
{
"Event": {
"id": "2855",
"orgc_id": "1",
"org_id": "1",
"date": "2022-03-24",
"threat_level_id": "3",
"info": "Successful Scam call involving money transfer",
"published": false,
"uuid": "53d2f469-9f7f-4e40-8dc1-a721f1b223fb",
"attribute_count": "31",
"analysis": "2",
"timestamp": "1675788758",
"distribution": "3",
"proposal_email_lock": false,
"locked": false,
"publish_timestamp": "0",
"sharing_group_id": "0",
"disable_correlation": false,
"extends_uuid": "",
"protected": null,
"event_creator_email": "sami.mokaddem@circl.lu",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14",
"local": true
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14",
"local": true
},
"Attribute": [
{
"id": "546729",
"type": "ip-src",
"category": "Payload delivery",
"to_ids": true,
"uuid": "8d651574-d18d-489b-ad8c-e04d586bebef",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119510",
"comment": "IP address of the scammer collected from the RDP log file",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"first_seen": "2022-03-24T11:47:27.000000+00:00",
"last_seen": null,
"value": "194.78.89.250",
"Galaxy": [],
"ShadowAttribute": [],
"Sighting": [
{
"id": "81870",
"attribute_id": "546729",
"event_id": "2855",
"org_id": "1",
"date_sighting": "1657271154",
"uuid": "e94c1425-3d9a-4626-af95-b9e7b936e796",
"source": "",
"type": "0",
"attribute_uuid": "8d651574-d18d-489b-ad8c-e04d586bebef",
"Organisation": {
"id": "1",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14",
"name": "Training"
}
},
{
"id": "81871",
"attribute_id": "546729",
"event_id": "2855",
"org_id": "1",
"date_sighting": "1657271164",
"uuid": "bfa84e56-fcc7-41e5-a3e3-eecb641eada1",
"source": "",
"type": "0",
"attribute_uuid": "8d651574-d18d-489b-ad8c-e04d586bebef",
"Organisation": {
"id": "1",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14",
"name": "Training"
}
},
{
"id": "81872",
"attribute_id": "546729",
"event_id": "2855",
"org_id": "1",
"date_sighting": "1657271170",
"uuid": "e4a21c87-ca9b-440f-a7af-b60e248c8456",
"source": "",
"type": "0",
"attribute_uuid": "8d651574-d18d-489b-ad8c-e04d586bebef",
"Organisation": {
"id": "1",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14",
"name": "Training"
}
}
]
},
{
"id": "546740",
"type": "phone-number",
"category": "Financial fraud",
"to_ids": true,
"uuid": "38d27219-bfa1-43d9-a7c4-3769296e32d5",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119489",
"comment": "Phone number used by the scammer to call the victim",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"first_seen": "2022-03-24T11:42:43.000000+00:00",
"last_seen": null,
"value": "+12243359185",
"Galaxy": [],
"ShadowAttribute": []
}
],
"ShadowAttribute": [],
"RelatedEvent": [
{
"Event": {
"id": "3659",
"date": "2023-08-31",
"threat_level_id": "3",
"info": "Scam call from a pretended Microsoft employee (JMP)",
"published": false,
"uuid": "dd4ae541-c7cc-418b-85dd-e9d60a97f034",
"analysis": "0",
"timestamp": "1693494978",
"distribution": "1",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "3660",
"date": "2023-08-31",
"threat_level_id": "2",
"info": "Scam call pretending to be Microsoft support leading to Ransomware (JRK)",
"published": true,
"uuid": "a886fe7e-0e1d-4b75-8129-4b33cf19f20a",
"analysis": "1",
"timestamp": "1693494973",
"distribution": "3",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "3324",
"date": "2023-02-07",
"threat_level_id": "1",
"info": "MISP Encoding Exercise: Scam call JD",
"published": false,
"uuid": "c2db89c3-f0fe-49d1-a6ea-a4c17e62c472",
"analysis": "1",
"timestamp": "1675785515",
"distribution": "0",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "3327",
"date": "2023-02-07",
"threat_level_id": "4",
"info": "Scam call",
"published": false,
"uuid": "e1054edc-0217-4e53-9a12-1ffa352fa4dc",
"analysis": "1",
"timestamp": "1675788656",
"distribution": "0",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "3077",
"date": "2022-12-06",
"threat_level_id": "1",
"info": "Scam call",
"published": false,
"uuid": "b5abc54c-7353-417d-9311-60014196e2fe",
"analysis": "0",
"timestamp": "1670336065",
"distribution": "0",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "3078",
"date": "2022-12-06",
"threat_level_id": "1",
"info": "Scam call Ressources",
"published": false,
"uuid": "61eb3ac1-5f65-4b8e-9985-3c2e298fa558",
"analysis": "0",
"timestamp": "1670335025",
"distribution": "0",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "3079",
"date": "2022-12-06",
"threat_level_id": "3",
"info": "Scam call for money transfer.",
"published": false,
"uuid": "5e662ab4-a6ba-463c-b142-25d14e078fd8",
"analysis": "1",
"timestamp": "1670337939",
"distribution": "0",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "3080",
"date": "2022-12-06",
"threat_level_id": "2",
"info": "Scam call - Attempt to transfer money to a novice scammer",
"published": false,
"uuid": "739d0647-eaaf-430b-b1e1-db8659bcd750",
"analysis": "1",
"timestamp": "1670337434",
"distribution": "0",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "3082",
"date": "2022-12-06",
"threat_level_id": "1",
"info": "scam call bt",
"published": false,
"uuid": "2fd61b74-6f22-446a-be92-0014a4144f99",
"analysis": "0",
"timestamp": "1670338817",
"distribution": "0",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "3083",
"date": "2022-12-06",
"threat_level_id": "2",
"info": "Scam call to transfer money",
"published": false,
"uuid": "ffa6021c-ec8f-488a-a8f6-9c31da2e40a4",
"analysis": "0",
"timestamp": "1670337074",
"distribution": "0",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "3084",
"date": "2022-12-06",
"threat_level_id": "1",
"info": "Scam call",
"published": false,
"uuid": "0e2749ef-631f-410c-8b7d-902c05319a06",
"analysis": "0",
"timestamp": "1670337202",
"distribution": "0",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "3085",
"date": "2022-12-06",
"threat_level_id": "2",
"info": "Scam call with potential malicious binary (JRK)",
"published": false,
"uuid": "f1bb7998-38d5-40cc-83e6-bee9d1a1daf9",
"analysis": "2",
"timestamp": "1670337311",
