{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--5880bb50-2330-42a3-a253-4c08950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:38:11.000Z",
|
||
|
"modified": "2017-01-19T13:38:11.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--5880bb50-2330-42a3-a253-4c08950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:38:11.000Z",
|
||
|
"modified": "2017-01-19T13:38:11.000Z",
|
||
|
"name": "OSINT - FINDING THE RAT\u2019S NEST",
|
||
|
"published": "2017-01-19T13:38:32Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--5880bb6a-6a00-411b-9395-1d0e950d210f",
|
||
|
"url--5880bb6a-6a00-411b-9395-1d0e950d210f",
|
||
|
"x-misp-attribute--5880bb83-31b4-4906-a648-4447950d210f",
|
||
|
"indicator--5880be6d-4ce0-4a6c-af3c-4fc3950d210f",
|
||
|
"observed-data--5880be8e-ab60-4d26-80cd-4828950d210f",
|
||
|
"domain-name--5880be8e-ab60-4d26-80cd-4828950d210f",
|
||
|
"observed-data--5880be8e-8278-46e7-925b-47b2950d210f",
|
||
|
"network-traffic--5880be8e-8278-46e7-925b-47b2950d210f",
|
||
|
"ipv4-addr--5880be8e-8278-46e7-925b-47b2950d210f",
|
||
|
"indicator--5880beae-2e70-43f9-be6b-48ad950d210f",
|
||
|
"indicator--5880befd-2c2c-4308-8871-47e3950d210f",
|
||
|
"indicator--5880befe-0c6c-49d7-90a0-440c950d210f",
|
||
|
"indicator--5880bf2f-f570-4cd5-93d9-1d0e950d210f",
|
||
|
"indicator--5880bf30-10f0-40c2-bc95-1d0e950d210f",
|
||
|
"indicator--5880bf31-d0b0-4c41-bb57-1d0e950d210f",
|
||
|
"indicator--5880bfc0-2bb4-4903-9700-4807950d210f",
|
||
|
"indicator--5880bfc1-0bdc-4713-bfba-483f950d210f",
|
||
|
"indicator--5880bfc2-4618-4d45-b874-43dc950d210f",
|
||
|
"indicator--5880bfc3-75bc-4e71-a80b-420c950d210f",
|
||
|
"indicator--5880bfc3-65c4-4815-951a-4fbd950d210f",
|
||
|
"indicator--5880c003-3ce8-45ef-8a6d-4eb0950d210f",
|
||
|
"indicator--5880c0b7-2e18-4ae8-8a66-425c950d210f",
|
||
|
"indicator--5880c0b8-a8a8-4966-9a76-46ab950d210f",
|
||
|
"indicator--5880c0ff-72f4-4679-891b-402e02de0b81",
|
||
|
"indicator--5880c100-9e5c-477d-bd00-4d6102de0b81",
|
||
|
"observed-data--5880c100-5da8-4221-8728-44d102de0b81",
|
||
|
"url--5880c100-5da8-4221-8728-44d102de0b81",
|
||
|
"indicator--5880c101-32a8-4abd-a7c5-4e3d02de0b81",
|
||
|
"indicator--5880c102-3094-4160-b109-4b7402de0b81",
|
||
|
"observed-data--5880c103-9c50-4447-8d6f-4eb202de0b81",
|
||
|
"url--5880c103-9c50-4447-8d6f-4eb202de0b81",
|
||
|
"indicator--5880c103-47c4-4c29-b062-451502de0b81",
|
||
|
"indicator--5880c104-b694-4afe-96e4-415902de0b81",
|
||
|
"observed-data--5880c105-8f14-42d1-a7e4-43fd02de0b81",
|
||
|
"url--5880c105-8f14-42d1-a7e4-43fd02de0b81",
|
||
|
"indicator--5880c106-6e2c-4db5-b5f7-453202de0b81",
|
||
|
"indicator--5880c106-c7f0-4262-aea9-4a4802de0b81",
|
||
|
"observed-data--5880c107-5c20-412b-8b7c-4c5802de0b81",
|
||
|
"url--5880c107-5c20-412b-8b7c-4c5802de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"misp-galaxy:tool=\"LuminosityLink\"",
|
||
|
"osint:source-type=\"blog-post\"",
|
||
|
"ms-caro-malware:malware-type=\"RemoteAccess\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5880bb6a-6a00-411b-9395-1d0e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:13:14.000Z",
|
||
|
"modified": "2017-01-19T13:13:14.000Z",
|
||
|
"first_observed": "2017-01-19T13:13:14Z",
|
||
|
"last_observed": "2017-01-19T13:13:14Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5880bb6a-6a00-411b-9395-1d0e950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5880bb6a-6a00-411b-9395-1d0e950d210f",
|
||
|
"value": "https://blog.opendns.com/2017/01/18/finding-the-rats-nest/"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5880bb83-31b4-4906-a648-4447950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:13:39.000Z",
|
||
|
"modified": "2017-01-19T13:13:39.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "We\u2019ve spotted a Remote Access Trojan(RAT) and are headed down into the unknown. In this blog post we\u2019re going to examine some malicious infrastructure that we\u2019ve found by pivoting through domains delivering and communicating with RATs.\r\n\r\nA RAT is malware that creates a back door to gain access to the target and its connected resources in order to spy/steal information, drop additional malware such as ransomware, or to enlist the target into a botnet for DDoS purposes. A RAT can basically give all of the same access to a system that the attacker would have if they were physically accessing the target. A RAT has many functionalities: remote desktop control, webcam and microphone control, keylogger, remote shell, crypto miner, download and execute functionalities, screen capturing."
