misp-circl-feed/feeds/circl/stix-2.1/042a4478-fe19-4ed0-a309-b96da3542a95.json

2213 lines
179 KiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--042a4478-fe19-4ed0-a309-b96da3542a95",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T13:21:32.000Z",
"modified": "2023-01-13T13:21:32.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--042a4478-fe19-4ed0-a309-b96da3542a95",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T13:21:32.000Z",
"modified": "2023-01-13T13:21:32.000Z",
"name": "Analysis of FG-IR-22-398 \u2013 FortiOS - heap-based buffer overflow in SSLVPNd",
"published": "2023-01-13T13:21:41Z",
"object_refs": [
"indicator--23b95adf-c8dd-4835-b1e9-e23183d6bbba",
"indicator--f15ce3fd-c07f-456f-b07f-4e4a3f822d6c",
"indicator--2eb35a69-dbfb-42a6-8d8a-3e3e400de928",
"indicator--0d3771cb-5259-49e0-af8f-e106621d23d7",
"indicator--35236d47-2d7c-4789-a1b0-84f524b1ab52",
"indicator--fcd50948-9e1b-4672-b01e-1fab338ae212",
"indicator--015d8a1c-fea6-46ac-a049-7ead9345cc3f",
"indicator--19dd0c3e-652f-464d-ad26-2ddf1e59ec73",
"indicator--8a77b238-13e4-4489-9e4c-f95328677c03",
"indicator--18016fa2-0115-47ed-a944-02a80bb4322b",
"indicator--740c6d33-5ed3-439e-9c85-42b8ad063c4c",
"indicator--b24d7229-5422-4645-a761-cc9b1ee33dd7",
"indicator--a12c722c-ed6e-4b7e-8bf6-d38f93715333",
"indicator--a475e912-4841-400c-b468-7f07e1503d29",
"indicator--83616717-5013-4ec0-a241-08e1d5f0f1fa",
"indicator--ca47bd29-6c27-4060-9710-e094d20676f5",
"indicator--109e3980-b70e-4fc2-9692-0937386098e4",
"indicator--964fd5be-2ff8-4178-bc8d-8f9bec690395",
"indicator--c9c5d50e-35c9-4602-8984-80a794dcee5d",
"indicator--89a2bddc-dc5d-45c0-aac4-1e97fb5f9cee",
"indicator--a525d45e-d512-4490-869f-a5a85dd75224",
"indicator--f4452141-acfb-44a6-bec8-ad5093fc5eb3",
"indicator--77971734-97ba-409b-a2e6-191837911cc1",
"indicator--66b4b3d7-8f5f-4aa0-9d97-ff627526a059",
"indicator--89c2666b-6fb6-402d-8856-9b8b8ddb213d",
"indicator--c435d49f-a81b-430a-a50a-b7ed0433ca2e",
"indicator--8e787e2c-9fd7-473d-a4a9-cd17976d950c",
"indicator--d1584713-f07c-4901-b6d9-895c11ba496c",
"indicator--c53e5c82-971b-459c-8ffd-df3b33fc902a",
"x-misp-attribute--145f47e5-9a3e-4fd0-ae3a-8d2e1ee052fe",
"x-misp-object--e382ee4d-ca77-46bd-9029-7e0339bf620c",
"vulnerability--48f4d58c-85aa-4048-ac46-852d2ce4a23f",
"vulnerability--0dc13dec-e5ab-4c09-8811-41e9a45dbb9e",
"x-misp-object--d7cc6b5e-f357-4962-8c46-d19ceb040746",
"x-misp-object--4b7f16b4-5f75-4dfb-845b-3d859bcdf633",
"x-misp-object--50105082-3cf7-400c-bf75-c2aabcff8a87",
"indicator--622b381c-f334-4a45-bbef-aca8ca6ee335",
"x-misp-object--ad14186f-2ff5-4cc7-aafe-309529f30500",
"x-misp-object--e74e0eb4-85d1-431b-902c-5fce491462bc",
"indicator--c84b8cb1-2f0a-451c-8e85-59f68705e719",
"x-misp-object--3da68ddc-8324-43fa-bbe8-f7720dc32a2b",
"indicator--9b6a958e-9b18-407c-9aac-9f1f5dfb8f5b",
"indicator--9ec6fbe0-8d11-447a-a038-f6b0a86b9814",
"indicator--3e84fef6-6655-46a8-9a74-2e05e651c3d2",
"indicator--32d28275-7f48-4b1e-90cc-285cbeee0a0c",
"indicator--4919dc52-6dd4-4e94-839a-a1f0a955c307",
"x-misp-object--961a77bc-6824-49ae-815c-efb178e8e1b4",
"indicator--3547fe3b-4672-41f8-8b87-dd3754d7aeeb",
"x-misp-object--060f92b1-3a95-49fd-b14f-e33adbd2115b",
"x-misp-object--2f9cb5df-616d-4aa3-b759-2312259e013a",
"x-misp-object--a8529e6e-6cfa-4786-a272-086dc1106dd2",
"x-misp-object--c10402d1-6766-4ab4-8509-f157c123b61c",
"x-misp-object--b3922ef0-5926-4bcf-b1c5-622a6742dcec",
"x-misp-object--1d1e1173-a0cf-4808-a2ee-51234b20e355",
"x-misp-object--2c07d192-0cfc-44d7-a50d-ba5e19f39d8a",
"x-misp-object--3b93ed78-8588-44e1-9900-13cfd51d57e8",
"x-misp-object--47345dc1-759f-4d34-997a-79c8a0ff8600",
2023-05-19 09:05:37 +00:00
"note--54ae3ae3-3b28-48d2-8aa3-b65955287a9d",
2024-04-05 12:15:17 +00:00
"relationship--791c092b-385b-4338-be9e-047db16c6177",
"relationship--f8a5d897-e7d1-4ff5-9b52-b2568c19868d"
2023-04-21 14:44:17 +00:00
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:sector=\"Government, Administration\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"tlp:clear",
"misp-galaxy:country=\"russia\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--23b95adf-c8dd-4835-b1e9-e23183d6bbba",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T08:59:28.000Z",
"modified": "2023-01-13T08:59:28.000Z",
"description": "Hashes of post-exploitation implants",
"pattern": "[file:hashes.MD5 = 'f68c3f72270800ea675889e82bb02fb8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T08:59:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f15ce3fd-c07f-456f-b07f-4e4a3f822d6c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T08:59:28.000Z",
"modified": "2023-01-13T08:59:28.000Z",
"description": "Hashes of post-exploitation implants",
"pattern": "[file:hashes.MD5 = 'e3f640d8785c0c864739529889b1863a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T08:59:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2eb35a69-dbfb-42a6-8d8a-3e3e400de928",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T08:59:28.000Z",
"modified": "2023-01-13T08:59:28.000Z",
"description": "Hashes of post-exploitation implants",
"pattern": "[file:hashes.MD5 = '08cbaafb176ce6118f7e4e0b2d2d77cf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T08:59:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0d3771cb-5259-49e0-af8f-e106621d23d7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T08:59:28.000Z",
"modified": "2023-01-13T08:59:28.000Z",
"description": "Hashes of post-exploitation implants",
"pattern": "[file:hashes.MD5 = 'bdc2d2f5d5246f8956711bcce9f456b6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T08:59:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--35236d47-2d7c-4789-a1b0-84f524b1ab52",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T08:59:28.000Z",
"modified": "2023-01-13T08:59:28.000Z",
"description": "Hashes of post-exploitation implants",
"pattern": "[file:hashes.MD5 = '4548fa6625cb154ab320833186117393']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T08:59:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--fcd50948-9e1b-4672-b01e-1fab338ae212",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T08:59:28.000Z",
"modified": "2023-01-13T08:59:28.000Z",
"description": "Hashes of post-exploitation implants",
"pattern": "[file:hashes.MD5 = 'e5d989b651b3eb351e10e408d5a062b3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T08:59:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--015d8a1c-fea6-46ac-a049-7ead9345cc3f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T08:59:28.000Z",
"modified": "2023-01-13T08:59:28.000Z",
"description": "Hashes of post-exploitation implants",
"pattern": "[file:hashes.MD5 = '3191cb2e06e9a30792309813793f78b6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T08:59:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--19dd0c3e-652f-464d-ad26-2ddf1e59ec73",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T08:59:28.000Z",
"modified": "2023-01-13T08:59:28.000Z",
"description": "Hashes of post-exploitation implants",
"pattern": "[file:hashes.MD5 = '12e28c14bb7f7b9513a02e5857592ad7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T08:59:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8a77b238-13e4-4489-9e4c-f95328677c03",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T08:59:28.000Z",
"modified": "2023-01-13T08:59:28.000Z",
"description": "Hashes of post-exploitation implants",