"distribution": "0",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "3086",
"date": "2022-12-06",
"threat_level_id": "2",
"info": "Training Scam call",
"published": false,
"uuid": "a27d1e76-dc03-47e9-a3e6-62a313b98a33",
"analysis": "0",
"timestamp": "1670336125",
"distribution": "0",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "3090",
"date": "2022-12-06",
"threat_level_id": "2",
"info": "Scam Call from Wallace Breen",
"published": false,
"uuid": "6dfca20a-4b30-4264-9170-3835b0d6fed5",
"analysis": "2",
"timestamp": "1670336645",
"distribution": "0",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "3091",
"date": "2022-12-06",
"threat_level_id": "2",
"info": "Microsoft support scam call",
"published": false,
"uuid": "5ba99c07-21fc-48b0-93e3-b7efbda5e72d",
"analysis": "2",
"timestamp": "1670339466",
"distribution": "0",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "3092",
"date": "2022-12-06",
"threat_level_id": "3",
"info": "Fraud Event through scam call",
"published": false,
"uuid": "39deb907-731b-42e8-bace-ff1e9f2ea085",
"analysis": "0",
"timestamp": "1670335931",
"distribution": "0",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
}
],
"Galaxy": [
{
"id": "25",
"uuid": "c4e851fa-775f-11e7-8163-b774922098cd",
"name": "Attack Pattern",
"type": "mitre-attack-pattern",
"description": "ATT&CK Tactic",
"version": "9",
"icon": "map",
"namespace": "mitre-attack",
"enabled": true,
"local_only": false,
"kill_chain_order": {
"mitre-attack": [
"reconnaissance",
"resource-development",
"initial-access",
"execution",
"persistence",
"privilege-escalation",
"defense-evasion",
"credential-access",
"discovery",
"lateral-movement",
"collection",
"command-and-control",
"exfiltration",
"impact"
],
"mitre-mobile-attack": [
"initial-access",
"execution",
"persistence",
"privilege-escalation",
"defense-evasion",
"credential-access",
"discovery",
"lateral-movement",
"collection",
"command-and-control",
"exfiltration",
"impact",
"network-effects",
"remote-service-effects"
],
"mitre-pre-attack": [
"priority-definition-planning",
"priority-definition-direction",
"target-selection",
"technical-information-gathering",
"people-information-gathering",
"organizational-information-gathering",
"technical-weakness-identification",
"people-weakness-identification",
"organizational-weakness-identification",
"adversary-opsec",
"establish-&-maintain-infrastructure",
"persona-development",
"build-capabilities",
"test-capabilities",
"stage-capabilities"
]
},
"GalaxyCluster": [
{
"id": "64276",
"collection_uuid": "dcb864dc-775f-11e7-9fbb-1f41b4996683",
"type": "mitre-attack-pattern",
"value": "Phishing - T1566",
"tag_name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
"description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nVictims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)",
"galaxy_id": "25",
"source": "https://github.com/mitre/cti",
"authors": [
"MITRE"
],
"version": "25",
"uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"distribution": "3",
"sharing_group_id": null,
"org_id": "0",
"orgc_id": "0",
"default": true,
"locked": false,
"extends_uuid": "",
"extends_version": "0",
"published": false,
"deleted": false,
"GalaxyClusterRelation": [],
"Org": {
"id": "0",
"name": "MISP",
"date_created": "",
"date_modified": "",
"description": "Automatically generated MISP organisation",
"type": "",
"nationality": "Not specified",
"sector": "",
"created_by": "0",
"uuid": "0",
"contacts": "",
"local": true,
"restricted_to_domain": [],
"landingpage": null
},
"Orgc": {
"id": "0",
"name": "MISP",
"date_created": "",
"date_modified": "",
"description": "Automatically generated MISP organisation",
"type": "",
"nationality": "Not specified",
"sector": "",
"created_by": "0",
"uuid": "0",
"contacts": "",
"local": true,
"restricted_to_domain": [],
"landingpage": null
},
"TargetingClusterRelation": [
{
"id": "82078",
"galaxy_cluster_id": "63601",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "subtechnique-of",
"galaxy_cluster_uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "82288",
"galaxy_cluster_id": "63935",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "subtechnique-of",
"galaxy_cluster_uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "82316",
"galaxy_cluster_id": "63963",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "subtechnique-of",
"galaxy_cluster_uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "82747",
"galaxy_cluster_id": "64392",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "mitigates",
"galaxy_cluster_uuid": "21da4fd4-27ad-4e9c-b93d-0b9b14d02c96",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "82810",
"galaxy_cluster_id": "64417",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "mitigates",
"galaxy_cluster_uuid": "12241367-a8b7-49b4-b86e-2236901ba50c",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "83469",
"galaxy_cluster_id": "64524",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "mitigates",
"galaxy_cluster_uuid": "2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "83620",
"galaxy_cluster_id": "64534",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "mitigates",
"galaxy_cluster_uuid": "b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "83748",
"galaxy_cluster_id": "64554",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "mitigates",
"galaxy_cluster_uuid": "a6a47a06-08fc-4ec4-bdc3-20373375ebb9",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "84796",
"galaxy_cluster_id": "64590",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "uses",
"galaxy_cluster_uuid": "c77c5576-ca19-42ed-a36f-4b4486a84133",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "85153",
"galaxy_cluster_id": "64608",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "uses",
"galaxy_cluster_uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "88974",
"galaxy_cluster_id": "64800",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "uses",
"galaxy_cluster_uuid": "95047f03-4811-4300-922e-1ba937d53a61",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "91910",
