misp-circl-feed/feeds/circl/stix-2.1/621f4e53-cd54-4194-8d8f-4a6e0abe1822.json

266 lines
13 KiB
JSON
Raw Permalink Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--621f4e53-cd54-4194-8d8f-4a6e0abe1822",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
"created": "2022-10-04T10:50:55.000Z",
"modified": "2022-10-04T10:50:55.000Z",
"name": "CERT-FR_1510",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--621f4e53-cd54-4194-8d8f-4a6e0abe1822",
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
"created": "2022-10-04T10:50:55.000Z",
"modified": "2022-10-04T10:50:55.000Z",
"name": "[ESET] IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine",
"published": "2022-03-03T09:40:22Z",
"object_refs": [
"x-misp-attribute--8ff8162a-1965-4bfb-bc15-d49b47d66c4d",
"indicator--3d6dc0a1-13a0-4271-83e2-8a7f772feb8a",
"indicator--e1aa2325-e0e4-46b3-ab9e-970f7e5913c7",
"indicator--4a2b5c85-f132-4cb3-8416-657cfe948d39",
"indicator--b14c46e5-412f-4630-99b6-4c69e850267d",
"indicator--20e73d21-8aed-43e2-b5bb-1fb549206762",
"indicator--e0bfa427-7b38-41bb-ae0a-80e4825e1f0e",
"indicator--710d4708-ecbb-4073-a348-9a1824802410",
"indicator--d26acfcb-6054-44d8-a31d-17e9551336b9"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"fr-classif:non-classifiees=\"NON-CLASSIFIEES\"",
"cossi:TLP=\"white\"",
"cossi:RechercheSourceOuverte=\"Autorisee\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--8ff8162a-1965-4bfb-bc15-d49b47d66c4d",
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
"created": "2022-03-02T11:00:35.000Z",
"modified": "2022-03-02T11:00:35.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"Other\"",
"misp:to_ids=\"True\"",
"DescriptionTechnique"
],
"x_misp_category": "Other",
"x_misp_type": "comment",
"x_misp_value": "Marqueurs issus d'un blog post pr\u00e9sentant un maliciel destructeur, IsaacWiper, ainsi qu'un m\u00e9canisme de propagation utilis\u00e9 par HermeticWiper utilisant notamment du WMI et du SMB."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3d6dc0a1-13a0-4271-83e2-8a7f772feb8a",
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
"created": "2022-03-02T11:00:35.000Z",
"modified": "2022-03-02T11:00:35.000Z",
"description": "HermeticWizard",
"pattern": "[file:hashes.SHA1 = '3c54c9a49a8ddca02189fe15fea52fe24f41a86f' AND file:name = 'c9EEAF78C9A12.dat']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-03-02T11:00:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e1aa2325-e0e4-46b3-ab9e-970f7e5913c7",
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
"created": "2022-03-02T11:00:35.000Z",
"modified": "2022-03-02T11:00:35.000Z",
"description": "IsaacWiper",
"pattern": "[file:hashes.SHA1 = 'ad602039c6f0237d4a997d5640e92ce5e2b3bba3' AND file:name = 'cl64.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-03-02T11:00:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4a2b5c85-f132-4cb3-8416-657cfe948d39",
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
"created": "2022-03-02T11:00:36.000Z",
"modified": "2022-03-02T11:00:36.000Z",
"description": "IsaacWiper",
"pattern": "[file:hashes.SHA1 = '736a4cfad1ed83a6a0b75b0474d5e01a3a36f950' AND file:name = 'cld.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-03-02T11:00:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b14c46e5-412f-4630-99b6-4c69e850267d",
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
"created": "2022-03-02T11:00:36.000Z",
"modified": "2022-03-02T11:00:36.000Z",
"description": "IsaacWiper",
"pattern": "[file:hashes.SHA1 = 'e9b96e9b86fad28d950ca428879168e0894d854f' AND file:name = 'clean.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-03-02T11:00:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--20e73d21-8aed-43e2-b5bb-1fb549206762",
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
"created": "2022-03-02T11:01:23.000Z",
"modified": "2022-03-02T11:01:23.000Z",
"description": "HermeticRansom",
"pattern": "[file:hashes.MD5 = 'd5d2c4ac6c724cd63b69ca054713e278' AND file:hashes.SHA1 = 'f32d791ec9e6385a91b45942c230f52aff1626df' AND file:hashes.SHA256 = '4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382' AND file:hashes.SHA512 = '9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91' AND file:name = 'cc2.exe' AND file:size = '3295232' AND file:x_misp_entropy = '5.9679556846481' AND file:x_misp_mimetype = 'PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-03-02T11:01:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e0bfa427-7b38-41bb-ae0a-80e4825e1f0e",
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
"created": "2022-03-02T11:01:25.000Z",
"modified": "2022-03-02T11:01:25.000Z",
"description": "HermeticWiper",
"pattern": "[file:hashes.MD5 = '3f4a16b29f2f0532b7ce3e7656799125' AND file:hashes.SHA1 = '61b25d11392172e587d8da3045812a66c3385451' AND file:hashes.SHA256 = '1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591' AND file:hashes.SHA512 = '32acaceda42128ef9e0a9f36ee2678d2fc296fda2df38629eb223939c8a9352b3bb2b7021bb84e9f223a4a26df57b528a711447b1451213a013fe00f9b971d80' AND file:name = 'conhosts.exe' AND file:size = '117000' AND file:x_misp_entropy = '6.3853905802374' AND file:x_misp_mimetype = 'PE32 executable (GUI) Intel 80386, for MS Windows']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-03-02T11:01:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--710d4708-ecbb-4073-a348-9a1824802410",
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
"created": "2022-03-02T11:01:26.000Z",
"modified": "2022-03-02T11:01:26.000Z",
"description": "HermeticWiper",
"pattern": "[file:hashes.MD5 = '84ba0197920fd3e2b7dfa719fee09d2f' AND file:hashes.SHA1 = '912342f1c840a42f6b74132f8a7c4ffe7d40fb77' AND file:hashes.SHA256 = '0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da' AND file:hashes.SHA512 = 'bbd4f0263abc71311404c55cb3e4711b707a71e28dcc1f08abd533a4c7f151db9cc40697105d76f1c978000e8fa7aa219adb65b31fb196b08f1ae003e04b9d23' AND file:name = 'com.exe' AND file:size = '117000' AND file:x_misp_entropy = '6.3817850700557' AND file:x_misp_mimetype = 'PE32 executable (GUI) Intel 80386, for MS Windows']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-03-02T11:01:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d26acfcb-6054-44d8-a31d-17e9551336b9",
"created_by_ref": "identity--56bdf779-46f8-4353-bdf9-2bb95bce2212",
"created": "2022-03-02T11:01:28.000Z",
"modified": "2022-03-02T11:01:28.000Z",
"description": "Legitimate RemCom remote access tool",
"pattern": "[file:hashes.MD5 = '6983f7001de10f4d19fc2d794c3eb534' AND file:hashes.SHA1 = '23873bf2670cf64c2440058130548d4e4da412dd' AND file:hashes.SHA256 = '3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71' AND file:hashes.SHA512 = '0b04be07d5b3a6b9526a4ae8050861d260bd5334b5320a6d7e6d0f7016199c98d82e5e520fe489e13b0db5146579037c24a22ae6674e9e7b6749b9bf90ad02aa' AND file:name = 'XqoYMlBX.exe' AND file:size = '56320' AND file:x_misp_entropy = '6.2650543077112' AND file:x_misp_mimetype = 'PE32 executable (console) Intel 80386, for MS Windows']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-03-02T11:01:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}