{ "type": "URL", "indicator": "https://hub.docker.com/u/buenosjiji662", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://hub.docker.com/u/buenosjiji662", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #3757", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain docker.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain docker.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3755757487, "indicator": "https://hub.docker.com/u/buenosjiji662", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "6508bb49cffd303da59abe4a", "name": "AMBERSQUID Cryptojacking Campaign Sets Sights on Unusual AWS Services", "description": "A new cloud-native cryptojacking scheme has focused its attention on less common Amazon Web Services (AWS) services like AWS Amplify, AWS Fargate, and Amazon SageMaker for the unauthorized mining of cryptocurrency. Researchers have assigned the code name \"AMBERSQUID\" to the malicious cyber operations.", "modified": "2023-10-18T19:03:07.269000", "created": "2023-09-18T21:04:09.970000", "tags": [ "perl", "code language", "amplify", "docker hub", "fargate", "ambersquid", "aws amplify", "indonesian", "github account", "docker", "august", "virustotal", "glue" ], "references": [ "https://sysdig.com/blog/ambersquid/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1526", "name": "Cloud Service Discovery", "display_name": "T1526 - Cloud Service Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 62, "domain": 4, "hostname": 25 }, "indicator_count": 91, "is_author": false, "is_subscribing": null, "subscriber_count": 213, "modified_text": "957 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://sysdig.com/blog/ambersquid/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 92 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/docker.com", "whois": "http://whois.domaintools.com/docker.com", "domain": "docker.com", "hostname": "hub.docker.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "6508bb49cffd303da59abe4a", "name": "AMBERSQUID Cryptojacking Campaign Sets Sights on Unusual AWS Services", "description": "A new cloud-native cryptojacking scheme has focused its attention on less common Amazon Web Services (AWS) services like AWS Amplify, AWS Fargate, and Amazon SageMaker for the unauthorized mining of cryptocurrency. Researchers have assigned the code name \"AMBERSQUID\" to the malicious cyber operations.", "modified": "2023-10-18T19:03:07.269000", "created": "2023-09-18T21:04:09.970000", "tags": [ "perl", "code language", "amplify", "docker hub", "fargate", "ambersquid", "aws amplify", "indonesian", "github account", "docker", "august", "virustotal", "glue" ], "references": [ "https://sysdig.com/blog/ambersquid/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1526", "name": "Cloud Service Discovery", "display_name": "T1526 - Cloud Service Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 62, "domain": 4, "hostname": 25 }, "indicator_count": 91, "is_author": false, "is_subscribing": null, "subscriber_count": 213, "modified_text": "957 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://hub.docker.com/u/buenosjiji662", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://hub.docker.com/u/buenosjiji662", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780344981.1565096 }