```
├── Astrum_drop_2016-12-07.md
├── Fallout_EK_Pattern.md
├── IOCs
│   ├── DarkCloud_misp.event.1953.599662ba-bb54-4a0a-8ec0-2cfac0a8a8de.json
│   ├── Gootkit_2018-03-21_misp.event.2619.5ab28984-869c-434a-9a54-0d0fc0a8a8de.json
│   ├── MISP_Adylkuzz_1731_NoAttachment.json
│   ├── Magnitude_CVE-2018-4878_misp.event.2652.5ac10f16-8c28-4c22-991c-55e0c0a8a8de.json
│   ├── Readme.md
│   ├── Sandiflux_misp.event.2448.5a79fee6-96f0-4149-a656-2233c0a8a8de.json
│   ├── SundownGF_misp.event.2556.5aa2f05c-4d1c-436f-9c5d-1199c0a8a8de.json
│   ├── misp.event.2443.5a79b8fc-4460-4a3a-a6e6-2232c0a8a8de.xml
│   ├── misp.event.2821.5b179a7f-2fa4-4464-8c85-4d87c0a8a8de.json
│   ├── misp.event.2834.5b22c1bd-1ab8-4506-b4a6-1746c0a8a8de.json
│   └── misp.event.2879.5b3544f7-1e20-4f39-8713-055ec0a8a8de.json
├── Nebula_URI
├── README.md
├── RIG_Pattern.md
├── ScriptJS.md
├── Sundown-N
└── WordsJS.md
```

--------------------------------------------------------------------------------
/Astrum_drop_2016-12-07.md:
--------------------------------------------------------------------------------

### Some Astrum drops

> I have been asked for samples tied to Astrum EK (referred to as Stegano EK by Eset in this [nice writeup](http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/)) mentioned in that screenshot of MISP:
[![AdGholas - Campaign - MISP](https://pbs.twimg.com/media/Cy_rgPxW8AAgFdi.jpg)](https://twitter.com/kafeine/status/806122813966913536)
https://twitter.com/kafeine/status/806122813966913536

So I sent them to: [VT](https://www.virustotal.com/file/dc3840d3c0b7e04734d4a3440fe9e5291a84e02e8a5031217315b6344e3aac66/analysis/1481139747/)

*I stored the zip [here](https://files.dontneedcoffee.com/index.php/s/sGVO9Wkqt2mHvUR) but please prefer the VT link if you have access*

### zip content

--------------------------------------------------------------------------------
/Fallout_EK_Pattern.md:
--------------------------------------------------------------------------------

For Fallout see: https://www.nao-sec.org/2018/09/hello-fallout-exploit-kit.html

2018-08-30 & 31

Landing:

Payload:

