-reply-to",
|
|
"uuid": "51d315b4-595f-43fd-bc43-23c5f155ed88",
|
|
"value": "support@ovh.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "message-id",
|
|
"timestamp": "1532095368",
|
|
"to_ids": false,
|
|
"type": "email-message-id",
|
|
"uuid": "c0cae490-8619-453a-9ca0-10e1ffa78f30",
|
|
"value": "<15319105661d91a508966dcc5f602c73b4f97fa392_540455@ovh.com>"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "to",
|
|
"timestamp": "1532095368",
|
|
"to_ids": false,
|
|
"type": "email-dst",
|
|
"uuid": "334cb4ea-384c-43f2-ab65-de6c244bbe55",
|
|
"value": "contact@rafi0t.fr"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "subject",
|
|
"timestamp": "1532095368",
|
|
"to_ids": false,
|
|
"type": "email-subject",
|
|
"uuid": "faf7eabc-c367-4456-95be-dadbd90b1aa2",
|
|
"value": "[OVH-WEB] Suspension du nom de domaine rafi0t.fr"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "from",
|
|
"timestamp": "1532095368",
|
|
"to_ids": false,
|
|
"type": "email-src",
|
|
"uuid": "76432d08-a77d-4cdb-9fbb-3c2d12e7b6b9",
|
|
"value": "\"support@ovh.com\" <support@ovh.com>"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "return-path",
|
|
"timestamp": "1532095368",
|
|
"to_ids": false,
|
|
"type": "email-src",
|
|
"uuid": "8ae92ecb-ea5e-4674-9bd7-de2cdc2e05e8",
|
|
"value": "<support@ovh.com>"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |