misp-circl-feed/feeds/circl/stix-2.1/6b6fa46d-4a17-44a4-a234-d69487b04597.json

{
    "type": "bundle",
    "id": "bundle--6b6fa46d-4a17-44a4-a234-d69487b04597",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2023-08-25T06:23:39.000Z",
            "modified": "2023-08-25T06:23:39.000Z",
            "name": "CIRCL",
            "identity_class": "organization"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--6b6fa46d-4a17-44a4-a234-d69487b04597",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2023-08-25T06:23:39.000Z",
            "modified": "2023-08-25T06:23:39.000Z",
            "name": "CISA - MAR-10459736.r1.v1 - WHIRLPOOL Variant",
            "published": "2023-08-25T06:23:46Z",
            "object_refs": [
                "indicator--3e5f8fc0-da1f-47f0-8b6e-f4c4b033ce47",
                "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
                "x-misp-object--07141506-e989-4a25-b510-797383e9b01a",
                "indicator--efd3fd98-6f1b-590d-bdd4-1e0753d3a689",
                "x-misp-object--626a2549-5775-43a8-b8bb-2fe2682a6dae",
                "indicator--31532fc0-d3ee-479f-8482-a4d49732d5af",
                "x-misp-object--74888f9e-4968-4601-944d-100a179c1b88",
                "relationship--de09e091-66a8-48d7-b0e0-109c70a45fd2",
                "relationship--9e5d9f1f-e131-4e28-be15-35d8920b5786"
            ],
            "labels": [
                "Threat-Report",
                "misp:tool=\"MISP-STIX-Converter\"",
                "type:OSINT",
                "osint:lifetime=\"perpetual\"",
                "tlp:clear"
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--3e5f8fc0-da1f-47f0-8b6e-f4c4b033ce47",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2023-08-09T21:12:59.000Z",
            "modified": "2023-08-09T21:12:59.000Z",
            "description": "The file 'ssld' is a Linux ELF reverse shell and is a variant of WHIRLPOOL malware used on the Barracuda Email Security Gateway (ESG) device (Figure 1). The file looks for an encoded string with a '.io' extension (Figure 2). The string will be decoded and the data will be passed as the C2 which will include the Internet Protocol (IP) address and port number used to establish a reverse shell.",
            "pattern": "['namespace'='CISA_Consolidated.yara' rule_name=CISA_10452108_02 rule_content=rule CISA_10452108_02 : WHIRLPOOL backdoor communicates_with_c2 installs_other_components\n{\n\tmeta:\n\t\tAuthor = \"CISA Code & Media Analysis\"\n\t\tIncident = \"10452108\"\n\t\tDate = \"2023-06-20\"\n\t\tLast_Modified = \"20230804_1730\"\n\t\tActor = \"n/a\"\n\t\tFamily = \"WHIRLPOOL\"\n\t\tCapabilities = \"communicates-with-c2 installs-other-components\"\n\t\tMalware_Type = \"backdoor\"\n\t\tTool_Type = \"unknown\"\n\t\tDescription = \"Detects malicious Linux WHIRLPOOL samples\"\n\t\tSHA256_1 = \"83ca636253fd1eb898b244855838e2281f257bbe8ead428b69528fc50b60ae9c\"\n\t\tSHA256_2 = \"8849a3273e0362c45b4928375d196714224ec22cb1d2df5d029bf57349860347\"\n\tstrings:\n\t\t$s0 = { 65 72 72 6f 72 20 2d 31 20 65 78 69 74 }\n\t\t$s1 = { 63 72 65 61 74 65 20 73 6f 63 6b 65 74 20 65 72 72 6f 72 3a 20 25 73 28 65 72 72 6f 72 3a 20 25 64 29 }\n\t\t$s2 = { c7 00 20 32 3e 26 66 c7 40 04 31 00 }\n\t\t$a3 = { 70 6c 61 69 6e 5f 63 6f 6e 6e 65 63 74 }\n\t\t$a4 = { 63 6f 6e 6e 65 63 74 20 65 72 72 6f 72 3a 20 25 73 28 65 72 72 6f 72 3a 20 25 64 29 }\n\t\t$a5 = { 73 73 6c 5f 63 6f 6e 6e 65 63 74 }\n\tcondition:\n\t\tuint32(0) == 0x464c457f and 4 of them\n}]",
            "pattern_type": "yara",
            "pattern_version": "2.1",
            "valid_from": "2023-08-17T19:19:43.944668Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload installation"
                }
            ],
            "labels": [
                "misp:type=\"yara\"",
