misp-circl-feed/feeds/circl/stix-2.1/5935004a-eb44-4393-8e7b-4a86950d210f.json

{
"type": "bundle",
"id": "bundle--5935004a-eb44-4393-8e7b-4a86950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:11.000Z",
"modified": "2017-06-05T07:02:11.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5935004a-eb44-4393-8e7b-4a86950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:11.000Z",
"modified": "2017-06-05T07:02:11.000Z",
"name": "OSINT - Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads",
"published": "2017-06-05T07:03:28Z",
"object_refs": [
"observed-data--59350055-54cc-457d-89f8-41e2950d210f",
"url--59350055-54cc-457d-89f8-41e2950d210f",
"x-misp-attribute--5935006c-a094-4d05-a611-4bcd950d210f",
"indicator--5935007c-f8b0-4b8f-9a56-41fd950d210f",
"indicator--5935007d-4268-42e0-9fda-4064950d210f",
"indicator--593500ad-f8a8-4f0e-b785-47c0950d210f",
"indicator--593500ad-1b5c-4d90-b9c8-44a4950d210f",
"indicator--593500dd-83bc-47ef-9823-4ee9950d210f",
"indicator--593500de-84f0-48dd-9a18-491b950d210f",
"indicator--593500de-2280-4f00-a7ee-4fdc950d210f",
"indicator--593501f8-c548-4d1c-a134-4eef02de0b81",
"indicator--593501f8-f3ac-4cc5-8bb6-4f0402de0b81",
"observed-data--593501f9-dd30-4e05-9460-456502de0b81",
"url--593501f9-dd30-4e05-9460-456502de0b81",
"indicator--593501f9-d36c-44f2-8b0c-45e702de0b81",
"indicator--593501fa-f060-4bd9-af1c-477e02de0b81",
"observed-data--593501fa-e124-4a10-8553-45c102de0b81",
"url--593501fa-e124-4a10-8553-45c102de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"ETERNALBLUE\"",
"misp-galaxy:tool=\"gh0st\"",
"ms-caro-malware-full:malware-family=\"Nitol\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59350055-54cc-457d-89f8-41e2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:11.000Z",
"modified": "2017-06-05T07:02:11.000Z",
"first_observed": "2017-06-05T07:02:11Z",
"last_observed": "2017-06-05T07:02:11Z",
"number_observed": 1,
"object_refs": [
"url--59350055-54cc-457d-89f8-41e2950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59350055-54cc-457d-89f8-41e2950d210f",
"value": "https://www.fireeye.com/blog/threat-research/2017/05/threat-actors-leverage-eternalblue-exploit-to-deliver-non-wannacry-payloads.html"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5935006c-a094-4d05-a611-4bcd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:11.000Z",
"modified": "2017-06-05T07:02:11.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "The \u201cEternalBlue\u201d exploit (MS017-010) was initially used by WannaCry ransomware and Adylkuzz cryptocurrency miner. Now more threat actors are leveraging the vulnerability in Microsoft Server Message Block (SMB) protocol \u2013 this time to distribute Backdoor.Nitol and Trojan Gh0st RAT.\r\n\r\nFireEye Dynamic Threat Intelligence (DTI) has historically observed similar payloads delivered via exploitation of CVE-2014-6332 vulnerability as well as in some email spam campaigns using powershell commands. Specifically, Backdoor.Nitol has also been linked to campaigns involving a remote code execution vulnerability using the ADODB.Stream ActiveX Object that affects older versions of Internet Explorer. Both payloads have previously been involved in targeted cyber-attacks against the aerospace and defense industry."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5935007c-f8b0-4b8f-9a56-41fd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:11.000Z",
"modified": "2017-06-05T07:02:11.000Z",
"pattern": "[file:hashes.SHA256 = 'cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-05T07:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5935007d-4268-42e0-9fda-4064950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:11.000Z",
"modified": "2017-06-05T07:02:11.000Z",
"pattern": "[file:hashes.SHA256 = '4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-05T07:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--593500ad-f8a8-4f0e-b785-47c0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:11.000Z",
"modified": "2017-06-05T07:02:11.000Z",
"description": "On port 45988 - taskmgr.exe (Nitol)",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '121.201.9.204' AND network-traffic:dst_port = '45988']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-05T07:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--593500ad-1b5c-4d90-b9c8-44a4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:11.000Z",
"modified": "2017-06-05T07:02:11.000Z",
"description": "On port 1541 - systemUpdate.exe (Gh0st)",
"pattern": "[domain-name:value = 'beiyeye.401hk.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-05T07:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--593500dd-83bc-47ef-9823-4ee9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:11.000Z",
"modified": "2017-06-05T07:02:11.000Z",
"description": "C2 - (Nitol)",
"pattern": "[domain-name:value = 'hackqz.f3322.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-05T07:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--593500de-84f0-48dd-9a18-491b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:11.000Z",
"modified": "2017-06-05T07:02:11.000Z",
"description": "C2 - On port 8880",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '120.209.40.157' AND network-traffic:dst_port = '8880']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-05T07:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--593500de-2280-4f00-a7ee-4fdc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:11.000Z",
"modified": "2017-06-05T07:02:11.000Z",
"description": "C2 (Gh0st)",
"pattern": "[domain-name:value = 'bj6po.a1free9bird.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-05T07:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--593501f8-c548-4d1c-a134-4eef02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:16.000Z",
"modified": "2017-06-05T07:02:16.000Z",
"description": "- Xchecked via VT: 4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309",
"pattern": "[file:hashes.SHA1 = '220c140c6dc21b39c7ef804a87186ff4a34af1f3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-05T07:02:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--593501f8-f3ac-4cc5-8bb6-4f0402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:16.000Z",
"modified": "2017-06-05T07:02:16.000Z",
"description": "- Xchecked via VT: 4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309",
"pattern": "[file:hashes.MD5 = 'b43006d33d0d33cd4e45f2e761358953']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-05T07:02:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--593501f9-dd30-4e05-9460-456502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:17.000Z",
"modified": "2017-06-05T07:02:17.000Z",
"first_observed": "2017-06-05T07:02:17Z",
"last_observed": "2017-06-05T07:02:17Z",
"number_observed": 1,
"object_refs": [
"url--593501f9-dd30-4e05-9460-456502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--593501f9-dd30-4e05-9460-456502de0b81",
"value": "https://www.virustotal.com/file/4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309/analysis/1495688434/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--593501f9-d36c-44f2-8b0c-45e702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:17.000Z",
"modified": "2017-06-05T07:02:17.000Z",
"description": "- Xchecked via VT: cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946",
"pattern": "[file:hashes.SHA1 = 'd6f2548e58bd3e3de8c64bba9cdb8f18a66aef36']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-05T07:02:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--593501fa-f060-4bd9-af1c-477e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:18.000Z",
"modified": "2017-06-05T07:02:18.000Z",
"description": "- Xchecked via VT: cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946",
"pattern": "[file:hashes.MD5 = '863877867a84bdb28148c6d871ccf94f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-05T07:02:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--593501fa-e124-4a10-8553-45c102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-05T07:02:18.000Z",
"modified": "2017-06-05T07:02:18.000Z",
"first_observed": "2017-06-05T07:02:18Z",
"last_observed": "2017-06-05T07:02:18Z",
"number_observed": 1,
"object_refs": [
"url--593501fa-e124-4a10-8553-45c102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--593501fa-e124-4a10-8553-45c102de0b81",
"value": "https://www.virustotal.com/file/cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946/analysis/1496639055/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}