{
"type": "bundle",
"id": "bundle--5c812baa-d614-4f99-88e0-426d950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:54:20.000Z",
"modified": "2019-03-07T14:54:20.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5c812baa-d614-4f99-88e0-426d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:54:20.000Z",
"modified": "2019-03-07T14:54:20.000Z",
"name": "OSINT - New SLUB Backdoor Uses GitHub, Communicates via Slack",
"published": "2019-03-07T14:54:40Z",
"object_refs": [
"observed-data--5c812bb7-f9a4-4e40-8386-2d92950d210f",
"url--5c812bb7-f9a4-4e40-8386-2d92950d210f",
"x-misp-attribute--5c812bd5-5ff0-4398-aa70-44d7950d210f",
"vulnerability--5c812c3b-92e4-4dca-ae5d-423f950d210f",
"observed-data--5c812c61-3fb8-4dd4-a066-426f950d210f",
"file--5c812c61-3fb8-4dd4-a066-426f950d210f",
"artifact--5c812c61-3fb8-4dd4-a066-426f950d210f",
"observed-data--5c812ca0-4fb4-4e00-89a3-424b950d210f",
"file--5c812ca0-4fb4-4e00-89a3-424b950d210f",
"artifact--5c812ca0-4fb4-4e00-89a3-424b950d210f",
"indicator--5c812cd9-3bd0-4fb8-aebf-426f950d210f",
"indicator--5c812e19-f324-4fb4-8321-41b2950d210f",
"indicator--5c812e19-02cc-4e58-ad6f-4531950d210f",
"indicator--caa8ad96-cb54-41af-87e6-0d652834620b",
"x-misp-object--e326acd3-60af-46c8-bdb0-e3879b6dea8b",
"indicator--4712ac16-d976-47b2-8e95-99e0fbbfb94a",
"x-misp-object--ae0fe876-57e2-4670-8a0d-d6fed9a7d0d3",
"relationship--3e12e573-0684-4421-8407-1ab705cb2f4e",
"relationship--c16225bd-3917-4d45-8520-48b40b2f28bc"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Alternative Protocol - T1048\"",
"misp-galaxy:mitre-attack-pattern=\"Scripting - T1064\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5c812bb7-f9a4-4e40-8386-2d92950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:33:27.000Z",
"modified": "2019-03-07T14:33:27.000Z",
"first_observed": "2019-03-07T14:33:27Z",
"last_observed": "2019-03-07T14:33:27Z",
"number_observed": 1,
"object_refs": [
"url--5c812bb7-f9a4-4e40-8386-2d92950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5c812bb7-f9a4-4e40-8386-2d92950d210f",
"value": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5c812bd5-5ff0-4398-aa70-44d7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:33:57.000Z",
"modified": "2019-03-07T14:33:57.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "We recently came across a previously unknown malware that piqued our interest in multiple ways. For starters, we discovered it being spread via watering hole attacks, a technique that involves an attacker compromising a website before adding code to it so visitors are redirected to the infecting code. In this case, each visitor is redirected only once. The infection was done by exploiting CVE-2018-8174, a VBScript engine vulnerability that was patched by Microsoft back in May 2018.\r\n\r\nSecond, it uses a multi-stage infection scheme. After it exploits the vulnerability, it downloads a DLL and runs it in PowerShell (PS). This file, which is a downloader, then downloads and runs the second executable file containing a backdoor. The first stage downloader also checks for the existence of different kinds of antivirus software processes, and then proceeds to exit if any is found. At the time of discovery, the backdoor was seemingly unknown to AV products.\r\n\r\nIn addition to the previously mentioned facts, we quickly noticed that the malware was connecting to the Slack platform, a collaborative messaging system that lets users create and use their own workspaces through the use of channels, similar to the IRC chatting system. We found this quite interesting, since we haven\u2019t observed any malware to date that communicates using Slack.\r\n\r\nOur technical investigation and analysis of the attacker\u2019s tools, techniques, and procedures (TTP) lead us to think that this threat is actually a stealthy targeted attack run by capable actors, and not a typical cybercriminal scheme.\r\n\r\nNote that as soon as this malware was discovered, we informed the Canadian Centre for Cyber Security, which acts as Canada\u2019s National Computer Security Incident Response Team (CSIRT). The Cyber Centre alerted the site operator, helped them understand the malware that was found, and offered mitigation advice."
