{
"type": "bundle",
"id": "bundle--58724cbf-5508-4425-ab89-4f61950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-09T07:25:11.000Z",
"modified": "2017-01-09T07:25:11.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--58724cbf-5508-4425-ab89-4f61950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-09T07:25:11.000Z",
"modified": "2017-01-09T07:25:11.000Z",
"name": "OSINT - Fancy Bear Source Code",
"published": "2017-01-09T07:25:22Z",
"object_refs": [
"x-misp-attribute--58724d03-65d4-4872-962a-4263950d210f",
"x-misp-attribute--58724d25-fbd4-4270-8f3c-4289950d210f",
"observed-data--58724d6c-0e30-4815-aa87-499c950d210f",
"url--58724d6c-0e30-4815-aa87-499c950d210f",
"indicator--58724d9c-d95c-4221-91a4-409e950d210f",
"indicator--58724db2-4a54-4329-93b6-444f950d210f",
"indicator--58724de8-45f0-4f8e-be18-41a0950d210f",
"indicator--58724e47-f46c-4c95-bdc9-47b9950d210f",
"indicator--58724e70-bc04-467e-a1ac-434e950d210f",
"indicator--58725095-9bfc-4bb1-b047-4822950d210f",
"indicator--58725097-6eb0-4520-8318-48f8950d210f",
"indicator--58725098-349c-4071-aa86-48fb950d210f",
"indicator--58733ad7-1798-4cb7-b296-43cc950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:threat-actor=\"Sofacy\"",
"misp-galaxy:microsoft-activity-group=\"STRONTIUM\"",
"osint:certainty=\"75\"",
"osint:source-type=\"source-code-repository\"",
"ms-caro-malware:malware-platform=\"Python\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58724d03-65d4-4872-962a-4263950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-08T14:43:03.000Z",
"modified": "2017-01-08T14:43:03.000Z",
"labels": [
"misp:type=\"github-repository\"",
"misp:category=\"Social network\""
],
"x_misp_category": "Social network",
"x_misp_comment": "Source of the information - IR performed by the github user and pushed publicly",
"x_misp_type": "github-repository",
"x_misp_value": "rickey-g/fancybear"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58724d25-fbd4-4270-8f3c-4289950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-08T14:31:01.000Z",
"modified": "2017-01-08T14:31:01.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "# Fancy Bear Source Code \r\nThis repo contains actual source code found during IR.\r\nThe code provides a communication channel for the attacker and infected client. It uses Google's gmail servers to send and receive encoded messages.\r\n\r\n### Some artifacts are summorized below\r\n- Comments are in english, with a lot of grammar mistakes\r\n- Subject of an email is: '**piradi nomeri**'. This is Georgian language\r\n- It saves files with **dataluri_**timetsamp.dat. 'Dataluri' is also Georgian for \"details\".\r\n- In the email body it uses the word: \"**gamarjoba**\". Meaning 'Hello' in Russian and Georgian.\r\n\r\n### These are the Gmail account details used, I've verified they once worked (but not anymore!)\r\n- POP3_MAIL_IP = 'pop.gmail.com' \r\n- POP3_PORT = 995\r\n- POP3_ADDR = 'jassnovember30@gmail.com'\r\n- POP3_PASS = '30Jass11'\r\n- SMTP_MAIL_IP = 'smtp.gmail.com'\r\n- SMTP_PORT = 587\r\n- SMTP_TO_ADDR = 'userdf783@mailtransition.com'\r\n- SMTP_FROM_ADDR = 'ginabetz75@gmail.com'\r\n- SMTP_PASS = '75Gina75'\r\n \r\n### Command and Control server\r\n- XAS_IP = '104.152.187.66'\r\n- XAS_GATE = '/updates/'\r\n\r\n**The code is completely left as found on the original server, including the log files.**"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58724d6c-0e30-4815-aa87-499c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-08T14:44:08.000Z",
"modified": "2017-01-08T14:44:08.000Z",
"first_observed": "2017-01-08T14:44:08Z",
"last_observed": "2017-01-08T14:44:08Z",
"number_observed": 1,
"object_refs": [
"url--58724d6c-0e30-4815-aa87-499c950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58724d6c-0e30-4815-aa87-499c950d210f",
"value": "https://github.com/rickey-g/fancybear"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58724d9c-d95c-4221-91a4-409e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-08T14:33:00.000Z",
"modified": "2017-01-08T14:33:00.000Z",
"pattern": "[email-message:from_ref.value = 'jassnovember30@gmail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-08T14:33:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58724db2-4a54-4329-93b6-444f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-08T14:33:22.000Z",
"modified": "2017-01-08T14:33:22.000Z",
"pattern": "[email-message:to_refs[*].value = 'userdf783@mailtransition.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-08T14:33:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-dst\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58724de8-45f0-4f8e-be18-41a0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-08T14:34:16.000Z",
"modified": "2017-01-08T14:34:16.000Z",
"pattern": "[email-message:to_refs[*].value = 'ginabetz75@gmail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-08T14:34:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-dst\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58724e47-f46c-4c95-bdc9-47b9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-08T14:35:51.000Z",
"modified": "2017-01-08T14:35:51.000Z",
"description": "Command and Control server in default config",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.152.187.66']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-08T14:35:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58724e70-bc04-467e-a1ac-434e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-08T14:36:32.000Z",
"modified": "2017-01-08T14:36:32.000Z",
"description": "Command and Control server",
"pattern": "[url:value = '104.152.187.66/updates/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-08T14:36:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58725095-9bfc-4bb1-b047-4822950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-08T14:45:41.000Z",
"modified": "2017-01-08T14:45:41.000Z",
"description": "zip file of the github master branch",
"pattern": "[file:content_ref.payload_bin = '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
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-08T14:45:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"malware-sample\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58725097-6eb0-4520-8318-48f8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-08T14:45:43.000Z",
"modified": "2017-01-08T14:45:43.000Z",
"description": "zip file of the github master branch",
"pattern": "[file:name = 'fancybear-master.zip' AND file:hashes.SHA1 = '4e63fc81bc611b5efcfd1091fc63ca6e3cc80842']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-08T14:45:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58725098-349c-4071-aa86-48fb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-08T14:45:44.000Z",
"modified": "2017-01-08T14:45:44.000Z",
"description": "zip file of the github master branch",
"pattern": "[file:name = 'fancybear-master.zip' AND file:hashes.SHA256 = '26bb761ced7b7b1b418f46d3908ac626985480795ce5e4b659c59eb5acd1fdab']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-08T14:45:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58733ad7-1798-4cb7-b296-43cc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-09T07:25:11.000Z",
"modified": "2017-01-09T07:25:11.000Z",
"pattern": "[url:value = 'http://trasitionmail.com/mail2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-09T07:25:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}