--------------------------------------------------------------------------------
/IOCs/Gootkit_2018-03-21_misp.event.2619.5ab28984-869c-434a-9a54-0d0fc0a8a8de.json:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/IOCs/Readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/IOCs/misp.event.2443.5a79b8fc-4460-4a3a-a6e6-2232c0a8a8de.xml:
--------------------------------------------------------------------------------
delivery15a79bc60-dba4-4654-ae08-2232c0a8a8de244351517927520Ursnif0000219415e1c6395d65224356cb8dd7b9b6bdf15f6b50057sha256Payload delivery15a79bc60-2a58-4dbc-88fe-2232c0a8a8de244351517927520Ursnif000006d4d572d22cad23b4bfbcfb043372aaaad71451b65093bb8d451f34349bb69b50058pattern-in-memoryPayload installation05a79bc9c-02b0-4830-b99b-2233c0a8a8de244351517927580Injects (source Francine)0000https://banking?.anz.com/IBAU/BANKAWAY*jsessionid* 4 | https://banking?.anz.com/IBAU/web/L001/script/common.js 5 | https://banking?.anz.com/*/bootstrap/jquery-*.min.js 6 | https://banking?.anz.com/IBAU/web/L001/script/menu/jquery-1.3.2.min.js 7 | https://static.my.commbank.com.au/static/core/js/core-merge.*.js 8 | https://www?.my.commbank.com.au/netbank/PaymentHub/PaymentReceipt.aspx?RID=* 9 | https://www?.my.commbiz.commbank.com.au? 10 | https://www?.my.commbiz.commbank.com.au/client/*.aspx* 11 | https://www?.my.commbiz.commbank.com.au/online/*.aspx* 12 | https://www?.my.commbiz.commbank.com.au/Accounts/*.aspx* 13 | https://www?.my.commbiz.commbank.com.au/Fintran/*.aspx* 14 | https://www?.my.commbiz.commbank.com.au/static/core/js/core-merge.*.js* 15 | https://www?.my.commbiz.commbank.com.au/Common/Common.Web/javascript/Cbiz/baseLib.js* 16 | https://www?.my.commbiz.commbank.com.au/Common/Common.Web/javascript/func.js* 17 | https://ib.nab.com.au/nabib/index.jsp* 18 | https://ib.nab.com.au/nabib/*.ctl* 19 | https://ib.nab.com.au/nabib/scripts/jquery/jquery*.js* 20 | https://talent.seek.com.au/Home/Welcom* 21 | https://talent.seek.com.au/Job/Index/* 22 | https://advertisers.careerone.com.au/login.asp* 23 | https://www.adzuna.com.a* 24 | https://ibanking.*.au/InternetBankingResources/ibank2/javascript/util/jquery-1.7.1.min.js 25 | https://ibanking.*.com.au/InternetBankingResources/ibank2/javascript/util/utils.js 26 | https://ibanking.stgeorge.com.au/ibank/* 27 | https://ibanking.banksa.com.au/ibank/* 28 | https://ibanking.bankofmelbourne.com.au/ibank/* 29 | 
https://bbo.*.com.au/dist/Release/packaging/payments2.js 30 | https://internetbanking.suncorpbank.com.au/StaticContent/CombineJs* 31 | https://internetbanking.suncorpbank.com.au/*/* 32 | https://banking.westpac.com.au/*/banking/Scripts/Desktop/Core/SkipAutoRegistration/modernizr.js* 33 | https://banking.westpac.com.au/secure/banking/overview/payments/confirmation*IsNewPayee=true 34 | https://banking.westpac.com.au/*/payeelist* 35 | https://banking.westpac.com.au/*/paymentlist* 36 | https://banking.westpac.com.au/*/paymentreceipt* 37 | https://banking.westpac.com.au/*/Pay/To.aspx 38 | https://banking.westpac.com.au/*/bpd_pmnmodify.asp* 39 | https://banking.westpac.com.au/*/bpd_pmpendinglist.asp* 40 | https://banking.westpac.com.au/*/bsd_aiestmtlist.asp* 41 | https://www.anz.com/INETBANK/* 42 | https://*.commbank.com.au/netbank/* 43 | https://*commbiz.commbank.com.au/* 44 | https://ib.nab.com.au/* 45 | https://ibanking.