misp-circl-feed/feeds/circl/stix-2.1/595dfe70-4ba8-4f83-8089-4a65950d210f.json

467 lines
20 KiB
JSON
Raw Permalink Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--595dfe70-4ba8-4f83-8089-4a65950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-06T09:15:00.000Z",
"modified": "2017-07-06T09:15:00.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--595dfe70-4ba8-4f83-8089-4a65950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-06T09:15:00.000Z",
"modified": "2017-07-06T09:15:00.000Z",
"name": "OSINT - New KONNI Campaign References North Korean Missile Capabilities",
"published": "2017-07-06T09:15:35Z",
"object_refs": [
"x-misp-attribute--595dfe84-33bc-42b1-8a1c-44ac950d210f",
"observed-data--595dfe98-e904-4afe-8795-4b6b950d210f",
"url--595dfe98-e904-4afe-8795-4b6b950d210f",
"indicator--595dfee2-dd28-4bb6-b9c1-440e950d210f",
"indicator--595dfee2-c87c-42f0-908a-41b3950d210f",
"indicator--595dfee2-103c-457d-8dfe-42e0950d210f",
"indicator--595dfef0-0d74-455f-a505-4b53950d210f",
"indicator--595dff07-cd38-43a2-b8a7-434202de0b81",
"indicator--595dff07-e8f8-4dba-a9c1-455902de0b81",
"observed-data--595dff07-8c58-449a-b220-48fe02de0b81",
"url--595dff07-8c58-449a-b220-48fe02de0b81",
"indicator--595dff07-ed6c-49bb-a884-485f02de0b81",
"indicator--595dff07-f148-4d46-95dc-4bca02de0b81",
"observed-data--595dff07-d464-45bd-ae88-45b002de0b81",
"url--595dff07-d464-45bd-ae88-45b002de0b81",
"indicator--595dff07-5098-4acd-b463-4ca002de0b81",
"indicator--595dff07-7bcc-42b6-a029-421302de0b81",
"observed-data--595dff07-7588-429f-b12d-494902de0b81",
"url--595dff07-7588-429f-b12d-494902de0b81",
"indicator--595dff4d-19a0-49e6-841f-4930950d210f",
"observed-data--595dff77-406c-49a8-83c2-dafc950d210f",
"domain-name--595dff77-406c-49a8-83c2-dafc950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--595dfe84-33bc-42b1-8a1c-44ac950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-06T09:13:10.000Z",
"modified": "2017-07-06T09:13:10.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "We recently wrote about the KONNI Remote Access Trojan (RAT) which has been distributed by a small number of campaigns over the past 3 years. We have identified a new distribution campaign which took place on 4th July. The malware used in this campaign has similar features to that distributed earlier in 2017 with the following changes:\r\nA new decoy document copy/pasted from an article published on the 3rd of July by Yonhap News Agency in Korea;\r\nThe dropper includes a 64 bit version of KONNI;\r\nA new CC infrastructure consisting of a climbing club website.\r\nNorth Korea conducted a test missile launch on 3rd July. This campaign appears to be directly related to the launch and the ensuing discussion of North Korean missile technology. This is consistent with previous KONNI distribution campaigns which have also frequently mentioned North Korea."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--595dfe98-e904-4afe-8795-4b6b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-06T09:13:10.000Z",
"modified": "2017-07-06T09:13:10.000Z",
"first_observed": "2017-07-06T09:13:10Z",
"last_observed": "2017-07-06T09:13:10Z",
"number_observed": 1,
"object_refs": [
"url--595dfe98-e904-4afe-8795-4b6b950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--595dfe98-e904-4afe-8795-4b6b950d210f",
"value": "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595dfee2-dd28-4bb6-b9c1-440e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-06T09:12:39.000Z",
"modified": "2017-07-06T09:12:39.000Z",
"description": "Dropper",
"pattern": "[file:hashes.SHA256 = '33f828ad462c414b149f14f16615ce25bd078630eee36ad953950e0da2e2cc90']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-06T09:12:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595dfee2-c87c-42f0-908a-41b3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-06T09:12:39.000Z",
"modified": "2017-07-06T09:12:39.000Z",
"description": "32 Bit binary",
"pattern": "[file:hashes.SHA256 = '290b1e2415f88fc3dd1d53db3ba90c4a760cf645526c8240af650751b1652b8a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-06T09:12:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595dfee2-103c-457d-8dfe-42e0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-06T09:12:39.000Z",
"modified": "2017-07-06T09:12:39.000Z",
"description": "64 Bit binary",
"pattern": "[file:hashes.SHA256 = '8aef427aba54581f9c3dc923d8464a92b2d4e83cdf0fd6ace00e8035ee2936ad']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-06T09:12:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595dfef0-0d74-455f-a505-4b53950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-06T09:12:39.000Z",
"modified": "2017-07-06T09:12:39.000Z",
"pattern": "[domain-name:value = 'member-daumchk.netai.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-06T09:12:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595dff07-cd38-43a2-b8a7-434202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-06T09:12:39.000Z",
"modified": "2017-07-06T09:12:39.000Z",
"description": "64 Bit binary - Xchecked via VT: 8aef427aba54581f9c3dc923d8464a92b2d4e83cdf0fd6ace00e8035ee2936ad",