"galaxy_cluster_id": "65033",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "uses",
"galaxy_cluster_uuid": "802a874d-7463-4f2a-99e3-6a1f5a919a21",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "98619",
"galaxy_cluster_id": "66523",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "related-to",
"galaxy_cluster_uuid": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "98698",
"galaxy_cluster_id": "66596",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "related-to",
"galaxy_cluster_uuid": "dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "98809",
"galaxy_cluster_id": "66704",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "related-to",
"galaxy_cluster_uuid": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "99142",
"galaxy_cluster_id": "66977",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "related-to",
"galaxy_cluster_uuid": "52cad028-0ff0-4854-8f67-d25dfcbc78b4",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "99607",
"galaxy_cluster_id": "67390",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "related-to",
"galaxy_cluster_uuid": "c27515df-97a9-4162-8a60-dc0eeb51b775",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "99691",
"galaxy_cluster_id": "67451",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "related-to",
"galaxy_cluster_uuid": "e8a95b5e-c891-46e2-b33a-93937d3abc31",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "99966",
"galaxy_cluster_id": "67698",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "related-to",
"galaxy_cluster_uuid": "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "100178",
"galaxy_cluster_id": "67917",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "related-to",
"galaxy_cluster_uuid": "b5de2919-b74a-4805-91a7-5049accbaefe",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "100200",
"galaxy_cluster_id": "67930",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "related-to",
"galaxy_cluster_uuid": "00d0b5ab-1f55-4120-8e83-487c0a7baf19",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "100222",
"galaxy_cluster_id": "67942",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "related-to",
"galaxy_cluster_uuid": "5039f3d2-406a-4c1a-9350-7a5a85dc84c2",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "100246",
"galaxy_cluster_id": "67959",
"referenced_galaxy_cluster_id": "64276",
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"referenced_galaxy_cluster_type": "related-to",
"galaxy_cluster_uuid": "6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4",
"distribution": "3",
"sharing_group_id": null,
"default": true
}
],
"meta": {
"external_id": [
"T1566"
],
"kill_chain": [
"mitre-attack:initial-access"
],
"mitre_data_sources": [
"Application Log: Application Log Content",
"File: File Creation",
"Network Traffic: Network Traffic Content",
"Network Traffic: Network Traffic Flow"
],
"mitre_platforms": [
"Linux",
"macOS",
"Windows",
"SaaS",
"Office 365",
"Google Workspace"
],
"refs": [
"https://attack.mitre.org/techniques/T1566",
"https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends",
"https://blog.sygnia.co/luna-moth-false-subscription-scams",
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide",
"https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/",
"https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/",
"https://www.cisa.gov/uscert/ncas/alerts/aa23-025a",
"https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf",
"https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/",
"https://www.proofpoint.com/us/threat-reference/email-spoofing"
]
},
"tag_id": 1943,
"event_tag_id": "12605",
"local": false,
"relationship_type": false
},
{
"id": "64048",
"collection_uuid": "dcb864dc-775f-11e7-9fbb-1f41b4996683",
"type": "mitre-attack-pattern",
"value": "User Execution - T1204",
"tag_name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
"description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).\n\nWhile [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).\n\nAdversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary, or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204). For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)",
"galaxy_id": "25",
"source": "https://github.com/mitre/cti",
"authors": [
"MITRE"
],
"version": "25",
"uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"distribution": "3",
"sharing_group_id": null,
"org_id": "0",
"orgc_id": "0",
"default": true,
"locked": false,
"extends_uuid": "",
"extends_version": "0",
"published": false,
"deleted": false,
"GalaxyClusterRelation": [],
"Org": {
"id": "0",
"name": "MISP",
"date_created": "",
"date_modified": "",
"description": "Automatically generated MISP organisation",
"type": "",
"nationality": "Not specified",
"sector": "",
"created_by": "0",
"uuid": "0",
"contacts": "",
"local": true,
"restricted_to_domain": [],
"landingpage": null
},
"Orgc": {
"id": "0",
"name": "MISP",
"date_created": "",
"date_modified": "",
"description": "Automatically generated MISP organisation",
"type": "",
"nationality": "Not specified",
"sector": "",
"created_by": "0",
"uuid": "0",
"contacts": "",
"local": true,
"restricted_to_domain": [],
"landingpage": null
},
"TargetingClusterRelation": [
{
"id": "82202",
"galaxy_cluster_id": "63849",
"referenced_galaxy_cluster_id": "64048",
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"referenced_galaxy_cluster_type": "subtechnique-of",
"galaxy_cluster_uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "82215",
"galaxy_cluster_id": "63862",
"referenced_galaxy_cluster_id": "64048",
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"referenced_galaxy_cluster_type": "subtechnique-of",
"galaxy_cluster_uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "82218",
"galaxy_cluster_id": "63865",
"referenced_galaxy_cluster_id": "64048",
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"referenced_galaxy_cluster_type": "subtechnique-of",
"galaxy_cluster_uuid": "b0c74ef9-c61e-4986-88cb-78da98a355ec",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "82670",
"galaxy_cluster_id": "64333",
