{"response": [{"Event":{"id":"7949","orgc_id":"22","org_id":"22","date":"2020-01-15","threat_level_id":"3","info":".Club Phishing, kits using Google reCaptcha","published":false,"uuid":"5e1e6e00-b998-451f-b9d5-43e10a0a020f","attribute_count":"36","analysis":"0","timestamp":"1579053382","distribution":"3","proposal_email_lock":false,"locked":false,"publish_timestamp":"0","sharing_group_id":"0","disable_correlation":false,"extends_uuid":"","event_creator_email":"brian@laskowski-tech.com","Org":{"id":"22","name":"laskowski-tech.com","uuid":"5e157d76-c92c-4acd-a54e-4a01950d210f","local":true},"Orgc":{"id":"22","name":"laskowski-tech.com","uuid":"5e157d76-c92c-4acd-a54e-4a01950d210f","local":true},"Attribute":[{"id":"2846254","type":"domain","category":"Payload delivery","to_ids":true,"uuid":"5e1e6e6c-fb40-4933-9c52-44e174656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"apps.secureservers.club","Galaxy":[],"ShadowAttribute":[]},{"id":"2846255","type":"url","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-7594-4c8b-81a1-4df674656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"https:\/\/apps.secureservers.club\/?e=","Galaxy":[],"ShadowAttribute":[]},{"id":"2846256","type":"url","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-2668-412b-b77c-403074656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"main landing page for phishing kit after completing captcha","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"https:\/\/apps.secureservers.club\/main\/main.php","Galaxy":[],"ShadowAttribute":[]},{"id":"2846257","type":"url","category":"Network 
activity","to_ids":true,"uuid":"5e1e6e6c-3288-4db5-8914-4f8b74656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"POST for creds is sent to this URL on site","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"https:\/\/apps.secureservers.club\/\/main\/action.php","Galaxy":[],"ShadowAttribute":[]},{"id":"2846258","type":"ip-dst","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-b0c0-44a3-bf71-41da74656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"IP hosting apps.secureservers.club phishing site","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"172.245.36.114","Galaxy":[],"ShadowAttribute":[]},{"id":"2846259","type":"url","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-4f38-45b6-b344-405374656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/notmsg.esms1.xyz?e=","Galaxy":[],"ShadowAttribute":[]},{"id":"2846260","type":"url","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-cb18-45f4-a696-4d6574656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"main landing page for phishing kit after completing captcha","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/notmsg.esms1.xyz\/main\/main.php","Galaxy":[],"ShadowAttribute":[]},{"id":"2846261","type":"url","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-f208-40dc-9c11-494874656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"POST for creds is sent to this URL on 
site","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"http:\/\/notmsg.esms1.xyz\/main\/action.php","Galaxy":[],"ShadowAttribute":[]},{"id":"2846262","type":"ip-dst","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-2d50-413e-9da4-45c074656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"hosting notmsg.esms1.xyz and msgvoip.esms1.xyz phishing sites","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"192.119.111.226","Galaxy":[],"ShadowAttribute":[]},{"id":"2846263","type":"url","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-2ec8-4305-84a2-435774656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"https:\/\/msgvoip.esms1.xyz\/main\/action.php","Galaxy":[],"ShadowAttribute":[]},{"id":"2846264","type":"url","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-b830-4d92-ad36-444574656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"https:\/\/msgvoip.esms1.xyz\/main\/main.php","Galaxy":[],"ShadowAttribute":[]},{"id":"2846265","type":"url","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-0654-4fdc-86a6-4f8674656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"https:\/\/msgvoip.esms1.xyz\/?e=","Galaxy":[],"ShadowAttribute":[]},{"id":"2846266","type":"domain","category":"Payload 
delivery","to_ids":true,"uuid":"5e1e6e6c-1788-4d4c-82e4-451c74656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"msgvoip.esms1.xyz","Galaxy":[],"ShadowAttribute":[]},{"id":"2846267","type":"url","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-e9d8-4f76-bd4c-451874656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"https:\/\/audionote.vsms1.xyz\/?e=","Galaxy":[],"ShadowAttribute":[]},{"id":"2846268","type":"url","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-c2e8-4110-b0a5-4fe674656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"https:\/\/notevoip.vsms1.xyz\/?e=","Galaxy":[],"ShadowAttribute":[]},{"id":"2846269","type":"url","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-867c-45a9-840a-4e1d74656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"https:\/\/voicmg.vm-c.xyz\/?e=","Galaxy":[],"ShadowAttribute":[]},{"id":"2846270","type":"url","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-bc28-4cd7-a2ed-4b7f74656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"https:\/\/geraldojuniorpalestrante.com.br\/?e=","Galaxy":[],"ShadowAttribute":[]},{"id":"2846271","type":"url","category":"Network 
activity","to_ids":true,"uuid":"5e1e6e6c-eb0c-4921-987e-42b074656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"https:\/\/apps.extensioncalls.online\/?e=","Galaxy":[],"ShadowAttribute":[]},{"id":"2846272","type":"url","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-9560-4326-a8e8-408374656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"https:\/\/voicemanager.businessconnects.online\/?e=","Galaxy":[],"ShadowAttribute":[]},{"id":"2846273","type":"ip-dst","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-a078-439a-af03-465c74656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"hosting phishing site voicemanager.businessconnects.online","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"107.174.253.208","Galaxy":[],"ShadowAttribute":[]},{"id":"2846274","type":"ip-dst","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-c10c-4acf-bc71-42cf74656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"hosting phishing site for geraldojuniorpalestrante.com.br","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"162.241.203.20","Galaxy":[],"ShadowAttribute":[]},{"id":"2846275","type":"ip-dst","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-8014-423e-a588-4c0674656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"hosting phishing site for 