"pattern": "[file:hashes.MD5 = 'ae0839351721db5a9c269fd75dcb57ce']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T08:59:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--18016fa2-0115-47ed-a944-02a80bb4322b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T08:59:28.000Z",
"modified": "2023-01-13T08:59:28.000Z",
"description": "Hashes of post-exploitation implants",
"pattern": "[file:hashes.MD5 = '856341349dd954d82b112ba9165c4563']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T08:59:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--740c6d33-5ed3-439e-9c85-42b8ad063c4c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:12:45.000Z",
"modified": "2023-01-13T09:12:45.000Z",
"description": "Older Actor IP",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '156.251.162.76']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:12:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b24d7229-5422-4645-a761-cc9b1ee33dd7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:12:53.000Z",
"modified": "2023-01-13T09:12:53.000Z",
"description": "Older Actor IP",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '156.251.163.19']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:12:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a12c722c-ed6e-4b7e-8bf6-d38f93715333",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:12:22.000Z",
"modified": "2023-01-13T09:12:22.000Z",
"description": "Older Actor IP",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '156.251.163.122']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:12:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a475e912-4841-400c-b468-7f07e1503d29",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:12:34.000Z",
"modified": "2023-01-13T09:12:34.000Z",
"description": "Older Actor IP",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '156.251.162.111']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:12:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--83616717-5013-4ec0-a241-08e1d5f0f1fa",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:15:53.000Z",
"modified": "2023-01-13T09:15:53.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '139.180.184.197']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:15:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ca47bd29-6c27-4060-9710-e094d20676f5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:15:53.000Z",
"modified": "2023-01-13T09:15:53.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '66.42.91.32']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:15:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--109e3980-b70e-4fc2-9692-0937386098e4",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:15:53.000Z",
"modified": "2023-01-13T09:15:53.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '158.247.221.101']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:15:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--964fd5be-2ff8-4178-bc8d-8f9bec690395",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:15:53.000Z",
"modified": "2023-01-13T09:15:53.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '107.148.27.117']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:15:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c9c5d50e-35c9-4602-8984-80a794dcee5d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:15:53.000Z",
"modified": "2023-01-13T09:15:53.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '139.180.128.142']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:15:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--89a2bddc-dc5d-45c0-aac4-1e97fb5f9cee",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:15:53.000Z",
"modified": "2023-01-13T09:15:53.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '155.138.224.122']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:15:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a525d45e-d512-4490-869f-a5a85dd75224",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:15:53.000Z",
"modified": "2023-01-13T09:15:53.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.174.136.20']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:15:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f4452141-acfb-44a6-bec8-ad5093fc5eb3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:15:53.000Z",
"modified": "2023-01-13T09:15:53.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.86.229.220']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:15:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--77971734-97ba-409b-a2e6-191837911cc1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:15:53.000Z",
"modified": "2023-01-13T09:15:53.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.86.231.71']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:15:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--66b4b3d7-8f5f-4aa0-9d97-ff627526a059",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:15:53.000Z",
"modified": "2023-01-13T09:15:53.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '139.99.35.116']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:15:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--89c2666b-6fb6-402d-8856-9b8b8ddb213d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:15:53.000Z",
"modified": "2023-01-13T09:15:53.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '139.99.37.119']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:15:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c435d49f-a81b-430a-a50a-b7ed0433ca2e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:15:53.000Z",
"modified": "2023-01-13T09:15:53.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '194.62.42.105']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:15:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8e787e2c-9fd7-473d-a4a9-cd17976d950c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:15:53.000Z",
"modified": "2023-01-13T09:15:53.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.250.149.32']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:15:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d1584713-f07c-4901-b6d9-895c11ba496c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:15:53.000Z",
"modified": "2023-01-13T09:15:53.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '137.175.30.138']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:15:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c53e5c82-971b-459c-8ffd-df3b33fc902a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:15:53.000Z",
"modified": "2023-01-13T09:15:53.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '146.70.157.133']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:15:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--145f47e5-9a3e-4fd0-ae3a-8d2e1ee052fe",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:28:37.000Z",
"modified": "2023-01-13T09:28:37.000Z",
"labels": [
"misp:type=\"pattern-in-traffic\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Network activity",
"x_misp_comment": "By emulating the malware's execution, we found a unique string of bytes in its\u00a0communication with its command & control server\u00a0that can be used for an IPS signature.\u00a0 This string detects the TLS traffic by the TLS request header.\u00a0 The buffer \u201c\\x00\\x0C\\x08http/1.1\\x02h2\\x00\\x00\\x00\\x14\\x00\\x12\\x00\\x00\\x0Fwww.example.com\u201d (unescaped) should appear inside the \u201cClient Hello\u201d packet.",
"x_misp_type": "pattern-in-traffic",