"referenced_galaxy_cluster_id": "64048",
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"referenced_galaxy_cluster_type": "mitigates",
"galaxy_cluster_uuid": "90f39ee1-d5a3-4aaa-9f28-3b42815b0d46",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "82745",
"galaxy_cluster_id": "64392",
"referenced_galaxy_cluster_id": "64048",
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"referenced_galaxy_cluster_type": "mitigates",
"galaxy_cluster_uuid": "21da4fd4-27ad-4e9c-b93d-0b9b14d02c96",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "82804",
"galaxy_cluster_id": "64417",
"referenced_galaxy_cluster_id": "64048",
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"referenced_galaxy_cluster_type": "mitigates",
"galaxy_cluster_uuid": "12241367-a8b7-49b4-b86e-2236901ba50c",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "83464",
"galaxy_cluster_id": "64524",
"referenced_galaxy_cluster_id": "64048",
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"referenced_galaxy_cluster_type": "mitigates",
"galaxy_cluster_uuid": "2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "83577",
"galaxy_cluster_id": "64533",
"referenced_galaxy_cluster_id": "64048",
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"referenced_galaxy_cluster_type": "mitigates",
"galaxy_cluster_uuid": "47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "85013",
"galaxy_cluster_id": "64601",
"referenced_galaxy_cluster_id": "64048",
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"referenced_galaxy_cluster_type": "uses",
"galaxy_cluster_uuid": "d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "97896",
"galaxy_cluster_id": "65898",
"referenced_galaxy_cluster_id": "64048",
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"referenced_galaxy_cluster_type": "related-to",
"galaxy_cluster_uuid": "ba6b9e43-1d45-4d3c-a504-1043a64c8469",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "98882",
"galaxy_cluster_id": "66761",
"referenced_galaxy_cluster_id": "64048",
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"referenced_galaxy_cluster_type": "related-to",
"galaxy_cluster_uuid": "1412aa78-a24c-4abd-83df-767dfb2c5bbe",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "99406",
"galaxy_cluster_id": "67207",
"referenced_galaxy_cluster_id": "64048",
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"referenced_galaxy_cluster_type": "related-to",
"galaxy_cluster_uuid": "24de4f3b-804c-4165-b442-5a06a2302c7e",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "99961",
"galaxy_cluster_id": "67694",
"referenced_galaxy_cluster_id": "64048",
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"referenced_galaxy_cluster_type": "related-to",
"galaxy_cluster_uuid": "fa0c05b6-8ad3-468d-8231-c1cbccb64fba",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "100250",
"galaxy_cluster_id": "67959",
"referenced_galaxy_cluster_id": "64048",
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"referenced_galaxy_cluster_type": "related-to",
"galaxy_cluster_uuid": "6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4",
"distribution": "3",
"sharing_group_id": null,
"default": true
},
{
"id": "100268",
"galaxy_cluster_id": "67974",
"referenced_galaxy_cluster_id": "64048",
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"referenced_galaxy_cluster_type": "related-to",
"galaxy_cluster_uuid": "234dc5df-40b5-49d1-bf53-0d44ce778eca",
"distribution": "3",
"sharing_group_id": null,
"default": true
}
],
"meta": {
"external_id": [
"T1204"
],
"kill_chain": [
"mitre-attack:execution"
],
"mitre_data_sources": [
"Application Log: Application Log Content",
"Command: Command Execution",
"Container: Container Creation",
"Container: Container Start",
"File: File Creation",
"Image: Image Creation",
"Instance: Instance Creation",
"Instance: Instance Start",
"Network Traffic: Network Connection Creation",
"Network Traffic: Network Traffic Content",
"Process: Process Creation"
],
"mitre_platforms": [
"Linux",
"Windows",
"macOS",
"IaaS",
"Containers"
],
"refs": [
"https://attack.mitre.org/techniques/T1204",
"https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery"
]
},
"tag_id": 1259,
"event_tag_id": "12606",
"local": false,
"relationship_type": false
}
]
}
],
"Object": [
{
"id": "34232",
"name": "file",
"meta-category": "file",
"description": "File object describing a file with meta-information",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"event_id": "2855",
"uuid": "d3297d1c-f80f-4542-8b36-d45a301e9072",
"timestamp": "1648119667",
"distribution": "5",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"first_seen": "2022-03-24T12:08:18.000000+00:00",
"last_seen": null,
"ObjectReference": [
{
"id": "11815",
"uuid": "e58d9caa-35cb-4d1a-85c7-b469b1551ea8",
"timestamp": "1648119667",
"object_id": "34232",
"referenced_uuid": "8a571393-5eeb-4b95-a781-247f49dc6a51",
"referenced_id": "34233",
"referenced_type": "1",
"relationship_type": "downloaded-from",
"comment": "",
"deleted": false,
"event_id": "2855",
"source_uuid": "d3297d1c-f80f-4542-8b36-d45a301e9072",
"Object": {
"distribution": "5",
"sharing_group_id": "0",
"uuid": "8a571393-5eeb-4b95-a781-247f49dc6a51",
"name": "url",
"meta-category": "network"
}
}
],
"Attribute": [
{
"id": "546723",
"type": "malware-sample",
"category": "Payload installation",
"to_ids": true,
"uuid": "a80ce85b-8da9-49d0-9380-8c7d87b32673",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119411",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "34232",
"object_relation": "malware-sample",
"first_seen": null,
"last_seen": null,
"value": "bin.exe|06596279d333d831e0b62265563a13ef",
"Galaxy": [],
"data": "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
"ShadowAttribute": []
},
{
"id": "546724",
"type": "filename",
"category": "Payload installation",
"to_ids": false,
"uuid": "c45388c1-58be-4e48-aa90-b2445da50711",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119411",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "34232",
"object_relation": "filename",
"first_seen": null,
"last_seen": null,
