{
"type": "bundle",
"id": "bundle--5935004a-eb44-4393-8e7b-4a86950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:11.000Z",
"modified": "2017-06-05T07:02:11.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5935004a-eb44-4393-8e7b-4a86950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:11.000Z",
"modified": "2017-06-05T07:02:11.000Z",
"name": "OSINT - Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads",
"published": "2017-06-05T07:03:28Z",
"object_refs": [
"observed-data--59350055-54cc-457d-89f8-41e2950d210f",
"url--59350055-54cc-457d-89f8-41e2950d210f",
"x-misp-attribute--5935006c-a094-4d05-a611-4bcd950d210f",
"indicator--5935007c-f8b0-4b8f-9a56-41fd950d210f",
"indicator--5935007d-4268-42e0-9fda-4064950d210f",
"indicator--593500ad-f8a8-4f0e-b785-47c0950d210f",
"indicator--593500ad-1b5c-4d90-b9c8-44a4950d210f",
"indicator--593500dd-83bc-47ef-9823-4ee9950d210f",
"indicator--593500de-84f0-48dd-9a18-491b950d210f",
"indicator--593500de-2280-4f00-a7ee-4fdc950d210f",
"indicator--593501f8-c548-4d1c-a134-4eef02de0b81",
"indicator--593501f8-f3ac-4cc5-8bb6-4f0402de0b81",
"observed-data--593501f9-dd30-4e05-9460-456502de0b81",
"url--593501f9-dd30-4e05-9460-456502de0b81",
"indicator--593501f9-d36c-44f2-8b0c-45e702de0b81",
"indicator--593501fa-f060-4bd9-af1c-477e02de0b81",
"observed-data--593501fa-e124-4a10-8553-45c102de0b81",
"url--593501fa-e124-4a10-8553-45c102de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"ETERNALBLUE\"",
"misp-galaxy:tool=\"gh0st\"",
"ms-caro-malware-full:malware-family=\"Nitol\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59350055-54cc-457d-89f8-41e2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:11.000Z",
"modified": "2017-06-05T07:02:11.000Z",
"first_observed": "2017-06-05T07:02:11Z",
"last_observed": "2017-06-05T07:02:11Z",
"number_observed": 1,
"object_refs": [
"url--59350055-54cc-457d-89f8-41e2950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59350055-54cc-457d-89f8-41e2950d210f",
"value": "https://www.fireeye.com/blog/threat-research/2017/05/threat-actors-leverage-eternalblue-exploit-to-deliver-non-wannacry-payloads.html"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5935006c-a094-4d05-a611-4bcd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:11.000Z",
"modified": "2017-06-05T07:02:11.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "The \u201cEternalBlue\u201d exploit (MS017-010) was initially used by WannaCry ransomware and Adylkuzz cryptocurrency miner. Now more threat actors are leveraging the vulnerability in Microsoft Server Message Block (SMB) protocol \u2013 this time to distribute Backdoor.Nitol and Trojan Gh0st RAT.\r\n\r\nFireEye Dynamic Threat Intelligence (DTI) has historically observed similar payloads delivered via exploitation of CVE-2014-6332 vulnerability as well as in some email spam campaigns using powershell commands. Specifically, Backdoor.Nitol has also been linked to campaigns involving a remote code execution vulnerability using the ADODB.Stream ActiveX Object that affects older versions of Internet Explorer. Both payloads have previously been involved in targeted cyber-attacks against the aerospace and defense industry."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5935007c-f8b0-4b8f-9a56-41fd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:11.000Z",
"modified": "2017-06-05T07:02:11.000Z",
"pattern": "[file:hashes.SHA256 = 'cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-05T07:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5935007d-4268-42e0-9fda-4064950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:11.000Z",
"modified": "2017-06-05T07:02:11.000Z",
"pattern": "[file:hashes.SHA256 = '4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-05T07:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--593500ad-f8a8-4f0e-b785-47c0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:11.000Z",
"modified": "2017-06-05T07:02:11.000Z",
"description": "On port 45988 - taskmgr.exe (Nitol)",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '121.201.9.204' AND network-traffic:dst_port = '45988']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-05T07:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--593500ad-1b5c-4d90-b9c8-44a4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:11.000Z",
"modified": "2017-06-05T07:02:11.000Z",
"description": "On port 1541 - systemUpdate.exe (Gh0st)",
"pattern": "[domain-name:value = 'beiyeye.401hk.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-05T07:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--593500dd-83bc-47ef-9823-4ee9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:11.000Z",
"modified": "2017-06-05T07:02:11.000Z",
"description": "C2 - (Nitol)",
"pattern": "[domain-name:value = 'hackqz.f3322.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-05T07:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--593500de-84f0-48dd-9a18-491b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:11.000Z",
"modified": "2017-06-05T07:02:11.000Z",
"description": "C2 - On port 8880",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '120.209.40.157' AND network-traffic:dst_port = '8880']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-05T07:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--593500de-2280-4f00-a7ee-4fdc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:11.000Z",
"modified": "2017-06-05T07:02:11.000Z",
"description": "C2 (Gh0st)",
"pattern": "[domain-name:value = 'bj6po.a1free9bird.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-05T07:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--593501f8-c548-4d1c-a134-4eef02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:16.000Z",
"modified": "2017-06-05T07:02:16.000Z",
"description": "- Xchecked via VT: 4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309",
"pattern": "[file:hashes.SHA1 = '220c140c6dc21b39c7ef804a87186ff4a34af1f3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-05T07:02:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--593501f8-f3ac-4cc5-8bb6-4f0402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:16.000Z",
"modified": "2017-06-05T07:02:16.000Z",
"description": "- Xchecked via VT: 4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309",
"pattern": "[file:hashes.MD5 = 'b43006d33d0d33cd4e45f2e761358953']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-05T07:02:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--593501f9-dd30-4e05-9460-456502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:17.000Z",
"modified": "2017-06-05T07:02:17.000Z",
"first_observed": "2017-06-05T07:02:17Z",
"last_observed": "2017-06-05T07:02:17Z",
"number_observed": 1,
"object_refs": [
"url--593501f9-dd30-4e05-9460-456502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--593501f9-dd30-4e05-9460-456502de0b81",
"value": "https://www.virustotal.com/file/4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309/analysis/1495688434/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--593501f9-d36c-44f2-8b0c-45e702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:17.000Z",
"modified": "2017-06-05T07:02:17.000Z",
"description": "- Xchecked via VT: cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946",
"pattern": "[file:hashes.SHA1 = 'd6f2548e58bd3e3de8c64bba9cdb8f18a66aef36']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-05T07:02:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--593501fa-f060-4bd9-af1c-477e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:18.000Z",
"modified": "2017-06-05T07:02:18.000Z",
"description": "- Xchecked via VT: cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946",
"pattern": "[file:hashes.MD5 = '863877867a84bdb28148c6d871ccf94f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-05T07:02:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--593501fa-e124-4a10-8553-45c102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:18.000Z",
"modified": "2017-06-05T07:02:18.000Z",
"first_observed": "2017-06-05T07:02:18Z",
"last_observed": "2017-06-05T07:02:18Z",
"number_observed": 1,
"object_refs": [
"url--593501fa-e124-4a10-8553-45c102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--593501fa-e124-4a10-8553-45c102de0b81",
"value": "https://www.virustotal.com/file/cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946/analysis/1496639055/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}