"x_misp_value": "\\x00\\x0C\\x08http/1.1\\x02h2\\x00\\x00\\x00\\x14\\x00\\x12\\x00\\x00\\x0Fwww.example.com"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--e382ee4d-ca77-46bd-9029-7e0339bf620c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T08:54:09.000Z",
"modified": "2023-01-13T08:54:09.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd",
"category": "External analysis",
"uuid": "c3e0cd2c-3772-4695-bb62-54d0af792a89"
},
{
"type": "text",
"object_relation": "summary",
"value": "Fortinet has published CVSS: Critical advisory FG-IR-22-398 / CVE-2022-42475 on Dec 12, 2022. The following writeup details our initial investigation into this malware and additional IoCs identified during our ongoing analysis.",
"category": "Other",
"uuid": "0c1a8b12-ac58-406a-9dd2-154fa18de957"
},
{
"type": "text",
"object_relation": "type",
"value": "Blog",
"category": "Other",
"uuid": "113aa6d6-bbbb-4fc5-adb5-5d7795772079"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--48f4d58c-85aa-4048-ac46-852d2ce4a23f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T08:57:50.000Z",
"modified": "2023-01-13T08:57:50.000Z",
"name": "CVE-2022-42475",
"labels": [
"misp:name=\"vulnerability\"",
"misp:meta-category=\"vulnerability\"",
"misp:to_ids=\"False\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2022-42475"
},
{
"source_name": "url",
"url": "https://www.fortiguard.com/psirt/FG-IR-22-398"
},
{
"source_name": "url",
"url": "https://cvepremium.circl.lu/cve/CVE-2022-42475"
}
],
"x_misp_state": "Published"
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--0dc13dec-e5ab-4c09-8811-41e9a45dbb9e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T08:58:01.000Z",
"modified": "2023-01-13T08:58:01.000Z",
"name": "CVE-2022-42475",
"description": "A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.",
"labels": [
"misp:name=\"vulnerability\"",
"misp:meta-category=\"vulnerability\"",
"misp:to_ids=\"False\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2022-42475"
},
{
"source_name": "url",
"url": "https://fortiguard.com/psirt/FG-IR-22-398"
}
],
"x_misp_cvss_score": "9.8",
"x_misp_cvss_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"x_misp_modified": "2023-01-09T17:30:00+00:00",
"x_misp_published": "2023-01-02T09:15:00+00:00",
"x_misp_state": "Published",
"x_misp_vulnerable_configuration": [
"cpe:2.3:o:fortinet:fortios:5.6.0:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.6.1:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.6.2:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.6.3:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.6.4:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.6.5:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.6.6:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.6.7:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.6.8:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.6.9:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.6.10:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.6.11:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.6.12:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.6.13:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.6.14:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.4.0:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.4.1:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.4.2:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.4.3:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.4.4:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.4.5:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.4.6:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.4.7:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.4.8:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.4.9:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.4.10:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.4.11:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.4.12:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.4.13:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.2.0:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.2.1:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.2.2:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.2.3:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.2.4:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.2.5:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.2.6:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.2.7:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.2.8:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.2.9:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.2.10:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.2.11:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.2.12:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.2.13:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.2.14:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.2.15:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.0.0:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.0.1:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.0.2:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.0.3:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.0.4:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.0.5:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.0.6:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.0.7:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.0.8:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.0.9:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.0.10:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.0.11:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.0.12:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.0.13:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:5.0.14:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.2.0:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.2.1:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.2.2:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.2.3:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.2.4:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.2.5:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.2.6:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.2.7:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.2.8:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.2.9:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.2.10:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.2.11:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.0.0:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.0.1:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.0.2:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.0.3:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.0.4:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.0.5:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.0.6:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.0.7:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.0.8:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.0.9:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.0.10:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.0.11:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.0.12:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.0.13:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.0.14:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.4.0:