apps.extensioncalls.online","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"192.3.1.146","Galaxy":[],"ShadowAttribute":[]},{"id":"2846276","type":"ip-dst","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-391c-4a1c-b3e2-443a74656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"hosting phishing sites notevoip.vsms1.xyz and audionote.vsms1.xyz","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"192.119.111.230","Galaxy":[],"ShadowAttribute":[]},{"id":"2846277","type":"ip-dst","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-0f14-4578-bb2b-47a874656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"hosting phishing site for voicmg.vm-c.xyz","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"104.168.136.214","Galaxy":[],"ShadowAttribute":[]},{"id":"2846278","type":"domain","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-d07c-4a9c-a847-408c74656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"apps.extensioncalls.online","Galaxy":[],"ShadowAttribute":[]},{"id":"2846279","type":"domain","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-d8d8-4948-b9f5-494274656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"geraldojuniorpalestrante.com.br","Galaxy":[],"ShadowAttribute":[]},{"id":"2846280","type":"domain","category":"Network 
activity","to_ids":true,"uuid":"5e1e6e6c-6978-4962-a777-441074656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"notmsg.esms1.xyz","Galaxy":[],"ShadowAttribute":[]},{"id":"2846281","type":"domain","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-6fa0-4717-a991-477c74656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"voicemanager.businessconnects.online","Galaxy":[],"ShadowAttribute":[]},{"id":"2846282","type":"domain","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-66cc-412b-90d0-41b774656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"www.geraldojuniorpalestrante.com.br","Galaxy":[],"ShadowAttribute":[]},{"id":"2846283","type":"domain","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-4774-4c19-ac62-419774656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"app.audioserv.club","Galaxy":[],"ShadowAttribute":[]},{"id":"2846284","type":"domain","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-de5c-4351-aae6-49d974656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"mail.seversync.club","Galaxy":[],"ShadowAttribute":[]},{"id":"2846285","type":"domain","category":"Network 
activity","to_ids":true,"uuid":"5e1e6e6c-f2f8-43f7-963c-4b5874656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"ted.mecoreing.com","Galaxy":[],"ShadowAttribute":[]},{"id":"2846286","type":"domain","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-5c58-44e2-affb-43dc74656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"voice-app.audioservice.club","Galaxy":[],"ShadowAttribute":[]},{"id":"2846287","type":"domain","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-d35c-46be-a71c-472c74656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"voiceapp-resource.msvoicewave.club","Galaxy":[],"ShadowAttribute":[]},{"id":"2846288","type":"domain","category":"Network activity","to_ids":true,"uuid":"5e1e6e6c-2ba0-45fa-9055-4d8e74656a8a","event_id":"7949","distribution":"5","timestamp":"1579052652","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"voip.vpreviews.club","Galaxy":[],"ShadowAttribute":[]},{"id":"2846289","type":"link","category":"External analysis","to_ids":false,"uuid":"5e1e7146-13d0-47ca-918d-c0d70a0a020f","event_id":"7949","distribution":"5","timestamp":"1579053382","comment":"","sharing_group_id":"0","deleted":false,"disable_correlation":false,"object_id":"0","object_relation":null,"value":"https:\/\/laskowski-tech.com\/2020\/01\/15\/club-phish\/","Galaxy":[],"ShadowAttribute":[]}],"ShadowAttribute":[],"RelatedEvent":[],"Galaxy":[{"id":"2","uuid":"c4e851fa-775f-11e7-8163-b774922098cd","name":"Attack 
Pattern","type":"mitre-attack-pattern","description":"ATT&CK Tactic","version":"8","icon":"map","namespace":"mitre-attack","kill_chain_order":{"mitre-attack":["initial-access","execution","persistence","privilege-escalation","defense-evasion","credential-access","discovery","lateral-movement","collection","command-and-control","exfiltration","impact"],"mitre-mobile-attack":["initial-access","persistence","privilege-escalation","defense-evasion","credential-access","discovery","lateral-movement","effects","collection","exfiltration","command-and-control","network-effects","remote-service-effects"],"mitre-pre-attack":["priority-definition-planning","priority-definition-direction","target-selection","technical-information-gathering","people-information-gathering","organizational-information-gathering","technical-weakness-identification","people-weakness-identification","organizational-weakness-identification","adversary-opsec","establish-&-maintain-infrastructure","persona-development","build-capabilities","test-capabilities","stage-capabilities"]},"GalaxyCluster":[{"id":"6161","collection_uuid":"dcb864dc-775f-11e7-9fbb-1f41b4996683","type":"mitre-attack-pattern","value":"Spearphishing Attachment - T1193","tag_name":"misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"","description":"Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https:\/\/attack.mitre.org\/techniques\/T1204) to gain execution.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. 
Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.","galaxy_id":"2","source":"https:\/\/github.com\/mitre\/cti","authors":["MITRE"],"version":"9","uuid":"6aac77c4-eaf2-4366-8c13-ce50ab951f38","tag_id":"562","meta":{"external_id":["CAPEC-163"],"kill_chain":["mitre-attack:initial-access"],"mitre_data_sources":["File monitoring","Packet capture","Network intrusion detection system","Detonation chamber","Email gateway","Mail server"],"mitre_platforms":["Windows","macOS","Linux"],"refs":["https:\/\/attack.mitre.org\/techniques\/T1193","https:\/\/capec.mitre.org\/data\/definitions\/163.html"]},"local":false}]}],"Object":[],"Tag":[{"id":"452","name":"Phishing","colour":"#856c13","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"3","name":"tlp:white","colour":"#ffffff","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"1076","name":"reCaptcha","colour":"#21a6a6","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null},{"id":"562","name":"misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"","colour":"#0088cc","exportable":true,"user_id":"0","hide_tag":false,"numerical_value":null}]}}]}