misp-circl-feed/feeds/circl/stix-2.1/585bd19b-43a4-4b35-9023-4d60950d210f.json

241 lines
13 KiB
JSON
Raw Permalink Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--585bd19b-43a4-4b35-9023-4d60950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T13:19:19.000Z",
"modified": "2016-12-22T13:19:19.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--585bd19b-43a4-4b35-9023-4d60950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T13:19:19.000Z",
"modified": "2016-12-22T13:19:19.000Z",
"name": "OSINT - Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units",
"published": "2016-12-22T13:19:34Z",
"object_refs": [
"x-misp-attribute--585bd1c0-3154-4180-ad13-19c8950d210f",
"indicator--585bd1dc-9354-4c00-b6a6-19c8950d210f",
"observed-data--585bd1ed-a290-48d1-be47-49fa950d210f",
"url--585bd1ed-a290-48d1-be47-49fa950d210f",
"indicator--585bd286-c11c-4b6e-a08e-4e1f950d210f",
"indicator--585bd2b3-1e1c-462f-b7e4-473f950d210f",
"indicator--585bd2d7-d830-46c3-a138-471502de0b81",
"indicator--585bd2d8-a480-435c-b1bb-461802de0b81",
"observed-data--585bd2d8-8c28-442d-8e18-474a02de0b81",
"url--585bd2d8-8c28-442d-8e18-474a02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:threat-actor=\"Sofacy\"",
"misp-galaxy:tool=\"X-Agent\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--585bd1c0-3154-4180-ad13-19c8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T13:14:40.000Z",
"modified": "2016-12-22T13:14:40.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "In June CrowdStrike identified and attributed a series of targeted intrusions at the Democratic National Committee (DNC), and other political organizations that utilized a well known implant commonly called X-Agent. X-Agent is a cross platform remote access toolkit, variants have been identified for various Windows operating systems, Apple\u00e2\u20ac\u2122s iOS, and likely the MacOS. Also known as Sofacy, X-Agent has been tracked by the security community for almost a decade, CrowdStrike associates the use of X-Agent with an actor we call FANCY BEAR. This actor to date is the exclusive operator of the malware, and has continuously developed the platform for ongoing operations which CrowdStrike assesses is likely tied to Russian Military Intelligence (GRU). The source code to this malware has not been observed in the public domain and appears to have been developed uniquely by FANCY BEAR.\r\n\r\nLate in the summer of 2016, CrowdStrike Intelligence analysts began investigating a curious Android Package (APK) named \u00e2\u20ac\u02dc\u00d0\u0178\u00d0\u00be\u00d0\u00bf\u00d1\u20ac-\u00d0\u201d30.apk\u00e2\u20ac\u2122 (MD5: 6f7523d3019fa190499f327211e01fcb) which contained a number of Russian language artifacts that were military in nature. Initial research identified that the filename suggested a relationship to the D-30 122mm towed howitzer, an artillery weapon first manufactured in the Soviet Union in the 1960s but still in use today. In-depth reverse engineering revealed the APK contained an Android variant of X-Agent, the command and control protocol was closely linked to observed Windows variants of X-Agent, and utilized a cryptographic algorithm called RC4 with a very similar 50 byte base key."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585bd1dc-9354-4c00-b6a6-19c8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T13:15:08.000Z",
"modified": "2016-12-22T13:15:08.000Z",
"description": "CrowdStrike Intelligence analysts began investigating a curious Android Package (APK) named \u00e2\u20ac\u02dc\u00d0\u0178\u00d0\u00be\u00d0\u00bf\u00d1\u20ac-\u00d0\u201d30.apk\u00e2\u20ac\u2122 (MD5: 6f7523d3019fa190499f327211e01fcb) which contained a number of Russian language artifacts that were military in nature.",
"pattern": "[file:hashes.MD5 = '6f7523d3019fa190499f327211e01fcb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T13:15:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--585bd1ed-a290-48d1-be47-49fa950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T13:15:25.000Z",
"modified": "2016-12-22T13:15:25.000Z",