"value": "bin.exe",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "546725",
"type": "md5",
"category": "Payload installation",
"to_ids": true,
"uuid": "377e9258-8dd5-4322-9820-5d563893e151",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119411",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "34232",
"object_relation": "md5",
"first_seen": null,
"last_seen": null,
"value": "06596279d333d831e0b62265563a13ef",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "546726",
"type": "sha1",
"category": "Payload installation",
"to_ids": true,
"uuid": "1bc2a5e0-bc92-4425-bd4e-781bd022f45f",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119411",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "34232",
"object_relation": "sha1",
"first_seen": null,
"last_seen": null,
"value": "514328c420f87ef4d920f08620395915d45e6eaf",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "546727",
"type": "sha256",
"category": "Payload installation",
"to_ids": true,
"uuid": "4fd7fc0b-dec8-4953-9bb5-0c6a1bedbbd8",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119411",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "34232",
"object_relation": "sha256",
"first_seen": null,
"last_seen": null,
"value": "fdb8bf01985f33c301dc2bb6bf19fd864f62bae92bc09cce9378859dbb5a0846",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "546728",
"type": "size-in-bytes",
"category": "Other",
"to_ids": false,
"uuid": "3f0763ef-cdaf-47be-b68c-e96a68c665ce",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119411",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "34232",
"object_relation": "size-in-bytes",
"first_seen": null,
"last_seen": null,
"value": "5236664",
"Galaxy": [],
"ShadowAttribute": []
}
]
},
{
"id": "34233",
"name": "url",
"meta-category": "network",
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"event_id": "2855",
"uuid": "8a571393-5eeb-4b95-a781-247f49dc6a51",
"timestamp": "1648119431",
"distribution": "5",
"sharing_group_id": "0",
"comment": "URL used by the scammer to download the binary",
"deleted": false,
"first_seen": "2022-03-24T12:06:32.000000+00:00",
"last_seen": null,
"ObjectReference": [],
"Attribute": [
{
"id": "546730",
"type": "url",
"category": "Network activity",
"to_ids": true,
"uuid": "3cab98f1-53cd-47a0-8829-0e7b7d00734f",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119431",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "34233",
"object_relation": "url",
"first_seen": null,
"last_seen": null,
"value": "https://zdgyot.ugic0k.ru/assets/bin.exe",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "546731",
"type": "domain",
"category": "Network activity",
"to_ids": true,
"uuid": "34060945-e8a7-4f7a-865d-bcdb60ab926e",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119431",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "34233",
"object_relation": "domain",
"first_seen": null,
"last_seen": null,
"value": "zdgyot.ugic0k.ru",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "546732",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "04678f67-5a50-40f8-8ad1-72de41a0c03d",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119431",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "34233",
"object_relation": "domain_without_tld",
"first_seen": null,
"last_seen": null,
"value": "zdgyot.ugic0k",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "546733",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "fb5e1ba0-d452-4411-9fd0-840c562d0962",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119431",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "34233",
"object_relation": "resource_path",
"first_seen": null,
"last_seen": null,
"value": "/assets/bin.exe",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "546734",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "d28f3a71-0f97-43fd-a48b-bfe45fc94e68",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119431",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "34233",
"object_relation": "scheme",
"first_seen": null,
"last_seen": null,
"value": "https",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "546735",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "467f8165-6a94-4949-83be-a0bb5dc71bc2",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119431",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "34233",
"object_relation": "tld",
"first_seen": null,
"last_seen": null,
"value": "ru",
"Galaxy": [],
"ShadowAttribute": []
}
]
},
{
"id": "34234",
"name": "bank-account",
"meta-category": "financial",
"description": "An object describing bank account information based on account description from goAML 4.0.",
"template_uuid": "b4712203-95a8-4883-80e9-b566f5df11c9",
"template_version": "3",
"event_id": "2855",
"uuid": "809be621-e949-4eff-83f8-b95b1fcf834a",
"timestamp": "1648119391",
"distribution": "5",
"sharing_group_id": "0",
"comment": "Bank account that received the money. Believed to belong to the scammer (ownership confirmed via the person object, see the owner-of reference)",
"deleted": false,
"first_seen": null,
"last_seen": null,
"ObjectReference": [],
"Attribute": [
{
"id": "546736",
"type": "iban",
"category": "Financial fraud",
"to_ids": true,
"uuid": "d0d61385-c8dc-473b-81b2-5e0b9f691d43",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119391",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "34234",
"object_relation": "iban",
"first_seen": null,
"last_seen": null,
"value": "GB29NWBK60161331926819",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "546737",
"type": "bic",
"category": "Financial fraud",
"to_ids": true,
"uuid": "e67fb353-31e4-49a9-8452-e98828ea2c55",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119391",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "34234",
"object_relation": "swift",
"first_seen": null,
"last_seen": null,
"value": "NWBK",
"Galaxy": [],
"validationIssue": true,
"ShadowAttribute": []
},
{
"id": "546738",
"type": "bank-account-nr",
"category": "Financial fraud",
"to_ids": true,
"uuid": "acd69ba0-2258-4c6b-bf20-910d72f4c16f",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119391",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "34234",