                "misp:category=\"Payload installation\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2023-04-12T17:53:09.000Z",
            "modified": "2023-04-12T17:53:09.000Z",
            "name": "GeminiProduction_CMA",
            "description": "Cybersecurity and Infrastructure Security Agency Production Identity. Code and Media Analysis.",
            "identity_class": "system",
            "labels": [
                "misp:name=\"identity\"",
                "misp:meta-category=\"misc\"",
                "misp:to_ids=\"False\"",
                "misp:confidence-level=\"completely-confident\""
            ],
            "confidence": 100
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--07141506-e989-4a25-b510-797383e9b01a",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2023-08-09T21:12:59.000Z",
            "modified": "2023-08-09T21:12:59.000Z",
            "labels": [
                "misp:name=\"malware-analysis\"",
                "misp:meta-category=\"misc\""
            ],
            "x_misp_attributes": [
                {
                    "type": "text",
                    "object_relation": "product",
                    "value": "eset",
                    "category": "Other",
                    "uuid": "42e406d8-bcb1-468d-b9d1-195810672cab"
                },
                {
                    "type": "text",
                    "object_relation": "result",
                    "value": "unknown",
                    "category": "Other",
                    "uuid": "aea648ae-f790-412a-8511-22728becdb95"
                },
                {
                    "type": "text",
                    "object_relation": "result_name",
                    "value": "a variant of Linux/WhirlPool.A trojan",
                    "category": "Other",
                    "uuid": "e2f4500e-7dea-4009-8c50-d8915623816a"
                }
            ],
            "x_misp_meta_category": "misc",
            "x_misp_name": "malware-analysis"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--efd3fd98-6f1b-590d-bdd4-1e0753d3a689",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2023-08-09T21:12:59.000Z",
            "modified": "2023-08-09T21:12:59.000Z",
            "pattern": "[file:hashes.MD5 = '77e1e9bf69b09ed0840534adb8258540' AND file:hashes.SHA1 = 'deadca9bd85ee5c4e086fd81eee09407b769e9b6' AND file:hashes.SHA256 = '0af253e60456b03af49cc675f71d47b2dd9a48f50a927e43b9d8116985c06459' AND file:hashes.SHA512 = '3ad6bd00c4195c9b1757a9d697196e8beffb343c331509c2eda24bbbd009cc1af552a1900ab04d169a22d273e6359cb2ff149050a7f792b9630108a4af226e2d' AND file:hashes.SSDEEP = '98304:1z2EGoxipg0NPbuqbVxbNgqE+Q+F4YGZLx4BAFm/CyU:LLXYGNFLj' AND file:name = 'ssld' AND file:size = '5034648']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2023-08-09T21:12:59Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--626a2549-5775-43a8-b8bb-2fe2682a6dae",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2023-08-09T21:12:59.000Z",
            "modified": "2023-08-09T21:12:59.000Z",
            "labels": [
                "misp:name=\"malware\"",
                "misp:meta-category=\"misc\""
            ],
            "x_misp_attributes": [
                {
                    "type": "text",
                    "object_relation": "description",
                    "value": "The file 'ssld' is a Linux ELF reverse shell and is a variant of WHIRLPOOL malware used on the Barracuda Email Security Gateway (ESG) device (Figure 1). The file looks for an encoded string with a '.io' extension (Figure 2). The string will be decoded and the data will be passed as the C2 which will include the Internet Protocol (IP) address and port number used to establish a reverse shell.",
                    "category": "Other",
