From 873f6e2931da8556df27084665e0a6ad5177dc5d Mon Sep 17 00:00:00 2001
From: masaomi346
Date: Fri, 18 Aug 2023 17:45:05 +0900
Subject: [PATCH 1/5] add yml

---
 indicators/ETC-funccode.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 indicators/ETC-funccode.yml

diff --git a/indicators/ETC-funccode.yml b/indicators/ETC-funccode.yml
new file mode 100644
index 00000000..32697313
--- /dev/null
+++ b/indicators/ETC-funccode.yml
@@ -0,0 +1,20 @@
+title: ETC_PhishingDetection
+description: |
+  Detects an ETC phishing targeting Japanese users.(etc-meisai.jp)
+
+references:
+  - https://urlscan.io/result/e623c655-a8f4-470d-9e83-be7bd8c201c6
+  - https://urlscan.io/result/e33beca0-d6d7-4bfd-8a57-3818d079d504
+  - https://urlscan.io/result/516e7e00-2ddb-4036-b44c-33456e3e195a
+
+detection:
+  ETCTitle:
+    title: 'ETC利用照会サービス'
+  pagePHP:
+    requests|contains: 'funccode.php'
+
+  condition: ETCTitle and pagePHP
+
+tags:
+  - target.etc-meisai
+  - target_country.japan

From d707a3d529d8d2547cee23bcaab34211cdcf2bdb Mon Sep 17 00:00:00 2001
From: masaomi346
Date: Sat, 19 Aug 2023 09:08:16 +0900
Subject: [PATCH 2/5] update yml

---
 indicators/ETC-funccode.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/indicators/ETC-funccode.yml b/indicators/ETC-funccode.yml
index 32697313..16b099e4 100644
--- a/indicators/ETC-funccode.yml
+++ b/indicators/ETC-funccode.yml
@@ -1,4 +1,4 @@
-title: ETC_PhishingDetection
+title: ETC_Phishing_funccode
 description: |
   Detects an ETC phishing targeting Japanese users.(etc-meisai.jp)
 
@@ -16,5 +16,5 @@ detection:
   condition: ETCTitle and pagePHP
 
 tags:
-  - target.etc-meisai
+  - target.etc_meisai
   - target_country.japan

From 43d2edfa420012a3fb074934e721c04558f16b41 Mon Sep 17 00:00:00 2001
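Review bot: In the new ETC rule, `pagePHP` matches `funccode.php` as a bare substring of any request URL, so the rule's precision rests on that one filename alone, because the `ETCTitle` string is presumably the legitimate service's own page title and would match the real site or a benign copy of it just as well. That dependency is worth recording in the description, e.g. `The funccode.php request is the kit-specific signal; the page title alone is shared with the legitimate site`, so a later edit does not relax `pagePHP` without noticing. The description also uses `|`, which keeps a trailing newline where `|-` is the usual choice for a one-line text, and `users.(etc-meisai.jp)` reads better as `users (etc-meisai.jp)`. The PATCH 2/5 hunks on this line are renames only.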
From: masaomi346
Date: Tue, 22 Aug 2023 10:37:18 +0900
Subject: [PATCH 3/5] rename yml

---
 indicators/{ETC-funccode.yml => ETC-e623c655.yml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename indicators/{ETC-funccode.yml => ETC-e623c655.yml} (94%)

diff --git a/indicators/ETC-funccode.yml b/indicators/ETC-e623c655.yml
similarity index 94%
rename from indicators/ETC-funccode.yml
rename to indicators/ETC-e623c655.yml
index 16b099e4..db22aadd 100644
--- a/indicators/ETC-funccode.yml
+++ b/indicators/ETC-e623c655.yml
@@ -1,4 +1,4 @@
-title: ETC_Phishing_funccode
+title: ETC Phishing Kit e623c655
 description: |
   Detects an ETC phishing targeting Japanese users.(etc-meisai.jp)
 

From 48334d5055521d5b61eac9dfc8dfbf9367025197 Mon Sep 17 00:00:00 2001
From: masaomi346
Date: Wed, 23 Aug 2023 15:25:38 +0900
Subject: [PATCH 4/5] add yml

---
 indicators/smbc-acab82b5.yml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 indicators/smbc-acab82b5.yml

diff --git a/indicators/smbc-acab82b5.yml b/indicators/smbc-acab82b5.yml
new file mode 100644
index 00000000..400126aa
--- /dev/null
+++ b/indicators/smbc-acab82b5.yml
@@ -0,0 +1,23 @@
+title: SMBC Phishing Kit acab82b5
+description: |
+  Detects a SMBC phishing kit targeting Japanese users.
+
+references:
+  - https://urlscan.io/result/acab82b5-6182-4cab-96b1-7e2af19b668b
+  - https://urlscan.io/result/a8a41bab-97ed-43d8-85d8-d760161ab317
+  - https://urlscan.io/result/607f6acb-1301-4ca5-9e33-0e0ca5b7c359
+  - https://urlscan.io/result/6c29c34f-1dac-433c-b2d9-005bd8db3ee1
+
+
+detection:
+  FormContains:
+    html|contains:
+      - 'method="post" id="tijiao" action="1.php"'
+  SMBCTitle:
+    title: '三井住友カード会員向けサービス「Vpass」ログイン'
+
+  condition: FormContains and SMBCTitle
+
+tags:
+  - target.smbc
+  - target_country.japan
\ No newline at end of file

From 923e1efaee54e40d5b8b92b91874b26a8c66fd34 Mon Sep 17 00:00:00 2001
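Review bot: In the new SMBC rule, `FormContains` depends on the exact attribute order and spacing of `method="post" id="tijiao" action="1.php"`, so any re-serialization of that form tag by the kit or by the scanner's DOM capture silently drops the match, while the `SMBCTitle` string is presumably copied from the legitimate Vpass login page and matches it too, leaving the form fragment as the only kit-specific signal. A sentence in the description such as `The form selector is a verbatim attribute sequence taken from the referenced scans; re-check new samples before changing it` would keep that trade-off visible to the next editor. The file is also written without a trailing newline, as the `\ No newline at end of file` marker shows, and `Detects a SMBC` should read `Detects an SMBC`. The PATCH 3/5 hunk on this line is a title rename only.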
From: masaomi346
Date: Fri, 25 Aug 2023 10:44:24 +0900
Subject: [PATCH 5/5] update yml

---
 indicators/smbc-acab82b5.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/indicators/smbc-acab82b5.yml b/indicators/smbc-acab82b5.yml
index 400126aa..faa2633c 100644
--- a/indicators/smbc-acab82b5.yml
+++ b/indicators/smbc-acab82b5.yml
@@ -8,15 +8,16 @@ references:
   - https://urlscan.io/result/607f6acb-1301-4ca5-9e33-0e0ca5b7c359
   - https://urlscan.io/result/6c29c34f-1dac-433c-b2d9-005bd8db3ee1
 
-
 detection:
   FormContains:
     html|contains:
       - 'method="post" id="tijiao" action="1.php"'
-  SMBCTitle:
-    title: '三井住友カード会員向けサービス「Vpass」ログイン'
 
-  condition: FormContains and SMBCTitle
+  iframeContains:
+    html|contains:
+      - 'id="aMpc0Wu2zFxeefIt" style="display: none;"'
+
+  condition: FormContains and iframeContains
 
 tags:
   - target.smbc
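Review bot: Dropping `SMBCTitle` leaves the rule with no brand check at all: the title, description and `target.smbc` tag still assert an SMBC phishing kit, but the condition now matches only two markup fragments, the `id="tijiao"` form and the hidden element with `id="aMpc0Wu2zFxeefIt"`, neither of which says anything about the brand. If the title was removed because newer samples vary it, the description should say so; otherwise it is cheap to keep as a third term, `condition: FormContains and iframeContains and SMBCTitle`, with the two removed `SMBCTitle` lines restored. The new selector name `iframeContains` is also misleading, since the matched string is an `id`/`style` attribute pair and nothing in the hunk ties it to an iframe; a name such as `HiddenElementContains` would describe what is actually checked. The file's last line lies outside this hunk and still has no trailing newline.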