"object_relation": "account",
"first_seen": null,
"last_seen": null,
"value": "31926819",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "546739",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "07c77e9b-11ae-46b7-9a2c-c4e1f91f40b9",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119391",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "34234",
"object_relation": "currency-code",
"first_seen": null,
"last_seen": null,
"value": "GBP",
"Galaxy": [],
"ShadowAttribute": []
}
]
},
{
"id": "34235",
"name": "person",
"meta-category": "misc",
"description": "An object which describes a person or an identity.",
"template_uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
"template_version": "16",
"event_id": "2855",
"uuid": "e1691da4-7737-4410-a817-f3f8f4419ff1",
"timestamp": "1648119654",
"distribution": "5",
"sharing_group_id": "0",
"comment": "Name of the scammer given to the victim. Name confirmed to be the owner of the bank account and phone number",
"deleted": false,
"first_seen": null,
"last_seen": null,
"ObjectReference": [
{
"id": "11811",
"uuid": "f0897b0d-63c2-4a7e-8036-e1d6409d369e",
"timestamp": "1648119613",
"object_id": "34235",
"referenced_uuid": "38d27219-bfa1-43d9-a7c4-3769296e32d5",
"referenced_id": "546740",
"referenced_type": "0",
"relationship_type": "owner-of",
"comment": "",
"deleted": false,
"event_id": "2855",
"source_uuid": "e1691da4-7737-4410-a817-f3f8f4419ff1",
"Attribute": {
"distribution": "5",
"sharing_group_id": "0",
"uuid": "38d27219-bfa1-43d9-a7c4-3769296e32d5",
"value": "+12243359185",
"type": "phone-number",
"category": "Financial fraud",
"to_ids": true
}
},
{
"id": "11812",
"uuid": "6e7b12b8-ca97-4a4d-a993-15a471b24123",
"timestamp": "1648119626",
"object_id": "34235",
"referenced_uuid": "809be621-e949-4eff-83f8-b95b1fcf834a",
"referenced_id": "34234",
"referenced_type": "1",
"relationship_type": "owner-of",
"comment": "",
"deleted": false,
"event_id": "2855",
"source_uuid": "e1691da4-7737-4410-a817-f3f8f4419ff1",
"Object": {
"distribution": "5",
"sharing_group_id": "0",
"uuid": "809be621-e949-4eff-83f8-b95b1fcf834a",
"name": "bank-account",
"meta-category": "financial"
}
},
{
"id": "11813",
"uuid": "69dd6c18-74ad-4e78-8a4a-e0a2dae9b698",
"timestamp": "1648119640",
"object_id": "34235",
"referenced_uuid": "d3297d1c-f80f-4542-8b36-d45a301e9072",
"referenced_id": "34232",
"referenced_type": "1",
"relationship_type": "downloaded",
"comment": "",
"deleted": false,
"event_id": "2855",
"source_uuid": "e1691da4-7737-4410-a817-f3f8f4419ff1",
"Object": {
"distribution": "5",
"sharing_group_id": "0",
"uuid": "d3297d1c-f80f-4542-8b36-d45a301e9072",
"name": "file",
"meta-category": "file"
}
},
{
"id": "11814",
"uuid": "f6a61320-6e1c-4462-9767-09a5a8620cfd",
"timestamp": "1648119654",
"object_id": "34235",
"referenced_uuid": "d3297d1c-f80f-4542-8b36-d45a301e9072",
"referenced_id": "34232",
"referenced_type": "1",
"relationship_type": "installed",
"comment": "",
"deleted": false,
"event_id": "2855",
"source_uuid": "e1691da4-7737-4410-a817-f3f8f4419ff1",
"Object": {
"distribution": "5",
"sharing_group_id": "0",
"uuid": "d3297d1c-f80f-4542-8b36-d45a301e9072",
"name": "file",
"meta-category": "file"
}
}
],
"Attribute": [
{
"id": "546741",
"type": "last-name",
"category": "Person",
"to_ids": false,
"uuid": "081bbab8-1b17-4883-b0cf-4ac8ee88bd87",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648114902",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "34235",
"object_relation": "last-name",
"first_seen": null,
"last_seen": null,
"value": "Breen",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "546742",
"type": "full-name",
"category": "Person",
"to_ids": false,
"uuid": "1512fe92-9c44-4282-9a59-939defe50226",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648114902",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "34235",
"object_relation": "full-name",
"first_seen": null,
"last_seen": null,
"value": "Wallace Breen",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "546743",
"type": "first-name",
"category": "Person",
"to_ids": false,
"uuid": "6e0ab22d-f7dc-4f6d-92ad-f32567b65d9d",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648114902",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "34235",
"object_relation": "first-name",
"first_seen": null,
"last_seen": null,
"value": "Wallace",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "546744",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "ca995c18-c86d-47f0-88ed-a0db5da89cc5",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648114902",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "34235",
"object_relation": "role",
"first_seen": null,
"last_seen": null,
"value": "Accused",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "546745",
"type": "gender",
"category": "Person",
"to_ids": false,
"uuid": "2387f01f-959e-4438-9e0f-8c1b2b397ddb",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648114902",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "34235",
"object_relation": "gender",
"first_seen": null,
"last_seen": null,
"value": "Male",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "546746",
"type": "nationality",
"category": "Person",
"to_ids": false,
"uuid": "c4bcdac5-7876-4657-871d-9d199f5abb8a",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648114902",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "34235",
"object_relation": "nationality",
"first_seen": null,
"last_seen": null,
"value": "British",
"Galaxy": [],
"ShadowAttribute": []
}
]
},
{
"id": "34236",
"name": "geolocation",
"meta-category": "misc",
"description": "An object to describe a geographic location.",
"template_uuid": "cd6f2238-ba55-4888-82c4-104e6e1acf21",
"template_version": "7",
"event_id": "2855",
"uuid": "ec290bb1-e339-4a03-bb78-93cc43c39ccf",
"timestamp": "1648119890",
"distribution": "5",
"sharing_group_id": "0",
"comment": "194.78.89.250: Enriched via the mmdb_lookup module",
"deleted": false,
"first_seen": null,
"last_seen": null,