                    "uuid": "2d538923-b375-4471-b5f4-69f653cf572e"
                },
                {
                    "type": "boolean",
                    "object_relation": "is_family",
                    "value": "0",
                    "category": "Other",
                    "uuid": "2b74c868-0c2e-4e1f-bb81-7cf1cc9d2c0b"
                },
                {
                    "type": "text",
                    "object_relation": "malware_type",
                    "value": "trojan",
                    "category": "Other",
                    "uuid": "be1cbecb-8dd5-4cf9-899f-a58169012721"
                }
            ],
            "x_misp_meta_category": "misc",
            "x_misp_name": "malware"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--31532fc0-d3ee-479f-8482-a4d49732d5af",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2023-08-09T21:12:59.000Z",
            "modified": "2023-08-09T21:12:59.000Z",
            "pattern": "[file:hashes.MD5 = '77e1e9bf69b09ed0840534adb8258540' AND file:hashes.SHA1 = 'deadca9bd85ee5c4e086fd81eee09407b769e9b6' AND file:hashes.SHA256 = '0af253e60456b03af49cc675f71d47b2dd9a48f50a927e43b9d8116985c06459' AND file:hashes.SHA512 = '3ad6bd00c4195c9b1757a9d697196e8beffb343c331509c2eda24bbbd009cc1af552a1900ab04d169a22d273e6359cb2ff149050a7f792b9630108a4af226e2d']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2023-08-17T19:19:43.953009Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--74888f9e-4968-4601-944d-100a179c1b88",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2023-08-25T06:18:58.000Z",
            "modified": "2023-08-25T06:18:58.000Z",
            "labels": [
                "misp:name=\"original-imported-file\"",
                "misp:meta-category=\"file\""
            ],
            "x_misp_attributes": [
                {
                    "type": "attachment",
                    "object_relation": "imported-sample",
                    "value": "MAR-10459736.r1.v1.CLEAR_stix2.json",
                    "category": "External analysis",
                    "uuid": "3cebdcfe-65ce-4b62-b622-aa56867ef744",
                    "data": "ewogICAgInR5cGUiOiAiYnVuZGxlIiwKICAgICJpZCI6ICJidW5kbGUtLTc4ZDc0MDVkLWM3NjktNGVmYi05NTUwLTQwNWEzNThhMmQ3NiIsCiAgICAib2JqZWN0cyI6IFsKICAgICAgICB7CiAgICAgICAgICAgICJ0eXBlIjogImlkZW50aXR5IiwKICAgICAgICAgICAgInNwZWNfdmVyc2lvbiI6ICIyLjEiLAogICAgICAgICAgICAiaWQiOiAiaWRlbnRpdHktLThlMTEyZTcyLWFhOGYtNDE5MC1hMzU5LTI4YTlhYmFlMjg5NiIsCiAgICAgICAgICAgICJjcmVhdGVkX2J5X3JlZiI6ICJpZGVudGl0eS0tNDJhYzNjOTItNjBkMi00MThmLWJhOGUtODM4OTQ0ZTYxMTBiIiwKICAgICAgICAgICAgImNyZWF0ZWQiOiAiMjAyMy0wNC0xMlQxNzo1MzowOS42NDZaIiwKICAgICAgICAgICAgIm1vZGlmaWVkIjogIjIwMjMtMDQtMTJUMTc6NTM6MDkuNjQ2WiIsCiAgICAgICAgICAgICJuYW1lIjogIkdlbWluaVByb2R1Y3Rpb25fQ01BIiwKICAgICAgICAgICAgImRlc2NyaXB0aW9uIjogIkN5YmVyc2VjdXJpdHkgYW5kIEluZnJhc3RydWN0dXJlIFNlY3VyaXR5IEFnZW5jeSBQcm9kdWN0aW9uIElkZW50aXR5LiBDb2RlIGFuZCBNZWRpYSBBbmFseXNpcy4iLAogICAgICAgICAgICAiaWRlbnRpdHlfY2xhc3MiOiAic3lzdGVtIiwKICAgICAgICAgICAgImNvbmZpZGVuY2UiOiAxMDAsCiAgICAgICAgICAgICJsYW5nIjogImVuIiwKICAgICAgICAgICAgIm9iamVjdF9tYXJraW5nX3JlZnMiOiBbCiAgICAgICAgICAgICAgICAibWFya2luZy1kZWZpbml0aW9uLS1iYWI0YTYzYy1hZWQ5LTRjZjUtYTc2Ni1kZmNhNWFiYWMyYmIiCiAgICAgICAgICAgIF0KICAgICAgICB9LAogICAgICAgIHsKICAgICAgICAgICAgInR5cGUiOiAiZmlsZSIsCiAgICAgICAgICAgICJzcGVjX3ZlcnNpb24iOiAiMi4xIiwKICAgICAgICAgICAgImlkIjogImZpbGUtLWVmZDNmZDk4LTZmMWItNTkwZC1iZGQ0LTFlMDc1M2QzYTY4OSIsCiAgICAgICAgICAgICJoYXNoZXMiOiB7CiAgICAgICAgICAgICAgICAiTUQ1IjogIjc3ZTFlOWJmNjliMDllZDA4NDA1MzRhZGI4MjU4NTQwIiwKICAgICAgICAgICAgICAgICJTSEEtMSI6ICJkZWFkY2E5YmQ4NWVlNWM0ZTA4NmZkODFlZWUwOTQwN2I3NjllOWI2IiwKICAgICAgICAgICAgICAgICJTSEEtMjU2IjogIjBhZjI1M2U2MDQ1NmIwM2FmNDljYzY3NWY3MWQ0N2IyZGQ5YTQ4ZjUwYTkyN2U0M2I5ZDgxMTY5ODVjMDY0NTkiLAogICAgICAgICAgICAgICAgIlNIQS01MTIiOiAiM2FkNmJkMDBjNDE5NWM5YjE3NTdhOWQ2OTcxOTZlOGJlZmZiMzQzYzMzMTUwOWMyZWRhMjRiYmJkMDA5Y2MxYWY1NTJhMTkwMGFiMDRkMTY5YTIyZDI3M2U2MzU5Y2IyZmYxNDkwNTBhN2Y3OTJiOTYzMDEwOGE0YWYyMjZlMmQiLAogICAgICAgICAgICAgICAgIlNTREVFUCI6ICI5ODMwNDoxejJFR294aXBnME5QYnVxYlZ4Yk5ncUUrUStGNFlHWkx4NEJBRm0vQ3lVOkxMWFlHTkZMaiIKICAgICAgICAgICAgfSwKICAgICAgICAgICAgInNpemUiOiA1MDM0NjQ4LAogICAgICAgICAgICAibmFtZSI6ICJzc2xkIiwKICAgICAgICAgICAgIm9iamVjdF9tYXJraW5nX3JlZnMiOiBbCiAgICAgICAgICAgICAgICAibWFya2luZy1kZWZpbml0aW9uLS05NDg2OGM4OS04M2MyLTQ2NGItOTI5Yi1hMWE4YWEzYzg0ODciCiAgICAgICAgICAgIF0KICAgICAgICB9LAogICAgICAgIHsKICAgICAgICAgICAgInR5cGUiOiAiaW5kaWNhdG9yIiwKICAgICAgICAgICAgInNwZWNfdmVyc2lvbiI6ICIyLjEiLAogICAgICAgICAgICAiaWQiOiAiaW5kaWNhdG9yLS0zZTVmOGZjMC1kYTFmLTQ3ZjAtOGI2ZS1mNGM0YjAzM2NlNDciLAogICAgICAgICAgICAiY3JlYXRlZF9ieV9yZWYiOiAiaWRlbnRpdHktLThlMTEyZTcyLWFhOGYtNDE5MC1hMzU5LTI4YTlhYmFlMjg5NiIsCiAgICAgICAgICAgICJjcmVhdGVkIjogIjIwMjMtMDgtMDlUMjE6MTI6NTkuMDAwWiIsCiAgICAgICAgICAgICJtb2RpZmllZCI6ICIyMDIzLTA4LTA5VDIxOjEyOjU5LjAwMFoiLAogICAgICAgICAgICAibmFtZSI6ICJzc2xkIiwKICAgICAgICAgICAgIm9iamVjdF9tYXJraW5nX3JlZnMiOiBbCiAgICAgICAgICAgICAgICAibWFya2luZy1kZWZpbml0aW9uLS05NDg2OGM4OS04M2MyLTQ2NGItOTI5Yi1hMWE4YWEzYzg0ODciCiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJkZXNjcmlwdGlvbiI6ICJUaGUgZmlsZSAnc3NsZCcgaXMgYSBMaW51eCBFTEYgcmV2ZXJzZSBzaGVsbCBhbmQgaXMgYSB2YXJpYW50IG9mIFdISVJMUE9PTCBtYWx3YXJlIHVzZWQgb24gdGhlIEJhcnJhY3VkYSBFbWFpbCBTZWN1cml0eSBHYXRld2F5IChFU0cpIGRldmljZSAoRmlndXJlIDEpLiBUaGUgZmlsZSBsb29rcyBmb3IgYW4gZW5jb2RlZCBzdHJpbmcgd2l0aCBhICcuaW8nIGV4dGVuc2lvbiAoRmlndXJlIDIpLiBUaGUgc3RyaW5nIHdpbGwgYmUgZGVjb2RlZCBhbmQgdGhlIGRhdGEgd2lsbCBiZSBwYXNzZWQgYXMgdGhlIEMyIHdoaWNoIHdpbGwgaW5jbHVkZSB0aGUgSW50ZXJuZXQgUHJvdG9jb2wgKElQKSBhZGRyZXNzIGFuZCBwb3J0IG51bWJlciB1c2VkIHRvIGVzdGFibGlzaCBhIHJldmVyc2Ugc2hlbGwuIiwKICAgICAgICAgICAgImluZGljYXRvcl90eXBlcyI6IFsKICAgICAgICAgICAgICAgICJtYWxpY2lvdXMtYWN0aXZpdHkiCiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJwYXR0ZXJuIjogIiAnbmFtZXNwYWNlJz0nQ0lTQV9Db25zb2xpZGF0ZWQueWFyYScgcnVsZV9uYW1lPUNJU0FfMTA0NTIxMDhfMDIgcnVsZV9jb250ZW50PXJ1bGUgQ0lTQV8xMDQ1MjEwOF8wMiA6IFdISVJMUE9PTCBiYWNrZG9vciBjb21tdW5pY2F0ZXNfd2l0aF9jMiBpbnN0YWxsc19vdGhlcl9jb21wb25lbnRzXG57XG5cdG1ldGE6XG5cdFx0QXV0aG9yID0gXCJDSVNBIENvZGUgJiBNZWRpYSBBbmFseXNpc1wiXG5cdFx0SW5jaWRlbnQgPSBcIjEwNDUyMTA4XCJcblx0XHREYXRlID0gXCIyMDIzLTA2LTIwXCJcblx0XHRMYXN0X01vZGlmaWVkID0gXCIyMDIzMDgwNF8xNzMwXCJcblx0XHRBY3RvciA9IFwibi9hXCJcblx0XHRGYW1pbHkgPSBcIldISV
                },
                {
                    "type": "text",
                    "object_relation": "format",
                    "value": "STIX 2.1",
                    "category": "Other",
                    "uuid": "5c4002e7-7313-479e-911e-eb4920d76fc7"
                }
            ],
            "x_misp_meta_category": "file",
            "x_misp_name": "original-imported-file"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--de09e091-66a8-48d7-b0e0-109c70a45fd2",
            "created": "2023-08-25T06:18:51.000Z",
            "modified": "2023-08-25T06:18:51.000Z",
            "relationship_type": "analyses",
            "source_ref": "x-misp-object--07141506-e989-4a25-b510-797383e9b01a",
            "target_ref": "indicator--efd3fd98-6f1b-590d-bdd4-1e0753d3a689"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--9e5d9f1f-e131-4e28-be15-35d8920b5786",
            "created": "2023-08-25T06:18:51.000Z",
            "modified": "2023-08-25T06:18:51.000Z",
            "relationship_type": "associated-with",
            "source_ref": "indicator--efd3fd98-6f1b-590d-bdd4-1e0753d3a689",
            "target_ref": "x-misp-object--626a2549-5775-43a8-b8bb-2fe2682a6dae"
        },
        {
            "type": "marking-definition",
            "spec_version": "2.1",
            "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