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880be6d-4ce0-4a6c-af3c-4fc3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:26:05.000Z",
|
||
|
"modified": "2017-01-19T13:26:05.000Z",
|
||
|
"pattern": "[url:value = 'http://onsitepowersystems.com/invoice86291320.zip']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:26:05Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5880be8e-ab60-4d26-80cd-4828950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:26:38.000Z",
|
||
|
"modified": "2017-01-19T13:26:38.000Z",
|
||
|
"first_observed": "2017-01-19T13:26:38Z",
|
||
|
"last_observed": "2017-01-19T13:26:38Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"domain-name--5880be8e-ab60-4d26-80cd-4828950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "domain-name",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "domain-name--5880be8e-ab60-4d26-80cd-4828950d210f",
|
||
|
"value": "onsitepowersystems.com"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5880be8e-8278-46e7-925b-47b2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:26:38.000Z",
|
||
|
"modified": "2017-01-19T13:26:38.000Z",
|
||
|
"first_observed": "2017-01-19T13:26:38Z",
|
||
|
"last_observed": "2017-01-19T13:26:38Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"network-traffic--5880be8e-8278-46e7-925b-47b2950d210f",
|
||
|
"ipv4-addr--5880be8e-8278-46e7-925b-47b2950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "network-traffic",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "network-traffic--5880be8e-8278-46e7-925b-47b2950d210f",
|
||
|
"dst_ref": "ipv4-addr--5880be8e-8278-46e7-925b-47b2950d210f",
|
||
|
"protocols": [
|
||
|
"tcp"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "ipv4-addr",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "ipv4-addr--5880be8e-8278-46e7-925b-47b2950d210f",
|
||
|
"value": "191.101.22.47"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880beae-2e70-43f9-be6b-48ad950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:27:10.000Z",
|
||
|
"modified": "2017-01-19T13:27:10.000Z",
|
||
|
"description": "Sample",
|
||
|
"pattern": "[file:hashes.SHA256 = '083bb90a33710585883ae6bbb7f36437c083a5d889a3e4e3994955a53bfa1be0']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:27:10Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880befd-2c2c-4308-8871-47e3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:28:29.000Z",
|
||
|
"modified": "2017-01-19T13:28:29.000Z",
|
||
|
"description": "C2",
|
||
|
"pattern": "[domain-name:value = 'thevm2.biz']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:28:29Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880befe-0c6c-49d7-90a0-440c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:28:30.000Z",
|
||
|
"modified": "2017-01-19T13:28:30.000Z",
|
||
|
"description": "C2",
|
||
|
"pattern": "[domain-name:value = 'blackhills.ddns.net']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:28:30Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880bf2f-f570-4cd5-93d9-1d0e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:29:19.000Z",
|
||
|
"modified": "2017-01-19T13:29:19.000Z",
|
||
|
"description": "Malware dropped (after RAT installation)",
|
||
|
"pattern": "[file:hashes.SHA256 = '0247b0ecbf6069e38e772ef546e63c46262cc77efe5d004a3ec516baf0e74d87']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:29:19Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880bf30-10f0-40c2-bc95-1d0e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:29:20.000Z",
|
||
|
"modified": "2017-01-19T13:29:20.000Z",
|
||
|
"description": "Malware dropped (after RAT installation)",
|
||
|
"pattern": "[file:hashes.SHA256 = '1ae134e146c43891a6e28d917d9cfcf32bb0ff435051261462b57181320b992a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:29:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880bf31-d0b0-4c41-bb57-1d0e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:29:21.000Z",
|
||
|
"modified": "2017-01-19T13:29:21.000Z",
|
||
|
"description": "Malware dropped (after RAT installation)",
|
||
|
"pattern": "[file:hashes.SHA256 = 'ac3ade715adafa5784c43f407843bf8889e7c97c4e62239c1b22f07aab2920c9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:29:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880bfc0-2bb4-4903-9700-4807950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:31:44.000Z",
|
||
|
"modified": "2017-01-19T13:31:44.000Z",
|
||
|
"description": "Potentially malicious domains registered by nie0461@gmail[.]com",
|
||
|