"pattern": "[file:hashes.SHA1 = 'fc8e8390fdbfeb6b6db75a932267cb2f9b59c267']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-06T09:12:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595dff07-e8f8-4dba-a9c1-455902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-06T09:12:39.000Z",
"modified": "2017-07-06T09:12:39.000Z",
"description": "64 Bit binary - Xchecked via VT: 8aef427aba54581f9c3dc923d8464a92b2d4e83cdf0fd6ace00e8035ee2936ad",
"pattern": "[file:hashes.MD5 = '4e8c61a21d2b91d1ec1404b5857b1663']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-06T09:12:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--595dff07-8c58-449a-b220-48fe02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-06T09:12:39.000Z",
"modified": "2017-07-06T09:12:39.000Z",
"first_observed": "2017-07-06T09:12:39Z",
"last_observed": "2017-07-06T09:12:39Z",
"number_observed": 1,
"object_refs": [
"url--595dff07-8c58-449a-b220-48fe02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--595dff07-8c58-449a-b220-48fe02de0b81",
"value": "https://www.virustotal.com/file/8aef427aba54581f9c3dc923d8464a92b2d4e83cdf0fd6ace00e8035ee2936ad/analysis/1499151659/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595dff07-ed6c-49bb-a884-485f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-06T09:12:39.000Z",
"modified": "2017-07-06T09:12:39.000Z",
"description": "32 Bit binary - Xchecked via VT: 290b1e2415f88fc3dd1d53db3ba90c4a760cf645526c8240af650751b1652b8a",
"pattern": "[file:hashes.SHA1 = 'ce1e978fc459339e68add4dedb75fb73625571f3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-06T09:12:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595dff07-f148-4d46-95dc-4bca02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-06T09:12:39.000Z",
"modified": "2017-07-06T09:12:39.000Z",
"description": "32 Bit binary - Xchecked via VT: 290b1e2415f88fc3dd1d53db3ba90c4a760cf645526c8240af650751b1652b8a",
"pattern": "[file:hashes.MD5 = 'b691a2a2d56b8b74ed93531820bdead6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-06T09:12:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--595dff07-d464-45bd-ae88-45b002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-06T09:12:39.000Z",
"modified": "2017-07-06T09:12:39.000Z",
"first_observed": "2017-07-06T09:12:39Z",
"last_observed": "2017-07-06T09:12:39Z",
"number_observed": 1,
"object_refs": [
"url--595dff07-d464-45bd-ae88-45b002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--595dff07-d464-45bd-ae88-45b002de0b81",
"value": "https://www.virustotal.com/file/290b1e2415f88fc3dd1d53db3ba90c4a760cf645526c8240af650751b1652b8a/analysis/1499151692/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595dff07-5098-4acd-b463-4ca002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-06T09:12:39.000Z",
"modified": "2017-07-06T09:12:39.000Z",
"description": "Dropper - Xchecked via VT: 33f828ad462c414b149f14f16615ce25bd078630eee36ad953950e0da2e2cc90",
"pattern": "[file:hashes.SHA1 = '400279ca89a2121b6e54a9115a38bca79be9e744']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-06T09:12:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595dff07-7bcc-42b6-a029-421302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-06T09:12:39.000Z",
"modified": "2017-07-06T09:12:39.000Z",
"description": "Dropper - Xchecked via VT: 33f828ad462c414b149f14f16615ce25bd078630eee36ad953950e0da2e2cc90",
"pattern": "[file:hashes.MD5 = 'f4abe28f3c35fa75481ae056d8637574']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-06T09:12:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--595dff07-7588-429f-b12d-494902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-06T09:12:39.000Z",
"modified": "2017-07-06T09:12:39.000Z",
"first_observed": "2017-07-06T09:12:39Z",
"last_observed": "2017-07-06T09:12:39Z",
"number_observed": 1,
"object_refs": [
"url--595dff07-7588-429f-b12d-494902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--595dff07-7588-429f-b12d-494902de0b81",
"value": "https://www.virustotal.com/file/33f828ad462c414b149f14f16615ce25bd078630eee36ad953950e0da2e2cc90/analysis/1499151819/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595dff4d-19a0-49e6-841f-4930950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-06T09:13:49.000Z",
"modified": "2017-07-06T09:13:49.000Z",
"description": "member-daumchk.netai.net",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '145.14.144.230']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-06T09:13:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--595dff77-406c-49a8-83c2-dafc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-06T09:15:00.000Z",
"modified": "2017-07-06T09:15:00.000Z",
"first_observed": "2017-07-06T09:15:00Z",
"last_observed": "2017-07-06T09:15:00Z",
"number_observed": 1,
"object_refs": [
"domain-name--595dff77-406c-49a8-83c2-dafc950d210f"
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--595dff77-406c-49a8-83c2-dafc950d210f",
"value": "donkeytraining.000webhostapp.com"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}