            "created": "2017-01-20T00:00:00.000Z",
            "definition_type": "tlp",
            "name": "TLP:WHITE",
            "definition": {
                "tlp": "white"
            }
        }
    ]
}
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`{`
			`"type": "bundle",`
			`"id": "bundle--6b6fa46d-4a17-44a4-a234-d69487b04597",`
			`"objects": [`
			`{`
			`"type": "identity",`
			`"spec_version": "2.1",`
			`"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2023-08-25T06:23:39.000Z",`
			`"modified": "2023-08-25T06:23:39.000Z",`
			`"name": "CIRCL",`
			`"identity_class": "organization"`
			`},`
			`{`
			`"type": "report",`
			`"spec_version": "2.1",`
			`"id": "report--6b6fa46d-4a17-44a4-a234-d69487b04597",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2023-08-25T06:23:39.000Z",`
			`"modified": "2023-08-25T06:23:39.000Z",`
			`"name": "CISA - MAR-10459736.r1.v1 - WHIRLPOOL Variant",`
			`"published": "2023-08-25T06:23:46Z",`
			`"object_refs": [`
			`"indicator--3e5f8fc0-da1f-47f0-8b6e-f4c4b033ce47",`
			`"identity--8e112e72-aa8f-4190-a359-28a9abae2896",`
			`"x-misp-object--07141506-e989-4a25-b510-797383e9b01a",`
			`"indicator--efd3fd98-6f1b-590d-bdd4-1e0753d3a689",`
			`"x-misp-object--626a2549-5775-43a8-b8bb-2fe2682a6dae",`
			`"indicator--31532fc0-d3ee-479f-8482-a4d49732d5af",`
			`"x-misp-object--74888f9e-4968-4601-944d-100a179c1b88",`
chg: [feeds] updated 2024-08-07 08:13:15 +00:00			`"relationship--de09e091-66a8-48d7-b0e0-109c70a45fd2",`
			`"relationship--9e5d9f1f-e131-4e28-be15-35d8920b5786"`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`],`
			`"labels": [`
			`"Threat-Report",`
			`"misp:tool=\"MISP-STIX-Converter\"",`
			`"type:OSINT",`
			`"osint:lifetime=\"perpetual\"",`
			`"tlp:clear"`
			`],`
			`"object_marking_refs": [`
			`"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--3e5f8fc0-da1f-47f0-8b6e-f4c4b033ce47",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2023-08-09T21:12:59.000Z",`
			`"modified": "2023-08-09T21:12:59.000Z",`
			`"description": "The file 'ssld' is a Linux ELF reverse shell and is a variant of WHIRLPOOL malware used on the Barracuda Email Security Gateway (ESG) device (Figure 1). The file looks for an encoded string with a '.io' extension (Figure 2). The string will be decoded and the data will be passed as the C2 which will include the Internet Protocol (IP) address and port number used to establish a reverse shell.",`
			"pattern": "['namespace'='CISA_Consolidated.yara' rule_name=CISA_10452108_02 rule_content=rule CISA_10452108_02 : WHIRLPOOL backdoor communicates_with_c2 installs_other_components\n{\n\tmeta:\n\t\tAuthor = \"CISA Code & Media Analysis\"\n\t\tIncident = \"10452108\"\n\t\tDate = \"2023-06-20\"\n\t\tLast_Modified = \"20230804_1730\"\n\t\tActor = \"n/a\"\n\t\tFamily = \"WHIRLPOOL\"\n\t\tCapabilities = \"communicates-with-c2 installs-other-components\"\n\t\tMalware_Type = \"backdoor\"\n\t\tTool_Type = \"unknown\"\n\t\tDescription = \"Detects malicious Linux WHIRLPOOL samples\"\n\t\tSHA256_1 = \"83ca636253fd1eb898b244855838e2281f257bbe8ead428b69528fc50b60ae9c\"\n\t\tSHA256_2 = \"8849a3273e0362c45b4928375d196714224ec22cb1d2df5d029bf57349860347\"\n\tstrings:\n\t\t$s0 = { 65 72 72 6f 72 20 2d 31 20 65 78 69 74 }\n\t\t$s1 = { 63 72 65 61 74 65 20 73 6f 63 6b 65 74 20 65 72 72 6f 72 3a 20 25 73 28 65 72 72 6f 72 3a 20 25 64 29 }\n\t\t$s2 = { c7 00 20 32 3e 26 66 c7 40 04 31 00 }\n\t\t$a3 = { 70 6c 61 69 6e 5f 63 6f 6e 6e 65 63 74 }\n\t\t$a4 = { 63 6f 6e 6e 65 63 74 20 65 72 72 6f 72 3a 20 25 73 28 65 72 72 6f 72 3a 20 25 64 29 }\n\t\t$a5 = { 73 73 6c 5f 63 6f 6e 6e 65 63 74 }\n\tcondition:\n\t\tuint32(0) == 0x464c457f and 4 of them\n}]",
			`"pattern_type": "yara",`
			`"pattern_version": "2.1",`