*.au/ibank/* 46 | https://bbo.stgeorge.com.au/* 47 | https://internetbanking.suncorpbank.com.au/* 48 | https://online.westpac.com.au/* 49 | https://bbonline.banksa.com.au/html/cbank.asp* 50 | https://bbonline.stgeorge.com.au/html/cbank.asp* 51 | https://bbonline.bankofmelbourne.com.au/html/cbank.asp* 52 | https://ibs.bankwest.com.au/BWLogin/bib.aspx*50059md5Payload delivery15a79bd52-1f74-40b8-893f-2232c0a8a8de244351517927762Notification_1-QEM7S3P.js (Js in the Zip)00002f7f7b35aa9ff638362b7f45a63a943150060sha1Payload delivery15a79bd52-0ad0-4353-863b-2232c0a8a8de244351517927762Notification_1-QEM7S3P.js (Js in the Zip)0000a16fbe56f9b8a285b60903a6719303156c7d359e50061sha256Payload delivery15a79bd52-ffb8-4296-a934-2232c0a8a8de244351517927762Notification_1-QEM7S3P.js (Js in the Zip)00009ea2ca045970ddd7dc5ebe5ed159d5f80b4a9fb65919aaa411d32712f9d832f850062pattern-in-memoryPayload installation05a79bdf9-e574-472a-81cd-2235c0a8a8de244351517927929Ursnif Config0000id: 1290118 53 | version: 3.0.547 54 | soft: 2 55 | key: UGMo0Mj5U83xyrN3 56 | c2: 
https://185.24.232.164 57 | uri: index.html50063ip-dstNetwork activity15a79bf88-4964-45b7-90f7-2234c0a8a8de244351517928328Ursnif C20000185.24.232.16424382018-02-061Notes_Sagrid05a799b8b-38f4-49c4-baba-2235c0a8a8de015179197932111DNC5749cdb1-1e74-450f-8baf-3ba5c0a8a8de1DNC5749cdb1-1e74-450f-8baf-3ba5c0a8a8de205dnc:driveby-type="Malspam"#00000010477dnc:malspam-type="url-to-zipped-js"#39065810636dnc:attrib-int="170007"#5e5e5e10637dnc:attrib="Sagrid"#5e5e5e10102dnc:country="AUS"#00277610111dnc:malware="Dreambot/ISFB"#4bc7cf101623dnc:dreambot-key="UGMo0Mj5U83xyrN3"#84c4cf10 58 | -------------------------------------------------------------------------------- /IOCs/misp.event.2834.5b22c1bd-1ab8-4506-b4a6-1746c0a8a8de.json: -------------------------------------------------------------------------------- 1 | {"response":[{ 2 | "Event": { 3 | "id": "2834", 4 | "orgc_id": "1", 5 | "org_id": "1", 6 | "date": "2018-06-14", 7 | "threat_level_id": "1", 8 | "info": "malspam_2018-06-14_3", 9 | "published": true, 10 | "uuid": "5b22c1bd-1ab8-4506-b4a6-1746c0a8a8de", 11 | "attribute_count": "38", 12 | "analysis": "2", 13 | "timestamp": "1529005516", 14 | "distribution": "2", 15 | "proposal_email_lock": false, 16 | "locked": false, 17 | "publish_timestamp": "1529005535", 18 | "sharing_group_id": "0", 19 | "disable_correlation": false, 20 | "extends_uuid": "", 21 | "event_creator_email": "kafeine@dontneedcoffee.com", 22 | "Org": { 23 | "id": "1", 24 | "name": "DNC", 25 | "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de" 26 | }, 27 | "Orgc": { 28 | "id": "1", 29 | "name": "DNC", 30 | "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de" 31 | }, 32 | "Attribute": [ 33 | { 34 | "id": "69262", 35 | "type": "url", 36 | "category": "Network activity", 37 | "to_ids": true, 38 | "uuid": "5b22c231-bf54-42cf-bf4c-34cdc0a8a8de", 39 | "event_id": "2834", 40 | "distribution": "5", 41 | "timestamp": "1529004593", 42 | "comment": "Example of URL in spam", 43 | "sharing_group_id": "0", 44 | "deleted": false, 45 