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.4.1:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.4.2:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.4.3:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.4.4:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.4.5:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.4.6:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.4.7:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.4.8:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.4.9:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:6.4.10:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:7.2.0:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:7.2.1:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:7.2.2:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:7.0.0:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:7.0.1:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:7.0.2:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:7.0.3:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:7.0.4:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:7.0.5:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:7.0.6:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortios:7.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.1.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.1.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.1.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.1.6:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.2.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.2.6:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.2.7:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.2.8:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.2.9:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.2.10:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.2.11:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.2.12:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:1.2.13:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:7.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:7.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:7.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:7.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:7.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:7.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:7.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:7.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:7.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:2.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:2.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:2.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:2.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:2.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:2.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:2.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:2.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:2.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:2.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortiproxy:2.0.10:*:*:*:*:*:*:*",
"cpe:2.3:h:fortinet:fim-7901e:-:*:*:*:*:*:*:*",
"cpe:2.3:h:fortinet:fim-7904e:-:*:*:*:*:*:*:*",
"cpe:2.3:h:fortinet:fim-7910e:-:*:*:*:*:*:*:*",
"cpe:2.3:h:fortinet:fim-7920e:-:*:*:*:*:*:*:*",
"cpe:2.3:h:fortinet:fim-7921f:-:*:*:*:*:*:*:*",
"cpe:2.3:h:fortinet:fim-7941f:-:*:*:*:*:*:*:*",
"cpe:2.3:h:fortinet:fortigate-6300f:-:*:*:*:*:*:*:*",
"cpe:2.3:h:fortinet:fortigate-6300f-dc:-:*:*:*:*:*:*:*",
"cpe:2.3:h:fortinet:fortigate-6500f:-:*:*:*:*:*:*:*",
"cpe:2.3:h:fortinet:fortigate-6500f-dc:-:*:*:*:*:*:*:*",
"cpe:2.3:h:fortinet:fortigate-6501f:-:*:*:*:*:*:*:*",
"cpe:2.3:h:fortinet:fortigate-6501f-dc:-:*:*:*:*:*:*:*",
"cpe:2.3:h:fortinet:fortigate-6601f:-:*:*:*:*:*:*:*",
"cpe:2.3:h:fortinet:fortigate-6601f-dc:-:*:*:*:*:*:*:*",
"cpe:2.3:h:fortinet:fortigate-7030e:-:*:*:*:*:*:*:*",
"cpe:2.3:h:fortinet:fortigate-7040e:-:*:*:*:*:*:*:*",
"cpe:2.3:h:fortinet:fortigate-7060e:-:*:*:*:*:*:*:*",
"cpe:2.3:h:fortinet:fortigate-7121f:-:*:*:*:*:*:*:*",
"cpe:2.3:h:fortinet:fpm-7620e:-:*:*:*:*:*:*:*",
"cpe:2.3:h:fortinet:fpm-7620f:-:*:*:*:*:*:*:*",
"cpe:2.3:h:fortinet:fpm-7630e:-:*:*:*:*:*:*:*"
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--d7cc6b5e-f357-4962-8c46-d19ceb040746",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T08:58:03.000Z",
"modified": "2023-01-13T08:58:03.000Z",
"labels": [
"misp:name=\"weakness\"",
"misp:meta-category=\"vulnerability\""
],
"x_misp_attributes": [
{
"type": "weakness",
"object_relation": "id",
"value": "CWE-787",
"category": "External analysis",
"uuid": "ce73a5c3-f26c-4be4-bd9c-ba22f2ec6270"
},
{
"type": "text",
"object_relation": "name",
"value": "Out-of-bounds Write",
"category": "Other",
"uuid": "51becf41-07bd-4e91-85d1-abbd324c6c4d"
},
{
"type": "text",
"object_relation": "status",
"value": "Draft",
"category": "Other",
"uuid": "23898f79-54d5-4df9-978f-63979a4394aa"
},
{
"type": "text",
"object_relation": "weakness-abs",
"value": "Base",
"category": "Other",
"uuid": "7d3aa669-4f64-44d5-9997-eb00ad00ea53"
}
],
"x_misp_comment": "CVE-2022-42475: Enriched via the cve_advanced module",
"x_misp_meta_category": "vulnerability",
"x_misp_name": "weakness"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--4b7f16b4-5f75-4dfb-845b-3d859bcdf633",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:03:16.000Z",
"modified": "2023-01-13T09:03:16.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/0184e3d3dd8f4778d192d07e2caf44211141a570d45bb47a87894c68ebebeabb",
"category": "External analysis",
"uuid": "0d1b4e81-b0c3-4f01-afcb-7a44502b206a"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "20/63",
"category": "External analysis",
"uuid": "f4403481-b830-4610-80f8-600e3efc7740"
}
],
"x_misp_comment": "3191cb2e06e9a30792309813793f78b6: enriched via the virustotal module.",
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--50105082-3cf7-400c-bf75-c2aabcff8a87",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:03:01.000Z",
"modified": "2023-01-13T09:03:01.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/ip_address/155.138.224.122",
"category": "External analysis",
"uuid": "b38daa57-d585-48cc-bc1d-d33c3b731e59"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "9/88",
"category": "External analysis",
"uuid": "5ed5cff5-18d0-4380-b05c-a5bf38c12680"
}
],
"x_misp_comment": "3191cb2e06e9a30792309813793f78b6: enriched via the virustotal module.",
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--622b381c-f334-4a45-bbef-aca8ca6ee335",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:02:47.000Z",
"modified": "2023-01-13T09:02:47.000Z",
"description": "3191cb2e06e9a30792309813793f78b6: enriched via the virustotal module.",
"pattern": "[domain-name:resolves_to_refs[*].value = '155.138.224.122']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:02:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--ad14186f-2ff5-4cc7-aafe-309529f30500",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:02:34.000Z",
"modified": "2023-01-13T09:02:34.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/23f2536aec6a4977a504312ff5863468ba2900fece735acd775d0ae455b4cd4d",
"category": "External analysis",
"uuid": "420f124a-51a6-47ea-b337-49001dee28cc"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "21/63",
"category": "External analysis",
"uuid": "990bc7ad-4c4b-48d7-bebc-10a56a43544a"
}
],