			`"valid_from": "2023-08-17T19:19:43.944668Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload installation"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"yara\"",`
			`"misp:category=\"Payload installation\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "identity",`
			`"spec_version": "2.1",`
			`"id": "identity--8e112e72-aa8f-4190-a359-28a9abae2896",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2023-04-12T17:53:09.000Z",`
			`"modified": "2023-04-12T17:53:09.000Z",`
			`"name": "GeminiProduction_CMA",`
			`"description": "Cybersecurity and Infrastructure Security Agency Production Identity. Code and Media Analysis.",`
			`"identity_class": "system",`
			`"labels": [`
			`"misp:name=\"identity\"",`
			`"misp:meta-category=\"misc\"",`
			`"misp:to_ids=\"False\"",`
			`"misp:confidence-level=\"completely-confident\""`
			`],`
			`"confidence": 100`
			`},`
			`{`
			`"type": "x-misp-object",`
			`"spec_version": "2.1",`
			`"id": "x-misp-object--07141506-e989-4a25-b510-797383e9b01a",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2023-08-09T21:12:59.000Z",`
			`"modified": "2023-08-09T21:12:59.000Z",`
			`"labels": [`
			`"misp:name=\"malware-analysis\"",`
			`"misp:meta-category=\"misc\""`
			`],`
			`"x_misp_attributes": [`
			`{`
			`"type": "text",`
			`"object_relation": "product",`
			`"value": "eset",`
			`"category": "Other",`
			`"uuid": "42e406d8-bcb1-468d-b9d1-195810672cab"`
			`},`
			`{`
			`"type": "text",`
			`"object_relation": "result",`
			`"value": "unknown",`
			`"category": "Other",`
			`"uuid": "aea648ae-f790-412a-8511-22728becdb95"`
			`},`
			`{`
			`"type": "text",`
			`"object_relation": "result_name",`
			`"value": "a variant of Linux/WhirlPool.A trojan",`
			`"category": "Other",`
			`"uuid": "e2f4500e-7dea-4009-8c50-d8915623816a"`
			`}`
			`],`
			`"x_misp_meta_category": "misc",`
			`"x_misp_name": "malware-analysis"`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--efd3fd98-6f1b-590d-bdd4-1e0753d3a689",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2023-08-09T21:12:59.000Z",`
			`"modified": "2023-08-09T21:12:59.000Z",`
			"pattern": "[file:hashes.MD5 = '77e1e9bf69b09ed0840534adb8258540' AND file:hashes.SHA1 = 'deadca9bd85ee5c4e086fd81eee09407b769e9b6' AND file:hashes.SHA256 = '0af253e60456b03af49cc675f71d47b2dd9a48f50a927e43b9d8116985c06459' AND file:hashes.SHA512 = '3ad6bd00c4195c9b1757a9d697196e8beffb343c331509c2eda24bbbd009cc1af552a1900ab04d169a22d273e6359cb2ff149050a7f792b9630108a4af226e2d' AND file:hashes.SSDEEP = '98304:1z2EGoxipg0NPbuqbVxbNgqE+Q+F4YGZLx4BAFm/CyU:LLXYGNFLj' AND file:name = 'ssld' AND file:size = '5034648']",
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2023-08-09T21:12:59Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "file"`
			`}`
			`],`
			`"labels": [`
			`"misp:name=\"file\"",`
			`"misp:meta-category=\"file\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "x-misp-object",`
			`"spec_version": "2.1",`
			`"id": "x-misp-object--626a2549-5775-43a8-b8bb-2fe2682a6dae",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2023-08-09T21:12:59.000Z",`
			`"modified": "2023-08-09T21:12:59.000Z",`
			`"labels": [`
			`"misp:name=\"malware\"",`
			`"misp:meta-category=\"misc\""`
			`],`
			`"x_misp_attributes": [`
			`{`
			`"type": "text",`
			`"object_relation": "description",`
			`"value": "The file 'ssld' is a Linux ELF reverse shell and is a variant of WHIRLPOOL malware used on the Barracuda Email Security Gateway (ESG) device (Figure 1). The file looks for an encoded string with a '.io' extension (Figure 2). The string will be decoded and the data will be passed as the C2 which will include the Internet Protocol (IP) address and port number used to establish a reverse shell.",`
			`"category": "Other",`
			`"uuid": "2d538923-b375-4471-b5f4-69f653cf572e"`
			`},`
