misp-training/exercises/flubot-exercise/misp.event.flutbot.json


{"response": [{"Event":{"id":"20","orgc_id":"1","org_id":"1","date":"2022-05-17","threat_level_id":"2","info":"Analysis of a Flubot malware captured by a honeypot","published":false,"uuid":"2683b27f-c509-4458-84f9-8980f60548df","attribute_count":"28","analysis":"1","timestamp":"1653490009","distribution":"0","proposal_email_lock":false,"locked":false,"publish_timestamp":"1653918102","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","protected":null,"event_creator_email":"admin@admin.test","Org":{"id":"1","name":"ORGNAME","uuid":"c5de83b4-36ba-49d6-9530-2a315caeece6","local":true},"Orgc":{"id":"1","name":"ORGNAME","uuid":"c5de83b4-36ba-49d6-9530-2a315caeece6","local":true},"Attribute":[{"id":"267","type":"vulnerability","category":"External analysis","to_ids":false,"uuid":"c6711737-b2f7-4202-b373-dedbda9ea248","event_id":"20","distribution":"5","timestamp":"1652816129","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"CVE-2022-27835","Galaxy":[],"ShadowAttribute":[]},{"id":"276","type":"yara","category":"Payload delivery","to_ids":true,"uuid":"b9270ced-fd60-45df-9035-3ed21378542e","event_id":"20","distribution":"5","timestamp":"1652816313","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"first_seen":null,"last_seen":null,"value":"rule android_flubot {\r\n meta:\r\n author = \"Thomas Barabosch, Telekom Security\"\r\n version = \"20210720\"\r\n description = \"matches on dumped, decrypted V/DEX files of Flubot version > 4.2\"\r\n sample = \"37be18494cd03ea70a1fdd6270cef6e3\"\r\n\r\n strings:\r\n $dex = \"dex\"\r\n $vdex = \"vdex\"\r\n $s1 = \"LAYOUT_MANAGER_CONSTRUCTOR_SIGNATURE\"\r\n $s2 = \"java/net/HttpURLConnection;\"\r\n $s3 = \"java/security/spec/X509EncodedKeySpec;\"\r\n $s4 = \"MANUFACTURER\"\r\n\r\n condition:\r\n ($dex at 0 or $vdex at 0)\r\n and 3 of 
($s*)\r\n}","Galaxy":[],"ShadowAttribute":[]}],"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[{"id":"30","uuid":"1d1c9af9-37fa-4deb-a928-f9b0abc7354a","name":"Malpedia","type":"malpedia","description":"Malware galaxy based on Malpedia archive.","version":"1","icon":"shield","namespace":"misp","enabled":true,"local_only":false,"GalaxyCluster":[{"id":"4379","uuid":"ef91833f-3334-4955-9218-f106494e9fc0","collection_uuid":"5fc98d08-90a4-498a-ad2e-0edf50ef374e","type":"malpedia","value":"FluBot","tag_name":"misp-galaxy:malpedia=\"FluBot\"","description":"PRODAFT describes FluBot as a banking malware, targeting Spain and potentially German-, Polish-, and English-speaking users. It uses a DGA for it's C&C.","galaxy_id":"30","source":"Malpedia","authors":["Davide Arcuri","Alexandre Dulaunoy","Steffen Enders","Andrea Garavaglia","Andras Iklody","Daniel Plohmann","Christophe Vandeplas"],"version":"8790","distribution":"3","sharing_group_id":null,"org_id":"0","orgc_id":"0","default":true,"locked":false,"extends_uuid":"","extends_version":"0","published":false,"deleted":false,"GalaxyClusterRelation":[],"Org":{"id":"0","name":"MISP","date_created":"","date_modified":"","description":"Automatically generated MISP organisation","type":"","nationality":"Not specified","sector":"","created_by":"0","uuid":"0","contacts":"","local":true,"restricted_to_domain":[],"landingpage":null},"Orgc":{"id":"0","name":"MISP","date_created":"","date_modified":"","description":"Automatically generated MISP organisation","type":"","nationality":"Not 
specified","sector":"","created_by":"0","uuid":"0","contacts":"","local":true,"restricted_to_domain":[],"landingpage":null},"meta":{"refs":["https://malpedia.caad.fkie.fraunhofer.de/details/apk.flubot","https://medium.com/walmartglobaltech/a-look-at-an-android-bot-from-unpacking-to-dga-e331554f9fb9","https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/FluBot.pdf"]},"tag_id":"65","local":false}]},{"id":"48","uuid":"c4e851fa-775f-11e7-8163-b77492209