"x_misp_comment": "856341349dd954d82b112ba9165c4563: enriched via the virustotal module.",
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--e74e0eb4-85d1-431b-902c-5fce491462bc",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:02:20.000Z",
"modified": "2023-01-13T09:02:20.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/ip_address/107.148.27.117",
"category": "External analysis",
"uuid": "819e7750-7fa2-49dc-b68a-fee2b2de07ca"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "10/88",
"category": "External analysis",
"uuid": "066a1449-5f70-4317-bbf0-289c64bf65aa"
}
],
"x_misp_comment": "856341349dd954d82b112ba9165c4563: enriched via the virustotal module.",
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c84b8cb1-2f0a-451c-8e85-59f68705e719",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:01:59.000Z",
"modified": "2023-01-13T09:01:59.000Z",
"description": "856341349dd954d82b112ba9165c4563: enriched via the virustotal module.",
"pattern": "[domain-name:resolves_to_refs[*].value = '107.148.27.117']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:01:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--3da68ddc-8324-43fa-bbe8-f7720dc32a2b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:03:50.000Z",
"modified": "2023-01-13T09:03:50.000Z",
"labels": [
"misp:name=\"ja3\"",
"misp:meta-category=\"network\""
],
"x_misp_attributes": [
{
"type": "ja3-fingerprint-md5",
"object_relation": "ja3-fingerprint-md5",
"value": "bf2b95ac267823f6588b2436bc537b26",
"category": "Network activity",
"to_ids": true,
"uuid": "d3a8c1fb-b989-457b-806b-e48892c77942"
}
],
"x_misp_comment": "The JA3 for the malware SSL/TLS client connection appears to be unique to the malware and can be used to detect an attack.",
"x_misp_meta_category": "network",
"x_misp_name": "ja3"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9b6a958e-9b18-407c-9aac-9f1f5dfb8f5b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:05:16.000Z",
"modified": "2023-01-13T09:05:16.000Z",
"pattern": "[file:hashes.MD5 = '54bbea35b095ddfe9740df97b693627b' AND file:hashes.SHA1 = '08760cb1d322269dbe62d9a642697ac71306fbe3' AND file:hashes.SHA256 = '61aae0e18c41ec4f610676680d26f6c6e1d4d5aa4e5092e40915fe806b679cd4' AND file:hashes.SHA512 = 'c0c33975fc3338be2d18daef09f8a156f3bf2038af05b28980bdcbc855bd8875869ad904584cf822f6ebd58fdcbc39c07f5ab6fdd1e13f3cab641faf76e2c0ea' AND file:hashes.SSDEEP = '3072:MzT/0/ENklKQLrAuyaxSHC5inA+LzfLXDvbnT/r3jP7HzL/3zXvbnT/ry5:2mKQLrAuPxK1A+LzfLXDvbnT/r3jP7HQ' AND file:name = '61aae0e18c41ec4f610676680d26f6c6e1d4d5aa4e5092e40915fe806b679cd4' AND file:size = '99328' AND (file:content_ref.payload_bin = 'UEsDBBQACQAIAKhILVZe4FMKtcQAAACEAQAgABwANTRiYmVhMzViMDk1ZGRmZTk3NDBkZjk3YjY5MzYyN2JVVAkAA8wewWPMHsFjdXgLAAEEIQAAAAQhAAAAblouTwlLkTDBfu7kf8UObT+RVqtMv8YkNgE+n1lvMXO8PydPeJEZi1A7+D0x+50kT8kO4uw1b8tIi/GQ0vhxcbUUuNH4/VA2VL15XtMY0852b6Cg9j66zW5x0b86soLE6AP/FUikQFochzvpNwD5wgOvxHJn+e6Bw4gMKxkmIEwjJ9vKtr+Q7iDkpyy56QmZxMezWPvZCT3/2hbfl5OiXhqr814v0q63lFDrrKfzdn+/lUDZvrQVvIVaapq5m1uR30wU4DllYJS3WbG1Kyncw4dy6xwPB4LBKSHF2SMSgsXFlK08181fXeetSr3qsDKsev+pHdTJDaPin2n7/zrLv5pIydEmtGEBAgR9zYDQZifU59ZkGNtL6g2ieY/9PrmUWvXkwUAh+JW5m4SlRQKxJ04Ppgp4pLabUHhv0BQpAuMlGK3LXcxAq2COcDmPEx5pDzC3WiY1ejbNoHonRT63s26oPGF7yhOzSUIzzm0gtfRvxuIjYBoOJSf3+dsFHe+7ZM9X5vthvPS6pXm7qkx4Lb2sFe1TzRmRSPKEggJ1qUmay6RJbYOqVHKzl3dgOr5G65wJbeNtSn//bWgrcizO+zFSXSRMQQfKMYVrj6t/6Xkb76AWAlbp2XZOeqd4cU7EhTx6uZxiLmDPaFET6gbWzm/KD0Sv7B6hijl4h8GkUrGn01jzTG0Y2VBPZSQVTqPOJcWPNwVM2Dj9nI85w4IXzDfD4jsUBWixOnECMqOoLvRoajmutYmvCPmLlXImG/iMcMZXfGMfTFzzpInqa2qK+22VMjryyDJKyOezI8F59D2kadSpzW6eEL+z6zkj+SJhJd99fywNTi1JiUpBNgOUUkdU+ehpPZtvHmHx3tg7pGAVXzk+c7D+XzvknVgjv8LydVUUZuA19AAOKnnuXYng+qF6g8HLkBkF1H1FFIPEok4mEgz/CJJO6Idsadf/n6cy/IJLrO5cvW39kmZ0vjfWnnyPPUgY5HF1JYXdBLPI9vcNCMmoI8lN4YZtJbm4LP17Ds5Z90YWC+i61po/6I/YE7SX5iJ0utJeXnk9s7cfhR4zR95s/qHg8xfYwqC171RK827cTBb6JVajcvLqVFKghIE0KcZs+exAe4+zDfMdOT+sq07UAkam7kGf429v4IYoZmqHEhVhBtrIY8ssJ/I+6m88j4AOgaIATOcU4d7i0DGhvsrzOc7Rayylg/5VYEticiqAghOn4TK4gmNA3Mq5oxkIQX6DUBcgu5yJ2TjasOBbxOidWs7XmgFCFqGLq5NkKPhDVa7X/nSyxTXHO3LVN+Im3gf+DT+Y1L7nbGGL2cN7MQlfS1KM5VmvDGtaNDg0hxiC7dRlGVrCSijEhYIHI/YNAZ8DnC5xHLfro1NQDb2Iz+7IBpnIJbRdJ3vODO5NQQsfZvx7aee18yxTZ06nA49qxj4XFK/cSIPHiYOAk4V2txxy/V7cUmCmMZPY7gyULYz0kTFC7QJAl6shoUh7D2VaePM3KgXUdPtzyFVTUGtmeyyu0VAn2Sq3kWr0xDozPHxLy7h6nr88OQdEC254n1mz0Pl5Nsw5fCwOtukAm7rczOnzkMLzWWA0wwOlWU7fh41uIuUVZbD9e1bIa78xVHCAuh3v8Ei8DoIVn0Q0RowyvoybM+LaiTFGByRpTBOOMDFVHPXwpD99Rs6aaN9AZwmfgGtkp4+zaiwB1H5BMqzVA4QtGytPrq4Ec/Iez6rmuehl6Os4HCuSEvBdLbpSTnf2KkKlRFg7ZTHCAB/3dm0W9Dif0v5KBempnvBOxXGznCY/z5k+7jM55cycxuN4MNjgr3KK/gLSvSymHuk26xhiaDH2uVgi+CZZ7VQYM5uwkrouGdRbghysSMSaiFTarUmCcOch53B6mGetpVLsByfKjzPNANVV+iCsFAv6iM1Nc1/awvDZcSMBSCnoiogo3xwFt6gpVZOXBuEnj28NpvMoEUZXWcKM+f4kGz+eUmHI94ERR3ZjXlq6WXLo8O3uZPUOwEBHr/2kWysHmb4fn/CUngGHk11C1X4j99en9hIGa2/+qszsQXDramG6mXVZUFbgRrYqat4ZkM7gw/5Nw6IJHTtCvuOu/QlVLavazaoS0a3VvjkZXdRJUp4il3A/hhVl5FxB03xqvGUY9vmjqgrSc89QK5+PZULCvvTsw/02T9CurkbRESTCkmyIX91+fjxlzQ9sopM+0RUj13j5n0DnbZLRu3ei7N/M0JZ5olS/bWeJgS/TJfBQvF1svXtS/Xn/frMwIllh0IRBQMYM0IuRVGyQdp8EWSbc/mGhmAfnbkmJ2cCdyMVkCJ7L8nB4oEk4g5j574UggCJS8SIG48/lXWvQure9kC0r1fBccAl78f/rhjaqrrog6FNmFRYrkN2DuYdlvE1QSmEao7vVRXjRB1zBkD16BASj5daDtpI4ef0/ukQ/x3cCyolwbOVHmxTMAn5N324ovn/sN0B52qJ3aZTfNiLUlAEL7OFvsL9gvvWEwp12YwHKyV7O7HYY0fn0Viai/2Y+Or9Yu0XlvGcITn4LP1Cd272qqPj6yPnovQFMAedkvJUQfPmuGrAcRD52a8DUaM3YJekN4W2DfVdTT5xCEWEfCKAH3t3Dc4jH3pIQ0Ao3olNuN6PEBTtUWR9p5eGKpL6Wk643P6AO5liTu9EcJO9il/7OaRR6O5gUisDxVGDxH2aJzPAMlSd8hRdp8u+mv1M8Oeni+Dn52NvUp4+xCWACT/M+7ee0+CWuM5PBxbvPv8yp1rN5xTHEfNQ9suApe7I20t2VXCf4sE4jzU9n4rKcOjSDkYD3AsCRs/oxMek7Gn7v+SgIynRS8Aydegzqoz7c/yV/vl7sWPHgYwBnxLxa/DRIkN/BbLefoM+fVYcMptXVsa4DvxAUVX0RoBFewkF9DgDgYOgA+J4+QK+Af/R2L/kddmg2ScSm7gmagEhLdRlEvfNiNFhYbxU6eyxHciKGAron25QFaSIjArcYRxSaia7KWWuX9/HqdQotMlIe6DrDIXRVj3yAkfJmsv4w6XedK+/0QlyXvZG2AXQaBPgDxf4UbFBQigdtG9Xpu5sTQT9+eFAdECRMAUVQXKTX4h30HhnDBagpE2MR90LBktYl0ne6I6MTAhiu7/ZXpdAo72N23lFDu5NRZpmk7eHUxHpUFJP1rPdEiMLgXsGdUYGk3Thalv+Umh+wq+R+tWYQYbsCxuaB+qifDAjHEDAskYe93ULo3qlGO4J0VmS6scGVm5yOKhutkreW8+umQkAlUvHGYBXUywVhJ/fVAQhExu8TxVP9bcFJIrbAjxMehrw
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:05:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9ec6fbe0-8d11-447a-a038-f6b0a86b9814",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:18:36.000Z",
"modified": "2023-01-13T09:18:36.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '172.247.168.153') AND network-traffic:dst_port = '8033']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:18:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3e84fef6-6655-46a8-9a74-2e05e651c3d2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:20:17.000Z",
"modified": "2023-01-13T09:20:17.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.36.119.61') AND network-traffic:dst_port = '8443' AND network-traffic:dst_port = '444']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:20:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--32d28275-7f48-4b1e-90cc-285cbeee0a0c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:21:34.000Z",
"modified": "2023-01-13T09:21:34.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.131.189.143') AND network-traffic:dst_port = '30080' AND network-traffic:dst_port = '30081' AND network-traffic:dst_port = '30443' AND network-traffic:dst_port = '20443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:21:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4919dc52-6dd4-4e94-839a-a1f0a955c307",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:22:14.000Z",