			`{`
			`"type": "boolean",`
			`"object_relation": "is_family",`
			`"value": "0",`
			`"category": "Other",`
			`"uuid": "2b74c868-0c2e-4e1f-bb81-7cf1cc9d2c0b"`
			`},`
			`{`
			`"type": "text",`
			`"object_relation": "malware_type",`
			`"value": "trojan",`
			`"category": "Other",`
			`"uuid": "be1cbecb-8dd5-4cf9-899f-a58169012721"`
			`}`
			`],`
			`"x_misp_meta_category": "misc",`
			`"x_misp_name": "malware"`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--31532fc0-d3ee-479f-8482-a4d49732d5af",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2023-08-09T21:12:59.000Z",`
			`"modified": "2023-08-09T21:12:59.000Z",`
			`"pattern": "[file:hashes.MD5 = '77e1e9bf69b09ed0840534adb8258540' AND file:hashes.SHA1 = 'deadca9bd85ee5c4e086fd81eee09407b769e9b6' AND file:hashes.SHA256 = '0af253e60456b03af49cc675f71d47b2dd9a48f50a927e43b9d8116985c06459' AND file:hashes.SHA512 = '3ad6bd00c4195c9b1757a9d697196e8beffb343c331509c2eda24bbbd009cc1af552a1900ab04d169a22d273e6359cb2ff149050a7f792b9630108a4af226e2d']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2023-08-17T19:19:43.953009Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "file"`
			`}`
			`],`
			`"labels": [`
			`"misp:name=\"file\"",`
			`"misp:meta-category=\"file\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "x-misp-object",`
			`"spec_version": "2.1",`
			`"id": "x-misp-object--74888f9e-4968-4601-944d-100a179c1b88",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2023-08-25T06:18:58.000Z",`
			`"modified": "2023-08-25T06:18:58.000Z",`
			`"labels": [`
			`"misp:name=\"original-imported-file\"",`
			`"misp:meta-category=\"file\""`
			`],`
			`"x_misp_attributes": [`
			`{`
			`"type": "attachment",`
			`"object_relation": "imported-sample",`
			`"value": "MAR-10459736.r1.v1.CLEAR_stix2.json",`
			`"category": "External analysis",`
			`"uuid": "3cebdcfe-65ce-4b62-b622-aa56867ef744",`
			"data": "ewogICAgInR5cGUiOiAiYnVuZGxlIiwKICAgICJpZCI6ICJidW5kbGUtLTc4ZDc0MDVkLWM3NjktNGVmYi05NTUwLTQwNWEzNThhMmQ3NiIsCiAgICAib2JqZWN0cyI6IFsKICAgICAgICB7CiAgICAgICAgICAgICJ0eXBlIjogImlkZW50aXR5IiwKICAgICAgICAgICAgInNwZWNfdmVyc2lvbiI6ICIyLjEiLAogICAgICAgICAgICAiaWQiOiAiaWRlbnRpdHktLThlMTEyZTcyLWFhOGYtNDE5MC1hMzU5LTI4YTlhYmFlMjg5NiIsCiAgICAgICAgICAgICJjcmVhdGVkX2J5X3JlZiI6ICJpZGVudGl0eS0tNDJhYzNjOTItNjBkMi00MThmLWJhOGUtODM4OTQ0ZTYxMTBiIiwKICAgICAgICAgICAgImNyZWF0ZWQiOiAiMjAyMy0wNC0xMlQxNzo1MzowOS42NDZaIiwKICAgICAgICAgICAgIm1vZGlmaWVkIjogIjIwMjMtMDQtMTJUMTc6NTM6MDkuNjQ2WiIsCiAgICAgICAgICAgICJuYW1lIjogIkdlbWluaVByb2R1Y3Rpb25fQ01BIiwKICAgICAgICAgICAgImRlc2NyaXB0aW9uIjogIkN5YmVyc2VjdXJpdHkgYW5kIEluZnJhc3RydWN0dXJlIFNlY3VyaXR5IEFnZW5jeSBQcm9kdWN0aW9uIElkZW50aXR5LiBDb2RlIGFuZCBNZWRpYSBBbmFseXNpcy4iLAogICAgICAgICAgICAiaWRlbnRpdHlfY2xhc3MiOiAic3lzdGVtIiwKICAgICAgICAgICAgImNvbmZpZGVuY2UiOiAxMDAsCiAgICAgICAgICAgICJsYW5nIjogImVuIiwKICAgICAgICAgICAgIm9iamVjdF9tYXJraW5nX3JlZnMiOiBbCiAgICAgICAgICAgICAgICAibWFya2luZy1kZWZpbml0aW9uLS1iYWI0YTYzYy1hZWQ5LTRjZjUtYTc2Ni1kZmNhNWFiYWMyYmIiCiAgICAgICAgICAgIF0KICAgICAgICB9LAogICAgICAgIHsKICAgICAgICAgICAgInR5cGUiOiAiZmlsZSIsCiAgICAgICAgICAgICJzcGVjX3ZlcnNpb24iOiAiMi4xIiwKICAgICAgICAgICAgImlkIjogImZpbGUtLWVmZDNmZDk4LTZmMWItNTkwZC1iZGQ0LTFlMDc1M2QzYTY4OSIsCiAgICAgICAgICAgICJoYXNoZXMiOiB7CiAgICAgICAgICAgICAgICAiTUQ1IjogIjc3ZTFlOWJmNjliMDllZDA4NDA1MzRhZGI4MjU4NTQwIiwKICAgICAgICAgICAgICAgICJTSEEtMSI6ICJkZWFkY2E5YmQ4NWVlNWM0ZTA4NmZkODFlZWUwOTQwN2I3NjllOWI2IiwKICAgICAgICAgICAgICAgICJTSEEtMjU2IjogIjBhZjI1M2U2MDQ1NmIwM2FmNDljYzY3NWY3MWQ0N2IyZGQ5YTQ4ZjUwYTkyN2U0M2I5ZDgxMTY5ODVjMDY0NTkiLAogICAgICAgICAgICAgICAgIlNIQS01MTIiOiAiM2FkNmJkMDBjNDE5NWM5YjE3NTdhOWQ2OTcxOTZlOGJlZmZiMzQzYzMzMTUwOWMyZWRhMjRiYmJkMDA5Y2MxYWY1NTJhMTkwMGFiMDRkMTY5YTIyZDI3M2U2MzU5Y2IyZmYxNDkwNTBhN2Y3OTJiOTYzMDEwOGE0YWYyMjZlMmQiLAogICAgICAgICAgICAgICAgIlNTREVFUCI6ICI5ODMwNDoxejJFR294aXBnME