"ObjectReference": [
{
"id": "11816",
"uuid": "8232c0b7-a475-4116-94d6-a481c3f3000b",
"timestamp": "1648119891",
"object_id": "34236",
"referenced_uuid": "8d651574-d18d-489b-ad8c-e04d586bebef",
"referenced_id": "546729",
"referenced_type": "0",
"relationship_type": "related-to",
"comment": "",
"deleted": false,
"event_id": "2855",
"source_uuid": "ec290bb1-e339-4a03-bb78-93cc43c39ccf",
"Attribute": {
"distribution": "5",
"sharing_group_id": "0",
"uuid": "8d651574-d18d-489b-ad8c-e04d586bebef",
"value": "194.78.89.250",
"type": "ip-src",
"category": "Payload delivery",
"to_ids": true
}
}
],
"Attribute": [
{
"id": "546747",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "dede9764-3d1f-4487-998b-3cd0ff4946e6",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119891",
"comment": "194.78.89.250: Enriched via the mmdb_lookup module",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "34236",
"object_relation": "country",
"first_seen": null,
"last_seen": null,
"value": "Belgium",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "546748",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "59587e01-fdf4-4a9b-9224-974c3a99a5ed",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119891",
"comment": "194.78.89.250: Enriched via the mmdb_lookup module",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "34236",
"object_relation": "countrycode",
"first_seen": null,
"last_seen": null,
"value": "BE",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "546749",
"type": "float",
"category": "Other",
"to_ids": false,
"uuid": "d7b26734-a0ce-465a-9a80-c735e1e01068",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119891",
"comment": "194.78.89.250: Enriched via the mmdb_lookup module",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "34236",
"object_relation": "latitude",
"first_seen": null,
"last_seen": null,
"value": "50.8333",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "546750",
"type": "float",
"category": "Other",
"to_ids": false,
"uuid": "054ce836-6a3f-433e-af9b-6ead75854af1",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119891",
"comment": "194.78.89.250: Enriched via the mmdb_lookup module",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "34236",
"object_relation": "longitude",
"first_seen": null,
"last_seen": null,
"value": "4",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "546751",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "45e0807b-9495-49f2-919f-23d1e0642332",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119891",
"comment": "194.78.89.250: Enriched via the mmdb_lookup module",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "34236",
"object_relation": "text",
"first_seen": null,
"last_seen": null,
"value": "db_source: GeoOpen-Country-ASN. build_db: 2022-02-06 09:30:25. Latitude and longitude are country average.",
"Galaxy": [],
"ShadowAttribute": []
}
]
},
{
"id": "34237",
"name": "asn",
"meta-category": "network",
"description": "Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.",
"template_uuid": "4ec55cc6-9e49-4c64-b794-03c25c1a6587",
"template_version": "4",
"event_id": "2855",
"uuid": "2535a80f-03f7-4bce-81b4-251419327fa6",
"timestamp": "1648119891",
"distribution": "5",
"sharing_group_id": "0",
"comment": "194.78.89.250: Enriched via the mmdb_lookup module",
"deleted": false,
"first_seen": null,
"last_seen": null,
"ObjectReference": [
{
"id": "11817",
"uuid": "e86d355c-1991-41b3-bffa-d22382c92c98",
"timestamp": "1648119891",
"object_id": "34237",
"referenced_uuid": "8d651574-d18d-489b-ad8c-e04d586bebef",
"referenced_id": "546729",
"referenced_type": "0",
"relationship_type": "related-to",
"comment": "",
"deleted": false,
"event_id": "2855",
"source_uuid": "2535a80f-03f7-4bce-81b4-251419327fa6",
"Attribute": {
"distribution": "5",
"sharing_group_id": "0",
"uuid": "8d651574-d18d-489b-ad8c-e04d586bebef",
"value": "194.78.89.250",
"type": "ip-src",
"category": "Payload delivery",
"to_ids": true
}
}
],
"Attribute": [
{
"id": "546752",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "a4757a19-2db2-4747-885d-70a2c4472586",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119891",
"comment": "194.78.89.250: Enriched via the mmdb_lookup module",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "34237",
"object_relation": "asn",
"first_seen": null,
"last_seen": null,
"value": "5432",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "546753",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "4fb09589-4c4d-4b5d-bf42-b7a9429432de",
"event_id": "2855",
"distribution": "5",
"timestamp": "1648119891",
"comment": "194.78.89.250: Enriched via the mmdb_lookup module",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "34237",
"object_relation": "description",
"first_seen": null,
"last_seen": null,
"value": "ASNOrganization: PROXIMUS-ISP-AS. db_source: GeoOpen-Country-ASN. build_db: 2022-02-06 09:30:25.",
"Galaxy": [],
"ShadowAttribute": []
}
]
}
],
"EventReport": [
{
"id": "71",
"uuid": "ae25f4a2-f35d-4adb-bb03-b6ce21115117",
"event_id": "2855",
"name": "Executive summary of the case",
"content": "# Executive summary of the case\r\nA victim was called by the suspected scammer @[object](e1691da4-7737-4410-a817-f3f8f4419ff1) using the following number: @[attribute](38d27219-bfa1-43d9-a7c4-3769296e32d5).\r\nThe scammer pretended to be a Microsoft employee and managed to convince the victim that he could help by using remote desktop assistance.\r\n\r\nOnce he had access, the scammer downloaded a binary @[object](d3297d1c-f80f-4542-8b36-d45a301e9072) from the following URL @[object](8a571393-5eeb-4b95-a781-247f49dc6a51). He then proceeded to install the binary, probably to use it as a backdoor for future access.\r\n\r\nAfter the installation, he asked the victim to transfer money to the scammer's bank account: @[attribute](d0d61385-c8dc-473b-81b2-5e0b9f691d43)\r\n\r\nThe day after, the victim, suspecting a scam, contacted the police.