"modified": "2023-01-13T09:22:14.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.34.130.40') AND network-traffic:dst_port = '444']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:22:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--961a77bc-6824-49ae-815c-efb178e8e1b4",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:25:25.000Z",
"modified": "2023-01-13T09:25:25.000Z",
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "state",
"value": "Malicious",
"category": "Other",
"uuid": "a746a583-7902-4cfb-8ea4-179104290eec"
},
{
"type": "text",
"object_relation": "fullpath",
"value": "/data/lib/libips.bak",
"category": "Other",
"uuid": "96d1f70a-aa11-44fe-9bae-b715d4927109"
},
{
"type": "text",
"object_relation": "fullpath",
"value": "/data/lib/libgif.so",
"category": "Other",
"uuid": "e6436492-3dc5-4bd6-815b-caa60dcad202"
},
{
"type": "text",
"object_relation": "fullpath",
"value": "/data/lib/libiptcp.so",
"category": "Other",
"uuid": "0cab46d9-5e32-4525-b21d-04f54b46cbff"
},
{
"type": "text",
"object_relation": "fullpath",
"value": "/data/lib/libipudp.so",
"category": "Other",
"uuid": "d7932f54-07a2-41bb-b81e-4608cc75d39a"
},
{
"type": "text",
"object_relation": "fullpath",
"value": "/data/lib/libjepg.so",
"category": "Other",
"uuid": "f66e9dde-c15a-45cd-bf6f-784c0457ab7b"
},
{
"type": "text",
"object_relation": "fullpath",
"value": "/var/.sslvpnconfigbk",
"category": "Other",
"uuid": "11efedea-9665-4347-88a6-b3d540aa2e8a"
},
{
"type": "text",
"object_relation": "fullpath",
"value": "/data/etc/wxd.conf",
"category": "Other",
"uuid": "622c1a0f-3d5f-49c7-8e6e-6a78248276d6"
},
{
"type": "text",
"object_relation": "fullpath",
"value": "/flash",
"category": "Other",
"uuid": "0c217051-2182-4c9f-a704-14b250a8b9f5"
}
],
"x_misp_comment": "Presence of the following artifacts in the filesystem:",
"x_misp_meta_category": "file",
"x_misp_name": "file"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3547fe3b-4672-41f8-8b87-dd3754d7aeeb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:05:16.000Z",
"modified": "2023-01-13T09:05:16.000Z",
"pattern": "[file:extensions.'windows-pebinary-ext'.number_of_sections = '9' AND file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.optional_header.address_of_entry_point = '4199600' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2021-08-26T07:13:04+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_internal_filename = 'AC file name' AND file:extensions.'windows-pebinary-ext'.x_misp_file_description = 'AC Description' AND file:extensions.'windows-pebinary-ext'.x_misp_file_version = '1.0' AND file:extensions.'windows-pebinary-ext'.x_misp_lang_id = '080904E4' AND file:extensions.'windows-pebinary-ext'.x_misp_product_name = 'AC' AND file:extensions.'windows-pebinary-ext'.x_misp_product_version = '1.0' AND file:extensions.'windows-pebinary-ext'.x_misp_company_name = 'AC Company' AND file:extensions.'windows-pebinary-ext'.x_misp_legal_copyright = 'AC copyright']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-01-13T09:05:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"pe\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--060f92b1-3a95-49fd-b14f-e33adbd2115b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:05:15.000Z",
"modified": "2023-01-13T09:05:15.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": ".text",
"category": "Other",
"uuid": "e7bb1fd2-36d5-4863-b17f-42d75904e58e"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "80896",
"category": "Other",
"uuid": "0e9f763e-140d-4d66-a757-4ac6c5df334c"
},
{
"type": "float",
"object_relation": "entropy",
"value": "6.1933439370956",
"category": "Other",
"uuid": "a112ff46-43d1-46fb-98cf-7d1b252f53a2"
},
{
"type": "md5",
"object_relation": "md5",
"value": "4b5de9374a615b76e607c1dc4d17ac72",
"category": "Payload delivery",
"to_ids": true,
"uuid": "727306a3-783a-45b8-ae8e-48dc9139cadd"
},
{
"type": "sha1",
"object_relation": "sha1",
"value": "92a4ea254751b960250b21d8f8e947eb769ef01a",
"category": "Payload delivery",
"to_ids": true,
"uuid": "34c210a9-8b14-4068-8aa7-2a056825a360"
},
{
"type": "sha256",
"object_relation": "sha256",
"value": "5f826a78d3d88061f3f7e3281ffc41b37a8071a217cd15b584e4f6edd909b23c",
"category": "Payload delivery",
"to_ids": true,
"uuid": "8d7dbb00-c7ce-4bf9-ae08-82f90440ae70"
},
{
"type": "sha512",
"object_relation": "sha512",
"value": "b208b7a03e8036c27f09f43fc1f46fa7343c3a62efe0aa554908ac6426df1783d694638e135ef71b85cb8544e4da37d6a03cb6e923848a492016d688f1ddf5a2",
"category": "Payload delivery",
"to_ids": true,
"uuid": "d02b29e1-aaa0-49c9-8df8-82f6fe67bcbe"
},
{
"type": "ssdeep",
"object_relation": "ssdeep",
"value": "1536:MzT7zQBr/zINrQlKQLvTYZuyjOzNSHCCiin0F7KLzfLXDvbnT/r3jP7HzL/3zXvW:MzT/0/ENklKQLrAuyaxSHC5inA+LzfL6",
"category": "Payload delivery",
"to_ids": true,
"uuid": "04c733f2-a876-4fc5-a5ce-5dbb1bdf9728"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--2f9cb5df-616d-4aa3-b759-2312259e013a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:05:15.000Z",
"modified": "2023-01-13T09:05:15.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": ".data",
"category": "Other",
"uuid": "3d0c000e-3d10-41ac-98d0-edfed05c7848"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "2560",
"category": "Other",
"uuid": "e9661fd2-6e1e-4e68-9851-4ea518ec3d89"
},
{
"type": "float",
"object_relation": "entropy",
"value": "0.6540748833811",
"category": "Other",
"uuid": "9dbc8653-6947-4fd8-981c-99ed03427aa6"
},
{
"type": "md5",
"object_relation": "md5",
"value": "7ea63e83e1c0f8b6dc4ef536699484dd",
"category": "Payload delivery",
"to_ids": true,
"uuid": "0ba25daf-1ff1-4b72-8972-446c93b893f7"
},
{
"type": "sha1",
"object_relation": "sha1",
"value": "3326c3c5793f7f3510ef415f14b3db4b62e27bd2",
"category": "Payload delivery",
"to_ids": true,
"uuid": "4bb3fd53-5738-45a3-a935-0f7944bb9c1b"
},
{
"type": "sha256",
"object_relation": "sha256",
"value": "89ec50c88cda5557005116ac06d514df68f12d2c0bf29773b20589814ab9723f",
"category": "Payload delivery",
"to_ids": true,
"uuid": "c0c6126e-0ddf-47ed-92bf-fee96c54251a"
},
{
"type": "sha512",
"object_relation": "sha512",
"value": "09403f1bf4e83bb72db252de42b2c8bddd29ba99557115466f02ac668b6d6074a0883f597f6c0e7613bf00900af6163a1ee0a204a09bcb1e497c2a8eb29664d5",
"category": "Payload delivery",
"to_ids": true,
"uuid": "6f53837d-928a-4b54-84fa-99a6b11e538c"
},
{
"type": "ssdeep",
"object_relation": "ssdeep",
"value": "6:Xmt/eLtlMQQ/wm+RxlXOfUKjyipKR9jHUAj/k1Aj/k1qa6Ul:XmtGplsF+Rj7xfkAA1AA19",
"category": "Payload delivery",
"to_ids": true,
"uuid": "cc8db82e-412d-418e-bb6e-9d8f95b5d023"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--a8529e6e-6cfa-4786-a272-086dc1106dd2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:05:15.000Z",
"modified": "2023-01-13T09:05:15.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": ".rdata",
"category": "Other",
"uuid": "b8384a3d-3278-4c86-9614-6b1dd8ebd607"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "5120",
"category": "Other",
"uuid": "282e9121-898f-461b-89fe-ee74a686dca6"
},
{
"type": "float",
"object_relation": "entropy",
"value": "5.4635139902349",
"category": "Other",
"uuid": "2f687329-70e3-4cb4-994c-f2ae46f0145a"
},
{
"type": "md5",
"object_relation": "md5",
"value": "e4c9d495339c4a934cc1b935660e0e38",
"category": "Payload delivery",
"to_ids": true,
"uuid": "01b4507e-7822-4c32-bbef-f38583f11150"
},
{
"type": "sha1",