"pattern": "[domain-name:value = 'marciaguthke.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:31:44Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880bfc1-0bdc-4713-bfba-483f950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:31:45.000Z",
|
||
|
"modified": "2017-01-19T13:31:45.000Z",
|
||
|
"description": "Potentially malicious domains registered by nie0461@gmail[.]com",
|
||
|
"pattern": "[domain-name:value = 'email-hosting.us']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:31:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880bfc2-4618-4d45-b874-43dc950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:31:46.000Z",
|
||
|
"modified": "2017-01-19T13:31:46.000Z",
|
||
|
"description": "Potentially malicious domains registered by nie0461@gmail[.]com",
|
||
|
"pattern": "[domain-name:value = 'emailhostings.in']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:31:46Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880bfc3-75bc-4e71-a80b-420c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:31:47.000Z",
|
||
|
"modified": "2017-01-19T13:31:47.000Z",
|
||
|
"description": "Potentially malicious domains registered by nie0461@gmail[.]com",
|
||
|
"pattern": "[domain-name:value = 'myvm2.biz']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:31:47Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880bfc3-65c4-4815-951a-4fbd950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:31:47.000Z",
|
||
|
"modified": "2017-01-19T13:31:47.000Z",
|
||
|
"description": "Potentially malicious domains registered by nie0461@gmail[.]com",
|
||
|
"pattern": "[domain-name:value = 'vm2online.biz']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:31:47Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880c003-3ce8-45ef-8a6d-4eb0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:32:51.000Z",
|
||
|
"modified": "2017-01-19T13:32:51.000Z",
|
||
|
"description": "Domain whose nameservers currently host these panels, and hosted some in the past.",
|
||
|
"pattern": "[domain-name:value = 'hackcom.org']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:32:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880c0b7-2e18-4ae8-8a66-425c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:35:51.000Z",
|
||
|
"modified": "2017-01-19T13:35:51.000Z",
|
||
|
"description": "fake AV support domains",
|
||
|
"pattern": "[domain-name:value = 'irus-os-77h7ft.pw']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:35:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880c0b8-a8a8-4966-9a76-46ab950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:35:52.000Z",
|
||
|
"modified": "2017-01-19T13:35:52.000Z",
|
||
|
"description": "fake AV support domains",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.111.155.6']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:35:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880c0ff-72f4-4679-891b-402e02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:37:03.000Z",
|
||
|
"modified": "2017-01-19T13:37:03.000Z",
|
||
|
"description": "Sample - Xchecked via VT: 083bb90a33710585883ae6bbb7f36437c083a5d889a3e4e3994955a53bfa1be0",
|
||
|
"pattern": "[file:hashes.SHA1 = '81d77e94b1ba8462b81eb27f3fed6faa5b0b7da9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:37:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880c100-9e5c-477d-bd00-4d6102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:37:04.000Z",
|
||
|
"modified": "2017-01-19T13:37:04.000Z",
|
||
|
"description": "Sample - Xchecked via VT: 083bb90a33710585883ae6bbb7f36437c083a5d889a3e4e3994955a53bfa1be0",
|
||
|
"pattern": "[file:hashes.MD5 = '9d30dbac68b18b3a12994a10ff685f40']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:37:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5880c100-5da8-4221-8728-44d102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:37:04.000Z",
|
||
|
"modified": "2017-01-19T13:37:04.000Z",
|
||
|
"first_observed": "2017-01-19T13:37:04Z",
|
||
|
"last_observed": "2017-01-19T13:37:04Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5880c100-5da8-4221-8728-44d102de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5880c100-5da8-4221-8728-44d102de0b81",
|
||
|
"value": "https://www.virustotal.com/file/083bb90a33710585883ae6bbb7f36437c083a5d889a3e4e3994955a53bfa1be0/analysis/1482557009/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880c101-32a8-4abd-a7c5-4e3d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:37:05.000Z",
|
||
|
"modified": "2017-01-19T13:37:05.000Z",
|
||
|
