432 lines
18 KiB
JSON
432 lines
18 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--595c89fd-d638-433e-b586-4a60950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-06T07:48:26.000Z",
|
||
|
"modified": "2017-07-06T07:48:26.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--595c89fd-d638-433e-b586-4a60950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-06T07:48:26.000Z",
|
||
|
"modified": "2017-07-06T07:48:26.000Z",
|
||
|
"name": "OSINT - Analysis of TeleBots\u00e2\u20ac\u2122 cunning backdoor",
|
||
|
"published": "2017-07-06T07:48:29Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--595c8a1b-87b0-47d3-b8c1-4488950d210f",
|
||
|
"url--595c8a1b-87b0-47d3-b8c1-4488950d210f",
|
||
|
"x-misp-attribute--595c8a34-a9c8-4848-9d2a-4059950d210f",
|
||
|
"x-misp-attribute--595c8a44-7348-442b-ad78-4150950d210f",
|
||
|
"observed-data--595c8a55-dea4-4b76-91d5-4095950d210f",
|
||
|
"domain-name--595c8a55-dea4-4b76-91d5-4095950d210f",
|
||
|
"indicator--595c8a67-f748-4d4b-9e6d-4231950d210f",
|
||
|
"indicator--595c8a67-f3e8-4c1f-92ef-49aa950d210f",
|
||
|
"indicator--595c8a67-873c-4735-a362-4f7d950d210f",
|
||
|
"indicator--595c8b18-cad4-4836-b9f1-4c8702de0b81",
|
||
|
"indicator--595c8b18-1e74-4a88-adfa-492802de0b81",
|
||
|
"observed-data--595c8b18-58b0-4e77-a3b9-4b5402de0b81",
|
||
|
"url--595c8b18-58b0-4e77-a3b9-4b5402de0b81",
|
||
|
"indicator--595c8b18-85d0-48bd-8690-430602de0b81",
|
||
|
"indicator--595c8b18-04d4-4133-b4c6-4b5502de0b81",
|
||
|
"observed-data--595c8b18-8d78-458a-bde0-43b902de0b81",
|
||
|
"url--595c8b18-8d78-458a-bde0-43b902de0b81",
|
||
|
"indicator--595c8b18-91b0-46d6-90d4-415602de0b81",
|
||
|
"indicator--595c8b18-0f48-4815-988c-4cbf02de0b81",
|
||
|
"observed-data--595c8b18-5990-458f-a79b-440b02de0b81",
|
||
|
"url--595c8b18-5990-458f-a79b-440b02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--595c8a1b-87b0-47d3-b8c1-4488950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T06:47:03.000Z",
|
||
|
"modified": "2017-07-05T06:47:03.000Z",
|
||
|
"first_observed": "2017-07-05T06:47:03Z",
|
||
|
"last_observed": "2017-07-05T06:47:03Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--595c8a1b-87b0-47d3-b8c1-4488950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--595c8a1b-87b0-47d3-b8c1-4488950d210f",
|
||
|
"value": "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--595c8a34-a9c8-4848-9d2a-4059950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T06:47:03.000Z",
|
||
|
"modified": "2017-07-05T06:47:03.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "On the 27th of June 2017, a new cyberattack hit many computer systems in Ukraine, as well as in other countries. That attack was spearheaded by the malware ESET products detect as Diskcoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya). This malware masquerades as typical ransomware: it encrypts the data on the computer and demands $300 bitcoins for recovery. In fact, the malware authors\u00e2\u20ac\u2122 intention was to cause damage, so they did all that they could to make data decryption very unlikely.\r\nIn our previous blogpost, we attributed this attack to the TeleBots group and uncovered details about other similar supply chain attacks against Ukraine. This article reveals details about the initial distribution vector that was used during the DiskCoder.C outbreak."