5QYnVxYlZ4Yk5ncUUrUStGNFlHWkx4NEJBRm0vQ3lVOkxMWFlHTkZMaiIKICAgICAgICAgICAgfSwKICAgICAgICAgICAgInNpemUiOiA1MDM0NjQ4LAogICAgICAgICAgICAibmFtZSI6ICJzc2xkIiwKICAgICAgICAgICAgIm9iamVjdF9tYXJraW5nX3JlZnMiOiBbCiAgICAgICAgICAgICAgICAibWFya2luZy1kZWZpbml0aW9uLS05NDg2OGM4OS04M2MyLTQ2NGItOTI5Yi1hMWE4YWEzYzg0ODciCiAgICAgICAgICAgIF0KICAgICAgICB9LAogICAgICAgIHsKICAgICAgICAgICAgInR5cGUiOiAiaW5kaWNhdG9yIiwKICAgICAgICAgICAgInNwZWNfdmVyc2lvbiI6ICIyLjEiLAogICAgICAgICAgICAiaWQiOiAiaW5kaWNhdG9yLS0zZTVmOGZjMC1kYTFmLTQ3ZjAtOGI2ZS1mNGM0YjAzM2NlNDciLAogICAgICAgICAgICAiY3JlYXRlZF9ieV9yZWYiOiAiaWRlbnRpdHktLThlMTEyZTcyLWFhOGYtNDE5MC1hMzU5LTI4YTlhYmFlMjg5NiIsCiAgICAgICAgICAgICJjcmVhdGVkIjogIjIwMjMtMDgtMDlUMjE6MTI6NTkuMDAwWiIsCiAgICAgICAgICAgICJtb2RpZmllZCI6ICIyMDIzLTA4LTA5VDIxOjEyOjU5LjAwMFoiLAogICAgICAgICAgICAibmFtZSI6ICJzc2xkIiwKICAgICAgICAgICAgIm9iamVjdF9tYXJraW5nX3JlZnMiOiBbCiAgICAgICAgICAgICAgICAibWFya2luZy1kZWZpbml0aW9uLS05NDg2OGM4OS04M2MyLTQ2NGItOTI5Yi1hMWE4YWEzYzg0ODciCiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJkZXNjcmlwdGlvbiI6ICJUaGUgZmlsZSAnc3NsZCcgaXMgYSBMaW51eCBFTEYgcmV2ZXJzZSBzaGVsbCBhbmQgaXMgYSB2YXJpYW50IG9mIFdISVJMUE9PTCBtYWx3YXJlIHVzZWQgb24gdGhlIEJhcnJhY3VkYSBFbWFpbCBTZWN1cml0eSBHYXRld2F5IChFU0cpIGRldmljZSAoRmlndXJlIDEpLiBUaGUgZmlsZSBsb29rcyBmb3IgYW4gZW5jb2RlZCBzdHJpbmcgd2l0aCBhICcuaW8nIGV4dGVuc2lvbiAoRmlndXJlIDIpLiBUaGUgc3RyaW5nIHdpbGwgYmUgZGVjb2RlZCBhbmQgdGhlIGRhdGEgd2lsbCBiZSBwYXNzZWQgYXMgdGhlIEMyIHdoaWNoIHdpbGwgaW5jbHVkZSB0aGUgSW50ZXJuZXQgUHJvdG9jb2wgKElQKSBhZGRyZXNzIGFuZCBwb3J0IG51bWJlciB1c2VkIHRvIGVzdGFibGlzaCBhIHJldmVyc2Ugc2hlbGwuIiwKICAgICAgICAgICAgImluZGljYXRvcl90eXBlcyI6IFsKICAgICAgICAgICAgICAgICJtYWxpY2lvdXMtYWN0aXZpdHkiCiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJwYXR0ZXJuIjogIiAnbmFtZXNwYWNlJz0nQ0lTQV9Db25zb2xpZGF0ZWQueWFyYScgcnVsZV9uYW1lPUNJU0FfMTA0NTIxMDhfMDIgcnVsZV9jb250ZW50PXJ1bGUgQ0lTQV8xMDQ1MjEwOF8wMiA6IFdISVJMUE9PTCBiYWNrZG9vciBjb21tdW5pY2F0ZXNfd2l0aF9jMiBpbnN0YWxsc19vdGhlcl9jb21wb25lbnRzXG57XG5cdG1ldGE6XG5cdFx0QXV0aG9yID0gXCJDSVNBIENvZGUgJiBNZWRpYSBBbmFseXNpc1wiXG5cdFx0SW5jaWRlbnQgPSBcIjEwNDUyMTA4XCJcblx0XHREYXRlID0gXCIyMDIzLTA2LTIwXCJcblx0XHRMYXN0X01vZGlmaWVkID0gXCIyMDIzMDgwNF8xNzMwXCJcblx0XHRBY3RvciA9IFwibi9hXCJcblx0XHRGYW1pbHkgPSBcIldISV
			`},`
			`{`
			`"type": "text",`
			`"object_relation": "format",`
			`"value": "STIX 2.1",`
			`"category": "Other",`
			`"uuid": "5c4002e7-7313-479e-911e-eb4920d76fc7"`
			`}`
			`],`
			`"x_misp_meta_category": "file",`
			`"x_misp_name": "original-imported-file"`
			`},`
			`{`
			`"type": "relationship",`
			`"spec_version": "2.1",`
chg: [feeds] updated 2024-08-07 08:13:15 +00:00			`"id": "relationship--de09e091-66a8-48d7-b0e0-109c70a45fd2",`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"created": "2023-08-25T06:18:51.000Z",`
			`"modified": "2023-08-25T06:18:51.000Z",`
			`"relationship_type": "analyses",`
			`"source_ref": "x-misp-object--07141506-e989-4a25-b510-797383e9b01a",`
			`"target_ref": "indicator--efd3fd98-6f1b-590d-bdd4-1e0753d3a689"`
			`},`
			`{`
			`"type": "relationship",`
			`"spec_version": "2.1",`
chg: [feeds] updated 2024-08-07 08:13:15 +00:00			`"id": "relationship--9e5d9f1f-e131-4e28-be15-35d8920b5786",`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"created": "2023-08-25T06:18:51.000Z",`
			`"modified": "2023-08-25T06:18:51.000Z",`
			`"relationship_type": "associated-with",`
			`"source_ref": "indicator--efd3fd98-6f1b-590d-bdd4-1e0753d3a689",`
			`"target_ref": "x-misp-object--626a2549-5775-43a8-b8bb-2fe2682a6dae"`
			`},`
			`{`
			`"type": "marking-definition",`
			`"spec_version": "2.1",`
			`"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",`
			`"created": "2017-01-20T00:00:00.000Z",`
			`"definition_type": "tlp",`
			`"name": "TLP:WHITE",`
			`"definition": {`
			`"tlp": "white"`
			`}`
			`}`
			`]`
			`}`