"object_relation": "sha1",
"value": "037f98546890d032d441763d9e3bc1de54ffbbc0",
"category": "Payload delivery",
"to_ids": true,
"uuid": "805c0a79-84ce-4578-8e1b-3efbadf1e1ce"
},
{
"type": "sha256",
"object_relation": "sha256",
"value": "336ea8b9b38f4d53ad336eec0b0e1e03b59955194a5f37a15b0ae1fc80b4f061",
"category": "Payload delivery",
"to_ids": true,
"uuid": "6bef110b-bb2c-40db-ac48-e28e7d72720c"
},
{
"type": "sha512",
"object_relation": "sha512",
"value": "3bf3cac0891b015a26d18090219d445c48bbdc89eeac878cfcffb393b8b33296317aa7bc5f12d6f1498429807424f8c3e3ab249b273b270607bbffe83b5f9a75",
"category": "Payload delivery",
"to_ids": true,
"uuid": "8c0a496f-5a62-4c16-99c7-8843cd2f87e0"
},
{
"type": "ssdeep",
"object_relation": "ssdeep",
"value": "48:X65hlRWXMFfHP7BEP+sx4OQQuQv2qjr5vh8MMy9D/DtyGbBbBbBbBbBbBbBbBbBP:qLrmMF/SP+GuQv2qHLd9DhX",
"category": "Payload delivery",
"to_ids": true,
"uuid": "960db690-e673-43f1-bbda-24285d0d0b99"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--c10402d1-6766-4ab4-8509-f157c123b61c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:05:15.000Z",
"modified": "2023-01-13T09:05:15.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": ".bss",
"category": "Other",
"uuid": "7c2df5c6-4b3f-4d1c-a5f7-823cfe281da7"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "0",
"category": "Other",
"uuid": "15dfb76d-f355-49f3-97dc-bc3c45d830df"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--b3922ef0-5926-4bcf-b1c5-622a6742dcec",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:05:15.000Z",
"modified": "2023-01-13T09:05:15.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": ".idata",
"category": "Other",
"uuid": "98de02a5-8133-4375-b702-f606b6efcd48"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "4096",
"category": "Other",
"uuid": "f1e21f9f-3e57-49c0-8bd2-02694064057e"
},
{
"type": "float",
"object_relation": "entropy",
"value": "5.2099581938208",
"category": "Other",
"uuid": "4edf59fd-77c7-4da0-9654-140008f38358"
},
{
"type": "md5",
"object_relation": "md5",
"value": "4f2bf103dfcc95692a488edab688bbc7",
"category": "Payload delivery",
"to_ids": true,
"uuid": "1ad115ba-9135-48b2-aa20-803f6cc64c5c"
},
{
"type": "sha1",
"object_relation": "sha1",
"value": "b2d25fd8efd7b824c2912a9f80c918fe1f11952d",
"category": "Payload delivery",
"to_ids": true,
"uuid": "dc32eb3c-6165-443e-89cf-20fab39e55be"
},
{
"type": "sha256",
"object_relation": "sha256",
"value": "f60d590bc286bc3357f693500e25f8d13699f93402c384ea3354ee694ad6abb2",
"category": "Payload delivery",
"to_ids": true,
"uuid": "96713c7e-9b9d-4d42-8be7-0e9ce32d592d"
},
{
"type": "sha512",
"object_relation": "sha512",
"value": "b9a44e91d89c9586694f575a54eb41db7e2dc7f1097a1470470e6df077747c024dae28ae828b572e400d35e0b0957b31f3e54fd8f2a9f5fc64e6f1729fbe423d",
"category": "Payload delivery",
"to_ids": true,
"uuid": "f7625501-88f3-47b8-9622-94aed9790d12"
},
{
"type": "ssdeep",
"object_relation": "ssdeep",
"value": "48:VYTBshkXzByshkXzByr3mPWXEDll6GraRBTuyK1uA9GFDkcMUuRVxGp:yy4W+s/zuBTfK1uA9SDkcMUuRVq",
"category": "Payload delivery",
"to_ids": true,
"uuid": "78dfc026-71fe-49b7-9474-b5face8bf6c0"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--1d1e1173-a0cf-4808-a2ee-51234b20e355",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:05:15.000Z",
"modified": "2023-01-13T09:05:15.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": ".CRT",
"category": "Other",
"uuid": "f06bd361-ad6e-4779-8862-a9fd1abee749"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "512",
"category": "Other",
"uuid": "50f064df-82de-4a32-818c-1a71f6092f29"
},
{
"type": "float",
"object_relation": "entropy",
"value": "1.6185253040527",
"category": "Other",
"uuid": "3ea9ab4b-e55d-42d5-9939-f1e5defefeeb"
},
{
"type": "md5",
"object_relation": "md5",
"value": "3312975753899c136a2cba9b13c60ad0",
"category": "Payload delivery",
"to_ids": true,
"uuid": "4bbcbe4d-06d5-4b3f-80b7-7c5e21d0a4dd"
},
{
"type": "sha1",
"object_relation": "sha1",
"value": "6bb845d70432ae6f16002393f1ed36d3f5ff826e",
"category": "Payload delivery",
"to_ids": true,
"uuid": "2db1b968-e3a6-47d0-bd2f-56f7edcc1ba1"
},
{
"type": "sha256",
"object_relation": "sha256",
"value": "fc607709d7ac5011094efd7565647ad4dfd793c9f57a0e949f25bf2d241fcbad",
"category": "Payload delivery",
"to_ids": true,
"uuid": "f08350ee-0eb2-4811-84a0-628cf2cbd6a8"
},
{
"type": "sha512",
"object_relation": "sha512",
"value": "16ce5aeea206f79e4b26341705b451df52c492bbd7ca0d7bab47e9d3230f881a36d5ab27311f56d4dc4f580951eda3759e978b1db2240283762e44f13509da7c",
"category": "Payload delivery",
"to_ids": true,
"uuid": "155f634e-fa59-47d6-b9cf-a620f7f498f0"
},
{
"type": "ssdeep",
"object_relation": "ssdeep",
"value": "3:+/tdFllXl6ltl/ll:N",
"category": "Payload delivery",
"to_ids": true,
"uuid": "9b3ab4e9-16f3-4e3e-8628-ddadc03dd9f9"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--2c07d192-0cfc-44d7-a50d-ba5e19f39d8a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:06:37.000Z",
"modified": "2023-01-13T09:06:37.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": ".tls",
"category": "Other",
"uuid": "e6a28091-a0f1-4178-9cc8-523ade686c07"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "512",
"category": "Other",
"uuid": "eccebb87-6d3e-4670-9d2d-72516cdf095f"
},
{
"type": "md5",
"object_relation": "md5",
"value": "7dea362b3fac8e00956a4952a3d4f474",
"category": "Payload delivery",
"uuid": "f9496589-7caf-4f02-ad9d-6d6efd4507f6"
},
{
"type": "sha1",
"object_relation": "sha1",
"value": "05fe405753166f125559e7c9ac558654f107c7e9",
"category": "Payload delivery",
"uuid": "4dab0373-5c41-49f9-8c6c-fb9eac072c8b"
},
{
"type": "sha256",
"object_relation": "sha256",
"value": "af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc",
"category": "Payload delivery",
"uuid": "33ffc6c1-6f6c-48ae-b896-329f05ad4e04"
},
{
"type": "sha512",
"object_relation": "sha512",
"value": "1b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b",
"category": "Payload delivery",
"uuid": "8583b84e-ed12-4cb1-8b74-4424a17fbe2f"
},
{
"type": "ssdeep",
"object_relation": "ssdeep",
"value": "3::",
"category": "Payload delivery",
"uuid": "caa672a1-4b89-4110-b2de-2a070e98de05"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--3b93ed78-8588-44e1-9900-13cfd51d57e8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:05:15.000Z",
"modified": "2023-01-13T09:05:15.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": ".rsrc",
"category": "Other",
"uuid": "225b9a26-fcd0-4ec1-bb00-7dd968a65f4d"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "2048",
"category": "Other",
"uuid": "16d1c894-557a-4a9f-870f-0329d9c8b812"
},
{
"type": "float",
"object_relation": "entropy",
"value": "4.6724534459793",
"category": "Other",
"uuid": "aa3f4d55-21af-40b0-bce3-96f4a4a3d2e0"
},
{
"type": "md5",
"object_relation": "md5",
"value": "e3e643d996d7a5984b5ac6bea5f8ad4b",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5f0c4135-154a-4043-b185-84f4f4b73312"
},
{
"type": "sha1",
"object_relation": "sha1",
"value": "d6d79694a79924624fcc1f89853e45cc0024d1e4",
"category": "Payload delivery",
"to_ids": true,
"uuid": "e829e0d5-917c-470f-8d25-bf519aa053a8"
},
{
"type": "sha256",
"object_relation": "sha256",
"value": "10fa569b3cf75ff21ea3b433416d16d9ff53bb127bcb8dfe24b4aea6bea0b684",
"category": "Payload delivery",
"to_ids": true,
"uuid": "a7080397-14dc-418f-8f61-de80d7827b5b"
},
{
"type": "sha512",
"object_relation": "sha512",