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--595c8a44-7348-442b-ad78-4150950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T06:45:44.000Z",
|
||
|
"modified": "2017-07-05T06:45:44.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"Antivirus detection\""
|
||
|
],
|
||
|
"x_misp_category": "Antivirus detection",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "MSIL/TeleDoor.A"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--595c8a55-dea4-4b76-91d5-4095950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T06:45:44.000Z",
|
||
|
"modified": "2017-07-05T06:45:44.000Z",
|
||
|
"first_observed": "2017-07-05T06:45:44Z",
|
||
|
"last_observed": "2017-07-05T06:45:44Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"domain-name--595c8a55-dea4-4b76-91d5-4095950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "domain-name",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "domain-name--595c8a55-dea4-4b76-91d5-4095950d210f",
|
||
|
"value": "upd.me-doc.com.ua"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595c8a67-f748-4d4b-9e6d-4231950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T06:45:44.000Z",
|
||
|
"modified": "2017-07-05T06:45:44.000Z",
|
||
|
"pattern": "[file:hashes.SHA1 = '7b051e7e7a82f07873fa360958acc6492e4385dd']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T06:45:44Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595c8a67-f3e8-4c1f-92ef-49aa950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T06:45:44.000Z",
|
||
|
"modified": "2017-07-05T06:45:44.000Z",
|
||
|
"pattern": "[file:hashes.SHA1 = '7f3b1c56c180369ae7891483675bec61f3182f27']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T06:45:44Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595c8a67-873c-4735-a362-4f7d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T06:45:44.000Z",
|
||
|
"modified": "2017-07-05T06:45:44.000Z",
|
||
|
"pattern": "[file:hashes.SHA1 = '3567434e2e49358e8210674641a20b147e0bd23c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T06:45:44Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595c8b18-cad4-4836-b9f1-4c8702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T06:45:44.000Z",
|
||
|
"modified": "2017-07-05T06:45:44.000Z",
|
||
|
"description": "- Xchecked via VT: 3567434e2e49358e8210674641a20b147e0bd23c",
|
||
|
"pattern": "[file:hashes.SHA256 = '2fd2863d711a1f18eeee5c7c82f2349c5d4e00465de9789da837fcdca4d00277']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T06:45:44Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595c8b18-1e74-4a88-adfa-492802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T06:45:44.000Z",
|
||
|
"modified": "2017-07-05T06:45:44.000Z",
|
||
|
"description": "- Xchecked via VT: 3567434e2e49358e8210674641a20b147e0bd23c",
|
||
|
"pattern": "[file:hashes.MD5 = '3efe62f6cb7285153114f888900a0962']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T06:45:44Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--595c8b18-58b0-4e77-a3b9-4b5402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T06:45:44.000Z",
|
||
|
"modified": "2017-07-05T06:45:44.000Z",
|
||
|
"first_observed": "2017-07-05T06:45:44Z",
|
||
|
"last_observed": "2017-07-05T06:45:44Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--595c8b18-58b0-4e77-a3b9-4b5402de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--595c8b18-58b0-4e77-a3b9-4b5402de0b81",
|
||
|
"value": "https://www.virustotal.com/file/2fd2863d711a1f18eeee5c7c82f2349c5d4e00465de9789da837fcdca4d00277/analysis/1499236176/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595c8b18-85d0-48bd-8690-430602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T06:45:44.000Z",
|
||
|
"modified": "2017-07-05T06:45:44.000Z",
|
||
|
"description": "- Xchecked via VT: 7f3b1c56c180369ae7891483675bec61f3182f27",
|
||
|
"pattern": "[file:hashes.SHA256 = 'd462966166450416d6addd3bfdf48590f8440dd80fc571a389023b7c860ca3ac']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T06:45:44Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595c8b18-04d4-4133-b4c6-4b5502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T06:45:44.000Z",
|
||
|
"modified": "2017-07-05T06:45:44.000Z",
|
||
|
"description": "- Xchecked via VT: 7f3b1c56c180369ae7891483675bec61f3182f27",
|
||
|
"pattern": "[file:hashes.MD5 = '87db6af04613f4bd70467720239117e5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T06:45:44Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--595c8b18-8d78-458a-bde0-43b902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T06:45:44.000Z",
|
||
|
"modified": "2017-07-05T06:45:44.000Z",
|
||
|
"first_observed": "2017-07-05T06:45:44Z",
|
||
|
"last_observed": "2017-07-05T06:45:44Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--595c8b18-8d78-458a-bde0-43b902de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--595c8b18-8d78-458a-bde0-43b902de0b81",
|
||
|
"value": "https://www.virustotal.com/file/d462966166450416d6addd3bfdf48590f8440dd80fc571a389023b7c860ca3ac/analysis/1499232770/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595c8b18-91b0-46d6-90d4-415602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T06:45:44.000Z",
|
||
|
"modified": "2017-07-05T06:45:44.000Z",
|
||
|
"description": "- Xchecked via VT: 7b051e7e7a82f07873fa360958acc6492e4385dd",
|
||
|
"pattern": "[file:hashes.SHA256 = 'f9d6fe8bd8aca6528dec7eaa9f1aafbecde15fd61668182f2ba8a7fc2b9a6740']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T06:45:44Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595c8b18-0f48-4815-988c-4cbf02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T06:45:44.000Z",
|
||
|
"modified": "2017-07-05T06:45:44.000Z",
|
||
|
"description": "- Xchecked via VT: 7b051e7e7a82f07873fa360958acc6492e4385dd",
|
||
|
"pattern": "[file:hashes.MD5 = '8f5718be4ba2c6e4f8ce1597248bb03f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T06:45:44Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--595c8b18-5990-458f-a79b-440b02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T06:45:44.000Z",
|
||
|
"modified": "2017-07-05T06:45:44.000Z",
|
||
|
"first_observed": "2017-07-05T06:45:44Z",
|
||
|
"last_observed": "2017-07-05T06:45:44Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--595c8b18-5990-458f-a79b-440b02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--595c8b18-5990-458f-a79b-440b02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/f9d6fe8bd8aca6528dec7eaa9f1aafbecde15fd61668182f2ba8a7fc2b9a6740/analysis/1499234664/"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|