| "disable_correlation": false, 46 | "object_id": "0", 47 | "object_relation": null, 48 | "value": "http:\/\/www.floramae.tk\/wp-content\/plugins\/joycazino\/A_misfigure_gallicolous.html", 49 | "ShadowAttribute": [] 50 | }, 51 | { 52 | "id": "69263", 53 | "type": "url", 54 | "category": "Network activity", 55 | "to_ids": true, 56 | "uuid": "5b22c231-4208-4fe5-b7c8-34cdc0a8a8de", 57 | "event_id": "2834", 58 | "distribution": "5", 59 | "timestamp": "1529004593", 60 | "comment": "Example of URL in spam", 61 | "sharing_group_id": "0", 62 | "deleted": false, 63 | "disable_correlation": false, 64 | "object_id": "0", 65 | "object_relation": null, 66 | "value": "http:\/\/www.klassicwaterproofing.com\/images\/resource\/products\/Y_List_Bare.html", 67 | "ShadowAttribute": [] 68 | }, 69 | { 70 | "id": "69264", 71 | "type": "url", 72 | "category": "Network activity", 73 | "to_ids": true, 74 | "uuid": "5b22c231-b364-4a22-b33c-34cdc0a8a8de", 75 | "event_id": "2834", 76 | "distribution": "5", 77 | "timestamp": "1529004593", 78 | "comment": "Example of URL in spam", 79 | "sharing_group_id": "0", 80 | "deleted": false, 81 | "disable_correlation": false, 82 | "object_id": "0", 83 | "object_relation": null, 84 | "value": "http:\/\/www.akariem.com\/wp-content\/themes\/zenwater\/U_scratchlike_renewment.html", 85 | "ShadowAttribute": [] 86 | }, 87 | { 88 | "id": "69265", 89 | "type": "url", 90 | "category": "Network activity", 91 | "to_ids": true, 92 | "uuid": "5b22c25a-73bc-4b1c-9b26-1742c0a8a8de", 93 | "event_id": "2834", 94 | "distribution": "5", 95 | "timestamp": "1529004634", 96 | "comment": "Intermediate Redirector", 97 | "sharing_group_id": "0", 98 | "deleted": false, 99 | "disable_correlation": false, 100 | "object_id": "0", 101 | "object_relation": null, 102 | "value": "http:\/\/kingerosses.top\/", 103 | "ShadowAttribute": [] 104 | }, 105 | { 106 | "id": "69266", 107 | "type": "url", 108 | "category": "Network activity", 109 | "to_ids": true, 110 | "uuid": 
"5b22c25a-919c-4db7-a8f1-1742c0a8a8de", 111 | "event_id": "2834", 112 | "distribution": "5", 113 | "timestamp": "1529004634", 114 | "comment": "BlackTDS", 115 | "sharing_group_id": "0", 116 | "deleted": false, 117 | "disable_correlation": false, 118 | "object_id": "0", 119 | "object_relation": null, 120 | "value": "https:\/\/darksoulshere.gq\/", 121 | "ShadowAttribute": [] 122 | }, 123 | { 124 | "id": "69267", 125 | "type": "url", 126 | "category": "Network activity", 127 | "to_ids": true, 128 | "uuid": "5b22c25a-6e44-4a88-a699-1742c0a8a8de", 129 | "event_id": "2834", 130 | "distribution": "5", 131 | "timestamp": "1529004634", 132 | "comment": "URL to JS", 133 | "sharing_group_id": "0", 134 | "deleted": false, 135 | "disable_correlation": false, 136 | "object_id": "0", 137 | "object_relation": null, 138 | "value": "http:\/\/vunteriseffe.top\/corps\/get.php", 139 | "ShadowAttribute": [] 140 | }, 141 | { 142 | "id": "69268", 143 | "type": "url", 144 | "category": "Network activity", 145 | "to_ids": true, 146 | "uuid": "5b22c25a-04d0-4387-863b-1742c0a8a8de", 147 | "event_id": "2834", 148 | "distribution": "5", 