"first_observed": "2016-12-22T13:15:25Z",
"last_observed": "2016-12-22T13:15:25Z",
"number_observed": 1,
"object_refs": [
"url--585bd1ed-a290-48d1-be47-49fa950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--585bd1ed-a290-48d1-be47-49fa950d210f",
"value": "https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585bd286-c11c-4b6e-a08e-4e1f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T13:17:58.000Z",
"modified": "2016-12-22T13:17:58.000Z",
"description": "Late in the summer of 2016, CrowdStrike Intelligence analysts began investigating a curious Android Package (APK) named \u00e2\u20ac\u02dc\u00d0\u0178\u00d0\u00be\u00d0\u00bf\u00d1\u20ac-\u00d0\u201d30.apk\u00e2\u20ac\u2122 (MD5: 6f7523d3019fa190499f327211e01fcb) which contained a number of Russian language artifacts that were military in nature.",
"pattern": "[file:name = '\u00d0\u0178\u00d0\u00be\u00d0\u00bf\u00d1\u20ac-\u00d0\u201d30.apk']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T13:17:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585bd2b3-1e1c-462f-b7e4-473f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T13:18:43.000Z",
"modified": "2016-12-22T13:18:43.000Z",
"description": "Snort rule matches on the X-Agent-Android C2 beacon request",
"pattern": "[alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (\\\r\nmsg: \u00e2\u20ac\u0153CrowdStrike FANCY BEAR X-Agent Android C2 Request\u00e2\u20ac\u009d; \\\r\nflow: established,to_server; \\\r\ncontent: \u00e2\u20ac\u0153lm=\u00e2\u20ac\u009d; http_uri; \\\r\npcre: \u00e2\u20ac\u0153/^\\/(watch|search|find|results|open|close)\\/\\?/U\u00e2\u20ac\u009d; \\\r\npcre: \u00e2\u20ac\u0153/[\\?\\&](text|from|ags|oe|aq|btnG|oprnd)=/U\u00e2\u20ac\u009d; \\\r\nclasstype: trojan-activity; metadata: service http; \\\r\nsid: XXXX; rev: 20160815;)]",
"pattern_type": "snort",
2023-12-14 14:30:15 +00:00
"pattern_version": "2.1",
2023-04-21 14:44:17 +00:00
"valid_from": "2016-12-22T13:18:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585bd2d7-d830-46c3-a138-471502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T13:19:19.000Z",
"modified": "2016-12-22T13:19:19.000Z",
"description": "CrowdStrike Intelligence analysts began investigating a curious Android Package (APK) named \u00e2\u20ac\u02dc\u00d0\u0178\u00d0\u00be\u00d0\u00bf\u00d1\u20ac-\u00d0\u201d30.apk\u00e2\u20ac\u2122 (MD5: 6f7523d3019fa190499f327211e01fcb) which contained a number of Russian language artifacts that were military in nature. - Xchecked via VT: 6f7523d3019fa190499f327211e01fcb",
"pattern": "[file:hashes.SHA256 = '02de72e43d578c45d9d6359299cb2d47771081617ff01363b736414eb831deea']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T13:19:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585bd2d8-a480-435c-b1bb-461802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T13:19:20.000Z",
"modified": "2016-12-22T13:19:20.000Z",
"description": "CrowdStrike Intelligence analysts began investigating a curious Android Package (APK) named \u00e2\u20ac\u02dc\u00d0\u0178\u00d0\u00be\u00d0\u00bf\u00d1\u20ac-\u00d0\u201d30.apk\u00e2\u20ac\u2122 (MD5: 6f7523d3019fa190499f327211e01fcb) which contained a number of Russian language artifacts that were military in nature. - Xchecked via VT: 6f7523d3019fa190499f327211e01fcb",
"pattern": "[file:hashes.SHA1 = 'c492d80fc6797b06105a20b98a0263b239d2ea27']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T13:19:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--585bd2d8-8c28-442d-8e18-474a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T13:19:20.000Z",
"modified": "2016-12-22T13:19:20.000Z",
"first_observed": "2016-12-22T13:19:20Z",
"last_observed": "2016-12-22T13:19:20Z",
"number_observed": 1,
"object_refs": [
"url--585bd2d8-8c28-442d-8e18-474a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--585bd2d8-8c28-442d-8e18-474a02de0b81",
"value": "https://www.virustotal.com/file/02de72e43d578c45d9d6359299cb2d47771081617ff01363b736414eb831deea/analysis/1482411451/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}