"value": "20085231c5480a9c6617d05b3d028f492a8f48f1b18bf6be5826ffa01774e696c283df4fbbc77a7f978d7f49c7155065419db2e2613a833d5c3b5b98842157ca",
"category": "Payload delivery",
"to_ids": true,
"uuid": "c3383d8c-346f-441b-a23b-ed97f7e90608"
},
{
"type": "ssdeep",
"object_relation": "ssdeep",
"value": "24:b9pGZeFVJprKNZ1bh3lCPNWredtn3tcuf3hwcK:Bp/FVnrcLbRlOBh3tThi",
"category": "Payload delivery",
"to_ids": true,
"uuid": "2f2b6635-98d9-488a-997a-9a0d7aebdb25"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--47345dc1-759f-4d34-997a-79c8a0ff8600",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:05:16.000Z",
"modified": "2023-01-13T09:05:16.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": ".reloc",
"category": "Other",
"uuid": "a1fe38da-7f11-444f-8ff2-66b76715dbba"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "2560",
"category": "Other",
"uuid": "ad77b0b6-cc28-48b1-9f59-bffed8093589"
},
{
"type": "float",
"object_relation": "entropy",
"value": "6.5454664509897",
"category": "Other",
"uuid": "5f4c2d8e-ebb8-46a6-80b3-c2fe6d85ed27"
},
{
"type": "md5",
"object_relation": "md5",
"value": "927d3c8f39932c4903ce0ae8dc4d7abb",
"category": "Payload delivery",
"to_ids": true,
"uuid": "21de482b-a7cf-4762-a839-d28ac606e45c"
},
{
"type": "sha1",
"object_relation": "sha1",
"value": "512ed9db2fe4151324abf949d70deb3fe4566a66",
"category": "Payload delivery",
"to_ids": true,
"uuid": "850e849c-073d-4850-9af2-169e36f697dc"
},
{
"type": "sha256",
"object_relation": "sha256",
"value": "a9506a3cbf332502d62d7b7fc0849fde3809545a75d911e9cae9268fa143b32c",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5f4e9726-098a-4733-8d67-0478a381b09a"
},
{
"type": "sha512",
"object_relation": "sha512",
"value": "2263a71d4f9ee005ed301020ae0e0d974003a39d481f4a82b6899a47847888969a6d66b7c585598307c14c83cc97f744b6f2dc0158426e2628ed02114ac5f338",
"category": "Payload delivery",
"to_ids": true,
"uuid": "ff7530a2-7124-412c-98c8-c409141da557"
},
{
"type": "ssdeep",
"object_relation": "ssdeep",
"value": "48:+BXwIRwsB3qZRyxbFCh3vvvbvXIdruBHnHofSX3X3X:+1wIRwsWGCzvXk8HofSnH",
"category": "Payload delivery",
"to_ids": true,
"uuid": "25566b15-5d61-46a8-a2bd-4767edcfd05b"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
2023-05-19 09:05:37 +00:00
{
"type": "note",
"spec_version": "2.1",
"id": "note--54ae3ae3-3b28-48d2-8aa3-b65955287a9d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-01-13T09:30:53.000Z",
"modified": "2023-01-13T09:30:53.000Z",
"abstract": "Report from - https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd (1673602179)",
"content": "# PSIRT Blogs\r\n\r\n # Analysis of FG-IR-22-398 \u2013 FortiOS - heap-based buffer overflow in SSLVPNd\r\n By Carl Windsor, Guillaume Lovet, Hongkei Chan, and Alex Kong | January 11, 2023 **Affected Platforms:** FortiOS \r\n \r\n **Impacted Users:** Government &large organizations \r\n **Impact:** Data loss and OS and file corruption \r\n **Severity Level:** High\r\n\r\n Fortinet has published CVSS: Critical advisory FG-IR-22-398 / CVE-2022-42475 on Dec 12, 2022. The following writeup details our initial investigation into this malware and additional IoCs identified during our ongoing analysis.\r\n\r\n ## Executive Summary\r\n\r\n \r\n * Multiple additional IoCs have been uncovered related to the incident FG-IR-22-398 / CVE-2022-42475\r\n * The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets.\r\n \r\n ## Incident Analysis\r\n\r\n As mentioned in the advisory, we detected this issue in the wild and were able to collect a sample of the malware along with related network traffic.\r\n\r\n The malware was a variant of a generic Linux implant customized for FortiOS. The following information was gathered during the forensic filesystem and binary analysis of the received appliance.\r\n\r\n **Libips.bak**\r\n\r\n The suspicious binary was located at */data/lib/libips.bak*. This file may be masquerading as a component of Fortinet\u2019s IPS Engine, located at /data/lib/libips.so. The file /data/lib/libips.so was present, but with a zero file size.\r\n\r\n Here is an image of the /data/lib directory:\r\n\r\n **Libgif.so, libips.bak,** and **libiptcp.so** are not part of any FortiOS components or processes.\r\n\r\n **Libips.bak** appears to be a trojanized version of the IPS Engine, typically located at ***/data/lib/libips.so*.** A diff comparing ***libips.bak*** with a clean **libips.so** from the same FortiOS build was performed. Up to about the 0x1900 byte mark, the files differ. After that point, the files are identical. Below is a screenshot of **libips.bak** (top) and the clean **libips.so** (bottom). ***libips.bak*** contains data where **libips.so** does not.\r\n\r\n After the first ~0x1900 bytes, the files are identical.\r\n\r\n **Libips.bak** exports the functions **ips\\_so\\_patch\\_urldb** and **ips\\_so\\_query\\_interface**. These are the same exports in the clean IPS engine binary, libips.so. Both exported functions lead to the same malicious code. If **libps.bak** is named libips.so in the **/data/lib** directory, the malicious code will be executed automatically as components of FortiOS will call these exported functions. The binary does not attempt to return to the clean IPS engine code, so IPS functionality is also compromised. Below is an example export function that immediately calls the malicious code.\r\n\r\n The primary malicious code is shown below.\r\n\r\n The malicious code begins by looping through file descriptors from 3 to 255. If it can duplicate the file descriptors, it will close both the duplicate and original descriptors.\r\n\r\n Next, it will read from **/data/lib/libiptcp.so** and write the data to **/data/lib/libjepg.so. /data/lib/libjepg.so** is renamed as **/data/lib/libips.so. fork()** andis used multiple times initially as an anti-debugging technique.\r\n\r\n It then calls **fork()** once more. The child process reads from **/data/lib/libgif.so** and writes that data to **/data/lib/libjepg.so. /data/lib/libjepg.so** is then renamed as **/data/lib/libips.so.**\r\n\r\n The parent process checks for read access to **/var/.sslvpnconfigbk**. This file is opened, then closed immediately. Finally, **/data/lib/libipudp.so** is executed with the argument **\"/data/lib/libipudp.so\"**.\r\n\r\n The files referenced in this code\u2014**libiptcp.so, libgif.so, .sslvpnconfigbk,** and **libipudp.so\u2014**could not be recovered.\r\n\r\n **Wxd.conf**\r\n\r\n The format of this config file is similar to that of \"Fa
"object_refs": [
"report--042a4478-fe19-4ed0-a309-b96da3542a95"
]
},
2023-04-21 14:44:17 +00:00
{
"type": "relationship",
"spec_version": "2.1",
2024-04-05 12:15:17 +00:00
"id": "relationship--791c092b-385b-4338-be9e-047db16c6177",
2023-04-21 14:44:17 +00:00
"created": "2023-01-13T08:58:03.000Z",
"modified": "2023-01-13T08:58:03.000Z",
"relationship_type": "related-to",
"source_ref": "vulnerability--0dc13dec-e5ab-4c09-8811-41e9a45dbb9e",
"target_ref": "vulnerability--48f4d58c-85aa-4048-ac46-852d2ce4a23f"
},
{
"type": "relationship",
"spec_version": "2.1",
2024-04-05 12:15:17 +00:00
"id": "relationship--f8a5d897-e7d1-4ff5-9b52-b2568c19868d",
2023-04-21 14:44:17 +00:00
"created": "2023-01-13T08:58:03.000Z",
"modified": "2023-01-13T08:58:03.000Z",
"relationship_type": "weakened-by",
"source_ref": "vulnerability--0dc13dec-e5ab-4c09-8811-41e9a45dbb9e",
"target_ref": "x-misp-object--d7cc6b5e-f357-4962-8c46-d19ceb040746"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}