"description": "Malware dropped (after RAT installation) - Xchecked via VT: 0247b0ecbf6069e38e772ef546e63c46262cc77efe5d004a3ec516baf0e74d87",
|
||
|
"pattern": "[file:hashes.SHA1 = '7547d0ec26695ecd8a9e696b6e1a1e5485330662']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:37:05Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880c102-3094-4160-b109-4b7402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:37:06.000Z",
|
||
|
"modified": "2017-01-19T13:37:06.000Z",
|
||
|
"description": "Malware dropped (after RAT installation) - Xchecked via VT: 0247b0ecbf6069e38e772ef546e63c46262cc77efe5d004a3ec516baf0e74d87",
|
||
|
"pattern": "[file:hashes.MD5 = '7e5dd95f50dd0df531c8bb9069b8f350']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:37:06Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5880c103-9c50-4447-8d6f-4eb202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:37:07.000Z",
|
||
|
"modified": "2017-01-19T13:37:07.000Z",
|
||
|
"first_observed": "2017-01-19T13:37:07Z",
|
||
|
"last_observed": "2017-01-19T13:37:07Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5880c103-9c50-4447-8d6f-4eb202de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5880c103-9c50-4447-8d6f-4eb202de0b81",
|
||
|
"value": "https://www.virustotal.com/file/0247b0ecbf6069e38e772ef546e63c46262cc77efe5d004a3ec516baf0e74d87/analysis/1483722136/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880c103-47c4-4c29-b062-451502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:37:07.000Z",
|
||
|
"modified": "2017-01-19T13:37:07.000Z",
|
||
|
"description": "Malware dropped (after RAT installation) - Xchecked via VT: ac3ade715adafa5784c43f407843bf8889e7c97c4e62239c1b22f07aab2920c9",
|
||
|
"pattern": "[file:hashes.SHA1 = 'bc9d26c387cc938c3c50f2a14042fbf6524f3b9f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:37:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880c104-b694-4afe-96e4-415902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:37:08.000Z",
|
||
|
"modified": "2017-01-19T13:37:08.000Z",
|
||
|
"description": "Malware dropped (after RAT installation) - Xchecked via VT: ac3ade715adafa5784c43f407843bf8889e7c97c4e62239c1b22f07aab2920c9",
|
||
|
"pattern": "[file:hashes.MD5 = 'edc94982e4b857a58947c235acb762f6']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:37:08Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5880c105-8f14-42d1-a7e4-43fd02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:37:09.000Z",
|
||
|
"modified": "2017-01-19T13:37:09.000Z",
|
||
|
"first_observed": "2017-01-19T13:37:09Z",
|
||
|
"last_observed": "2017-01-19T13:37:09Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5880c105-8f14-42d1-a7e4-43fd02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5880c105-8f14-42d1-a7e4-43fd02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/ac3ade715adafa5784c43f407843bf8889e7c97c4e62239c1b22f07aab2920c9/analysis/1484664762/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880c106-6e2c-4db5-b5f7-453202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:37:10.000Z",
|
||
|
"modified": "2017-01-19T13:37:10.000Z",
|
||
|
"description": "Malware dropped (after RAT installation) - Xchecked via VT: 1ae134e146c43891a6e28d917d9cfcf32bb0ff435051261462b57181320b992a",
|
||
|
"pattern": "[file:hashes.SHA1 = '9ae528cd78a02a989fa91c841c5792fff30e7271']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:37:10Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5880c106-c7f0-4262-aea9-4a4802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:37:10.000Z",
|
||
|
"modified": "2017-01-19T13:37:10.000Z",
|
||
|
"description": "Malware dropped (after RAT installation) - Xchecked via VT: 1ae134e146c43891a6e28d917d9cfcf32bb0ff435051261462b57181320b992a",
|
||
|
"pattern": "[file:hashes.MD5 = 'c505995c2c79d7d4f484fc1bba828c9a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-19T13:37:10Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5880c107-5c20-412b-8b7c-4c5802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-19T13:37:11.000Z",
|
||
|
"modified": "2017-01-19T13:37:11.000Z",
|
||
|
"first_observed": "2017-01-19T13:37:11Z",
|
||
|
"last_observed": "2017-01-19T13:37:11Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5880c107-5c20-412b-8b7c-4c5802de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5880c107-5c20-412b-8b7c-4c5802de0b81",
|
||
|
"value": "https://www.virustotal.com/file/1ae134e146c43891a6e28d917d9cfcf32bb0ff435051261462b57181320b992a/analysis/1484297083/"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}