\r\n\r\n# Technique used\r\n\r\n| | |\r\n| -------- | -------- |\r\n| Social vector | @[tag](veris:action:social:vector=\"Phone\") |\r\n| Potential hacking vector | @[tag](veris:action:hacking:vector=\"Desktop sharing\") |\r\n| Actor motive | @[tag](veris:actor:external:motive=\"Financial\") |\r\n| Impacted loss | @[tag](veris:impact:loss:variety=\"Asset and fraud\") |\r\n| Loss rating | @[tag](veris:impact:loss:rating=\"Minor\") |\r\n\r\n# Information collected after analysis\r\n- According to the phone number, IP address and bank account, the scammer @[object](e1691da4-7737-4410-a817-f3f8f4419ff1) is very likely based in @[attribute](dede9764-3d1f-4487-998b-3cd0ff4946e6). This assessment is low-confidence: the IP geolocation comes from a country-level lookup (latitude/longitude are a country average), while the IBAN is GB-prefixed and the account is denominated in GBP, so the indicators do not all point to the same jurisdiction.\r\n\r\n# Timeline\r\n- **2022-03-24 11:42:43 UTC+0**: Scammer called the victim pretending to be a Microsoft employee\r\n- **2022-03-24 11:47:27 UTC+0**: Scammer convinced the victim to be helped via remote desktop assistance (IP address recorded in the RDP log)\r\n- **2022-03-24 12:06:32 UTC+0**: Scammer downloaded the binary onto the victim's computer\r\n- **2022-03-24 12:08:18 UTC+0**: Scammer installed the binary on the victim's computer\r\n- **2022-03-24 12:17:51 UTC+0**: Scammer asked the victim to transfer money to a bank account for the help he provided\r\n- **2022-03-24 12:25:04 UTC+0**: Victim executed the money transfer\r\n- **2022-03-25 08:39:21 UTC+0**: Victim contacted police",
"distribution": "5",
"sharing_group_id": "0",
"timestamp": "1648133481",
"deleted": false
},
{
"id": "178",
"uuid": "49fc95e7-ebe4-4a69-98a5-cac2c31276b3",
"event_id": "2855",
"name": "Event report (1675788758)",
"content": "## Successful Scam call involving money transfer\n - *Date*: 2022-03-24\n - *Last update*: 2022-06-30 15:24:18\n - *Threat level*: Low\n - *Attribute count*: 31\n#### Tags\n - @[tag](workflow:state=\"complete\")\n - @[tag](tlp:green)\n - @[tag](veris:action:hacking:vector=\"Desktop sharing\")\n - @[tag](veris:action:social:variety=\"Scam\")\n - @[tag](veris:action:social:vector=\"Phone\")\n - @[tag](veris:actor:external:motive=\"Financial\")\n - @[tag](veris:impact:loss:rating=\"Minor\")\n - @[tag](veris:impact:loss:variety=\"Asset and fraud\")\n - @[tag](social-engineering-attack-vectors:non-technical=\"technical-expert\")\n - @[tag](social-engineering-attack-vectors:technical=\"vishing\")\n#### Galaxies\n - *Name*: Attack Pattern\n - *Description*: ATT&CK Tactic\n - @[tag](misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\")\n - @[tag](misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\")\n#### Correlations\n - MISP Encoding Exercise: Scam call JD\n - Scam call\n - Scam call\n - Scam call Ressources\n - Scam call for money transfer.\n - Scam call - Attempt to transfer money to a novice scammer\n - scam call bt\n - Scam call to transfer money\n - Scam call\n - Scam call with potential malicious binary (JRK)\n - Training Scam call\n - Scam Call from Wallace Breen\n - Microsoft support scam call\n - Fraud Event through scam call\n### Objects\n - @[object](d3297d1c-f80f-4542-8b36-d45a301e9072)\n - @[object](8a571393-5eeb-4b95-a781-247f49dc6a51)\n - @[object](809be621-e949-4eff-83f8-b95b1fcf834a)\n - @[object](e1691da4-7737-4410-a817-f3f8f4419ff1)\n - @[object](ec290bb1-e339-4a03-bb78-93cc43c39ccf)\n - @[object](2535a80f-03f7-4bce-81b4-251419327fa6)\n### Attributes\n - @[attribute](8d651574-d18d-489b-ad8c-e04d586bebef)\n - @[attribute](38d27219-bfa1-43d9-a7c4-3769296e32d5)\n### ATT&CK Matrix\n@[galaxymatrix](c4e851fa-775f-11e7-8163-b774922098cd)",
"distribution": "5",
"sharing_group_id": "0",
"timestamp": "1675788758",
"deleted": false
}
],
"CryptographicKey": [],
"Tag": [
{
"id": "261",
"name": "workflow:state=\"complete\"",
"colour": "#e2007a",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"local": 0,
"relationship_type": null
},
{
"id": "9",
"name": "tlp:green",
"colour": "#33FF00",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"local": 0,
"relationship_type": null
},
{
"id": "2263",
"name": "veris:action:hacking:vector=\"Desktop sharing\"",
"colour": "#00748d",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"local": 0,
"relationship_type": null
},
{
"id": "587",
"name": "veris:action:social:variety=\"Scam\"",
"colour": "#00b2d9",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"local": 0,
"relationship_type": null
},
{
"id": "2266",
"name": "veris:action:social:vector=\"Phone\"",
"colour": "#00809c",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"local": 0,
"relationship_type": null
},
{
"id": "2267",
"name": "veris:actor:external:motive=\"Financial\"",
"colour": "#0096b7",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"local": 0,
"relationship_type": null
},
{
"id": "2268",
"name": "veris:impact:loss:rating=\"Minor\"",
"colour": "#00bde6",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"local": 0,
"relationship_type": null
},
{
"id": "2269",
"name": "veris:impact:loss:variety=\"Asset and fraud\"",
"colour": "#00bde7",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"local": 0,
"relationship_type": null
},
{
"id": "2262",
"name": "social-engineering-attack-vectors:non-technical=\"technical-expert\"",
"colour": "#00c643",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"local": 0,
"relationship_type": null
},
{
"id": "2270",
"name": "social-engineering-attack-vectors:technical=\"vishing\"",
"colour": "#003e15",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"local": 0,
"relationship_type": null
},
{
"id": "1943",
"name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
"colour": "#0088cc",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": true,
"is_custom_galaxy": false,
"local_only": false,
"local": 0,
"relationship_type": null
},
{
"id": "1259",
"name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
"colour": "#0088cc",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": true,
"is_custom_galaxy": false,
"local_only": false,
"local": 0,
"relationship_type": null
}
]
}
}