149 | "timestamp": "1529004634", 150 | "comment": "JS callback (Ursnif)", 151 | "sharing_group_id": "0", 152 | "deleted": false, 153 | "disable_correlation": false, 154 | "object_id": "0", 155 | "object_relation": null, 156 | "value": "http:\/\/vunteriseffe.top\/get.php?lBHLYrp", 157 | "ShadowAttribute": [] 158 | }, 159 | { 160 | "id": "69281", 161 | "type": "domain", 162 | "category": "Network activity", 163 | "to_ids": true, 164 | "uuid": "5b22c313-4cb4-4e29-a778-1ea9c0a8a8de", 165 | "event_id": "2834", 166 | "distribution": "5", 167 | "timestamp": "1529004819", 168 | "comment": "Ursnif C2 from Config", 169 | "sharing_group_id": "0", 170 | "deleted": false, 171 | "disable_correlation": false, 172 | "object_id": "0", 173 | "object_relation": null, 174 | "value": "theformthefollbinretain.club", 175 | "ShadowAttribute": [] 176 | }, 177 | { 178 | "id": "69282", 
179 | "type": "domain", 180 | "category": "Network activity", 181 | "to_ids": true, 182 | "uuid": "5b22c313-6058-43fa-9df9-1ea9c0a8a8de", 183 | "event_id": "2834", 184 | "distribution": "5", 185 | "timestamp": "1529004819", 186 | "comment": "Ursnif C2 from Config", 187 | "sharing_group_id": "0", 188 | "deleted": false, 189 | "disable_correlation": false, 190 | "object_id": "0", 191 | "object_relation": null, 192 | "value": "thisdocumentationcopy.club", 193 | "ShadowAttribute": [] 194 | }, 195 | { 196 | "id": "69283", 197 | "type": "domain", 198 | "category": "Network activity", 199 | "to_ids": true, 200 | "uuid": "5b22c313-4bc0-4e82-bca5-1ea9c0a8a8de", 201 | "event_id": "2834", 202 | "distribution": "5", 203 | "timestamp": "1529004819", 204 | "comment": "Ursnif C2 from Config", 205 | "sharing_group_id": "0", 206 | "deleted": false, 207 | "disable_correlation": false, 208 | "object_id": "0", 209 | "object_relation": null, 210 | "value": "featttfolldisclaimer.club", 211 | "ShadowAttribute": [] 212 | }, 213 | { 214 | "id": "69284", 215 | "type": "domain", 216 | "category": "Network activity", 217 | "to_ids": true, 218 | "uuid": "5b22c313-1dc4-444d-b67d-1ea9c0a8a8de", 219 | "event_id": "2834", 220 | "distribution": "5", 221 | "timestamp": "1529004819", 222 | "comment": "Ursnif C2 from Config", 223 | "sharing_group_id": "0", 224 | "deleted": false, 225 | "disable_correlation": false, 226 | "object_id": "0", 227 | "object_relation": null, 228 | "value": "whetherbutthiscode.club", 229 | "ShadowAttribute": [] 230 | }, 231 | { 232 | "id": "69285", 233 | "type": "pattern-in-memory", 234 | "category": "Payload installation", 235 | "to_ids": false, 236 | "uuid": "5b22c3a0-a9dc-4e4b-bb22-1742c0a8a8de", 237 | "event_id": "2834", 238 | "distribution": "5", 239 | "timestamp": "1529004960", 240 | "comment": "Ursnif Config", 241 | "sharing_group_id": "0", 242 | "deleted": false, 243 | "disable_correlation": false, 244 | "object_id": "0", 245 | "object_relation": null, 246 | "value": 