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5c812c3b-92e4-4dca-ae5d-423f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:35:39.000Z",
"modified": "2019-03-07T14:35:39.000Z",
"name": "CVE-2018-8174",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2018-8174"
}
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5c812c61-3fb8-4dd4-a066-426f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:36:17.000Z",
"modified": "2019-03-07T14:36:17.000Z",
"first_observed": "2019-03-07T14:36:17Z",
"last_observed": "2019-03-07T14:36:17Z",
"number_observed": 1,
"object_refs": [
"file--5c812c61-3fb8-4dd4-a066-426f950d210f",
"artifact--5c812c61-3fb8-4dd4-a066-426f950d210f"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5c812c61-3fb8-4dd4-a066-426f950d210f",
"name": "SLUB-Figure-5-1.jpg",
"content_ref": "artifact--5c812c61-3fb8-4dd4-a066-426f950d210f"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5c812c61-3fb8-4dd4-a066-426f950d210f",
"payload_bin": "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
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5c812ca0-4fb4-4e00-89a3-424b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:37:20.000Z",
"modified": "2019-03-07T14:37:20.000Z",
"first_observed": "2019-03-07T14:37:20Z",
"last_observed": "2019-03-07T14:37:20Z",
"number_observed": 1,
"object_refs": [
"file--5c812ca0-4fb4-4e00-89a3-424b950d210f",
"artifact--5c812ca0-4fb4-4e00-89a3-424b950d210f"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5c812ca0-4fb4-4e00-89a3-424b950d210f",
"name": "SLUB-Figure-9.jpg",
"content_ref": "artifact--5c812ca0-4fb4-4e00-89a3-424b950d210f"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5c812ca0-4fb4-4e00-89a3-424b950d210f",
"payload_bin": "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
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c812cd9-3bd0-4fb8-aebf-426f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:38:17.000Z",
"modified": "2019-03-07T14:38:17.000Z",
"pattern": "[url:value = 'https://gist.github.com/kancc14522/626a3a68a2cc2a91c1ece1eed7610c8a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-07T14:38:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c812e19-f324-4fb4-8321-41b2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:43:37.000Z",
"modified": "2019-03-07T14:43:37.000Z",
"description": "Trojan.Win32.CVE20151701.E",
"pattern": "[file:hashes.SHA256 = '3ba00114d0ae766cf77edcdcc953ec6ee7527181968c02d4ffc36b9f89c4ebc7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-07T14:43:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c812e19-02cc-4e58-ad6f-4531950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:43:37.000Z",
"modified": "2019-03-07T14:43:37.000Z",
"description": "Backdoor.Win32.SLUB.A",
"pattern": "[file:hashes.SHA256 = '43221eb160733ea694b4fdda70e7eab4a86d59c5f9749fd2f9b71783e5da6dd7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-07T14:43:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--caa8ad96-cb54-41af-87e6-0d652834620b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:43:58.000Z",
"modified": "2019-03-07T14:43:58.000Z",
"pattern": "[file:hashes.MD5 = '142ea550d65fbd90cc2a47aeaef0c210' AND file:hashes.SHA1 = 'e092e130a0627015331c3d3e0265befd65c167b4' AND file:hashes.SHA256 = '3ba00114d0ae766cf77edcdcc953ec6ee7527181968c02d4ffc36b9f89c4ebc7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-07T14:43:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--e326acd3-60af-46c8-bdb0-e3879b6dea8b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:43:59.000Z",
"modified": "2019-03-07T14:43:59.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-03-01T01:49:19",
"category": "Other",
"comment": "Trojan.Win32.CVE20151701.E",
"uuid": "40be40ac-66c7-45ea-a2d7-0ffaea92ce0a"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/3ba00114d0ae766cf77edcdcc953ec6ee7527181968c02d4ffc36b9f89c4ebc7/analysis/1551404959/",
"category": "Payload delivery",
"comment": "Trojan.Win32.CVE20151701.E",
"uuid": "442cf993-0cb9-48a6-8bb1-e1ab6fcb3a0a"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "32/63",
"category": "Payload delivery",
"comment": "Trojan.Win32.CVE20151701.E",
"uuid": "49b64f75-c33f-42ab-a43d-8ea7bfafbe12"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4712ac16-d976-47b2-8e95-99e0fbbfb94a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:44:00.000Z",
"modified": "2019-03-07T14:44:00.000Z",
"pattern": "[file:hashes.MD5 = 'f3004ddaef5b8c18883e716dda966141' AND file:hashes.SHA1 = '786e366ab9edbbba315ee1cc0de12132b107ba9c' AND file:hashes.SHA256 = '43221eb160733ea694b4fdda70e7eab4a86d59c5f9749fd2f9b71783e5da6dd7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-07T14:44:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--ae0fe876-57e2-4670-8a0d-d6fed9a7d0d3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:44:00.000Z",
"modified": "2019-03-07T14:44:00.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-03-06T16:37:38",
"category": "Other",
"comment": "Backdoor.Win32.SLUB.A",
"uuid": "a77369bd-22fd-4be7-883e-933bd72867cc"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/43221eb160733ea694b4fdda70e7eab4a86d59c5f9749fd2f9b71783e5da6dd7/analysis/1551890258/",
"category": "Payload delivery",
"comment": "Backdoor.Win32.SLUB.A",
"uuid": "81801a81-6192-4cfb-8aaf-ead1f36da2e8"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "7/69",
"category": "Payload delivery",
"comment": "Backdoor.Win32.SLUB.A",
"uuid": "a1fe3994-9403-415e-b117-30f4b38e65d4"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--3e12e573-0684-4421-8407-1ab705cb2f4e",
"created": "2019-03-07T14:44:00.000Z",
"modified": "2019-03-07T14:44:00.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--caa8ad96-cb54-41af-87e6-0d652834620b",
"target_ref": "x-misp-object--e326acd3-60af-46c8-bdb0-e3879b6dea8b"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c16225bd-3917-4d45-8520-48b40b2f28bc",
"created": "2019-03-07T14:44:00.000Z",
"modified": "2019-03-07T14:44:00.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--4712ac16-d976-47b2-8e95-99e0fbbfb94a",
"target_ref": "x-misp-object--ae0fe876-57e2-4670-8a0d-d6fed9a7d0d3"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}