"type: isfb\r\nbctimeout: 10\r\nbotnet: 2002\r\ncompilation_date: Apr 9 2018\r\nconfigfailtimeout: 30\r\nconfigtimeout: 360\r\ndga_base_url: www.openssl.org\/source\/license.txt\r\ndga_count: 5\r\ndga_crc: 1178005749\r\ndga_lsa_seed: 3988359472\r\ndga_season: 5\r\ndga_seed: 1\r\ndga_tld: .club\r\ndomains: otherwiselist.at, aaxvkah7dudzoloq.onion\r\nexe_type: worker\r\nip_service: curlmyip.net\r\nkey: Gu9foUnsY506KSJ1\r\nknockertimeout: 120\r\nobfuscation_method: random-picture-path\r\npanel_type: dreambot\r\npublic_key: 27128630415765994040955744015030070035596412432263378648451342271896999564591778392380252218629171292393835044846760473972123898033112684033003992892755637641333031709989882836572683552148935712373385829601241246843039177999788343130062892018522696242710077005694634582129152392241934085107745034082445602130862004358119025920663040324744350770368639811520570222557121492480646961107837256814943238176846221993809348278287890366938945719572043524471423913911112015173484009855057342010816848643375839718028796037662372254268324634815343900592089617456027459527165881639074855043692671009442219068102732790893211474593, 65537\r\nsendtimeout: 300\r\nserver: 12\r\nssl: true\r\ntasktimeout: 120\r\ntimer: 60\r\ntor32_dll: providedatheyfromyouthe.club\/key\/x32.bin file:\/\/%appdata%\/system32.dll\r\ntor64_dll: providedatheyfromyouthe.club\/key\/x64.bin file:\/\/%appdata%\/system64.dll\r\nversion: 2.16.994\r\nxcookie: 1936486000", 247 | "ShadowAttribute": [] 248 | }, 249 | { 250 | "id": "69296", 251 | "type": "url", 252 | "category": "Network activity", 253 | "to_ids": true, 254 | "uuid": "5b22c43f-39b4-4f9b-a295-45f7c0a8a8de", 255 | "event_id": "2834", 256 | "distribution": "5", 257 | "timestamp": "1529005119", 258 | "comment": "Tor Module for Dreambot", 259 | "sharing_group_id": "0", 260 | "deleted": false, 261 | "disable_correlation": false, 262 | "object_id": "0", 263 | "object_relation": null, 264 | "value": "providedatheyfromyouthe.club\/key\/x32.bin", 265 
| "ShadowAttribute": [] 266 | }, 267 | { 268 | "id": "69297", 269 | "type": "url", 270 | "category": "Network activity", 271 | "to_ids": true, 272 | "uuid": "5b22c43f-5d54-49ad-ad8b-45f7c0a8a8de", 273 | "event_id": "2834", 274 | "distribution": "5", 275 | "timestamp": "1529005119", 276 | "comment": "Tor Module for Dreambot", 277 | "sharing_group_id": "0", 278 | "deleted": false, 279 | "disable_correlation": false, 280 | "object_id": "0", 281 | "object_relation": null, 282 | "value": "providedatheyfromyouthe.club\/key\/x64.bin", 283 | "ShadowAttribute": [] 284 | }, 285 | { 286 | "id": "69321", 287 | "type": "pattern-in-file", 288 | "category": "Network activity", 289 | "to_ids": false, 290 | "uuid": "5b22c5bc-89ac-478f-9bc5-1745c0a8a8de", 291 | "event_id": "2834", 292 | "distribution": "5", 293 | "timestamp": "1529005500", 294 | "comment": "Response from BlackTDS", 295 | "sharing_group_id": "0", 296 | "deleted": false, 297 | "disable_correlation": false, 298 | "object_id": "0", 299 | "object_relation": null, 300 | "value": "HTTP\/1.1 200 OK\r\nServer: nginx\/1.12.2\r\nDate: Thu, 14 Jun 2018 14:54:52 GMT\r\nContent-Type: text\/html; charset=UTF-8\r\nConnection: keep-alive\r\nSet-Cookie: g_ptsn=darksoulshere.gq; expires=Fri, 24-Jan-2020 21:00:00 GMT; Max-Age=50911508\r\nSet-Cookie: g_sessn=1528988092; expires=Fri, 24-Jan-2020 21:00:00 GMT; Max-Age=50911508\r\nVary: Accept-Encoding\r\nContent-Length: 121\r\n\r\n \r\ndocument.write('\\