adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/2e29b34e-9558-46ba-96b2-211295ece344.json

1480 lines
296 KiB
JSON
Raw Normal View History

chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--2e29b34e-9558-46ba-96b2-211295ece344",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T11:21:12.000Z",
"modified": "2021-02-04T11:21:12.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--2e29b34e-9558-46ba-96b2-211295ece344",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T11:21:12.000Z",
"modified": "2021-02-04T11:21:12.000Z",
"name": "OSINT - Hildegard: New TeamTNT Malware Targeting Kubernetes",
"published": "2021-02-04T11:21:39Z",
"object_refs": [
"indicator--176f9db1-1f95-4ea1-998a-7d0253d6d45f",
"indicator--ea90cee2-3338-459b-bf2e-8f84edd9c74d",
"indicator--4f61af6e-155f-46bd-ad05-8ef20e4ca408",
"indicator--740ba33d-f828-4737-a56f-303cfcd290f5",
"indicator--2062baa3-04a0-4feb-9623-842a1aafec3c",
"indicator--d335ffab-1b09-4ece-a139-43524c9a871a",
"indicator--ccd37fe0-a473-4e9c-acb0-55f7dc917a66",
"indicator--85a67a9c-b76a-424c-8fd7-fd2f413deafd",
"indicator--282fc55b-627c-4d5e-9342-1af5184ddb5a",
"indicator--bdeca9c5-acfc-482a-973f-80386ddc837f",
"indicator--5d9e3240-96da-40be-866a-ea3fc431a40e",
"indicator--afa6e590-1959-4c42-b77e-1fd4a9896826",
"indicator--a5e1d11b-0f73-4cf4-b3ef-b8e723e6d30a",
"indicator--2c26666d-b912-4e8a-9f68-803f0b824429",
"indicator--c939eb92-cd87-408a-b2c1-5c25430c0470",
"indicator--33821510-4992-4ecb-84e9-1d320038a927",
"indicator--5ecf50d7-0d07-4c15-844a-6d2954367bc3",
"indicator--06a70163-a39c-4f54-bbdb-a87a814f1c99",
"indicator--49958838-8ef3-42ca-8053-92baf705789a",
"indicator--e309ca78-38e1-4c9a-ab77-b42459ff8396",
"indicator--778de61f-d6d7-4c20-9eb1-c75d829a3c4c",
"indicator--72ed2178-2db5-4c4f-a3b6-ec0f2dfe8855",
"indicator--e3c384cd-1c89-4a4b-a874-1652562a02b8",
"indicator--6020f6d1-af71-4e4a-8a12-225c0242d370",
"indicator--dfb15087-2708-4da2-9b47-298071b8304d",
"indicator--a086e984-6da5-4f73-8030-469f98c3227c",
"x-misp-object--94c1c886-20de-4707-b937-40b85b53bd3f",
"indicator--d5ed01ea-338f-445b-90e6-e5344378aa83",
"x-misp-object--62edf8d4-05c9-4862-8d42-f8a4806a36bc",
"indicator--387943cb-ee93-42dd-98b0-2c27066365df",
"x-misp-object--10416647-701f-4247-93af-3e201abed9b2",
"indicator--13c55aeb-731f-4f9f-bed7-54bc16691ee0",
"x-misp-object--663a8f21-2bf4-499e-9f5c-ba6bd04faa87",
"indicator--1cc03dbc-d46a-4ee2-aef9-82cc7ef7c97a",
"x-misp-object--1247892f-3395-4415-933b-581bc19ca772",
"indicator--0c47742b-164b-4df9-8c71-ef7acafe77cc",
"x-misp-object--7454fe7f-f8e1-45bc-acb5-b270c3d9d93d",
"indicator--b7657286-0c79-4c4e-9e45-b5c47795b70e",
"x-misp-object--16f3ee0a-c011-439f-8bf5-2f88b5671de2",
"indicator--cd4e86bb-5672-428e-ad55-00bd5ec27323",
"x-misp-object--31ac78bf-1fb8-40f3-8c88-a6f5c1c1ed9c",
"indicator--172dce95-5a65-4cf0-b710-277a5832b326",
"x-misp-object--cd6c16c4-35f5-474c-b49d-e5d213880efc",
"indicator--de8d5991-babe-4c5d-9343-0a1bd17eaba9",
"x-misp-object--a38d8b07-b456-42ae-b58a-036d656a2a25",
"indicator--3b265851-d607-41db-883a-3cdf383f8c65",
"x-misp-object--383195f4-cd06-40ad-b1f9-8a3f078d3c81",
"x-misp-object--4a242786-2019-442c-a76c-a9b208d7a3c3",
chg: [export] updated
2023-05-19 09:05:37 +00:00
"note--2b0419ad-bb80-44c9-895c-eb6d227715f7",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"relationship--1f719788-4295-4109-bc96-6fbccdbced71",
"relationship--d1592dbc-b397-4ef3-862f-6015c4bf79ec",
"relationship--b0260e5d-e9ba-4fb5-a032-5ae84f04e7d2",
"relationship--d080e640-a14f-48ec-ba98-4c865b64203d",
"relationship--4c64cc00-f01c-43a8-9f7c-2983a49f91b5",
"relationship--8dfb29d2-17a6-49b5-80a2-7c118088f854",
"relationship--396e7b50-305e-4581-8a19-968c4cd52741",
"relationship--56a9a8de-385e-4fd7-b87b-f3df6f8b1c72",
"relationship--81bf0673-cccb-48c8-aa04-f6eaf4bdaa6a",
"relationship--26124060-62b9-4bc4-88cb-27b61829ad29"
chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--176f9db1-1f95-4ea1-998a-7d0253d6d45f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T08:58:34.000Z",
"modified": "2021-02-04T08:58:34.000Z",
"description": "This machine hosts malicious files used in the campaign and receives the collected data to this C2.\r\nHosted files: TDGG, api.key, tmate, tt.sh, sGAU.sh, t.sh, x86_64.so, xmr.sh, xmrig, xmrig.so, ziggy, xmr3.assi",
"pattern": "[domain-name:value = 'the.borg.wtf' AND domain-name:resolves_to_refs[*].value = '45.9.150.36']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T08:58:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ea90cee2-3338-459b-bf2e-8f84edd9c74d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T08:59:13.000Z",
"modified": "2021-02-04T08:59:13.000Z",
"description": "The malware connects to this IP to obtain the victim host\u2019s public IP.\r\n",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '147.75.47.199')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T08:59:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4f61af6e-155f-46bd-ad05-8ef20e4ca408",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:00:11.000Z",
"modified": "2021-02-04T09:00:11.000Z",
"description": "This host hosts malicious scripts and binaries.\r\nHosted files: pei.sh, pei64.",
"pattern": "[domain-name:value = 'teamtnt.red' AND domain-name:resolves_to_refs[*].value = '45.9.148.108']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:00:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--740ba33d-f828-4737-a56f-303cfcd290f5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:00:59.000Z",
"modified": "2021-02-04T09:00:59.000Z",
"description": "This host hosts malicious scripts and binaries.\r\nHosted files: aws2.sh",
"pattern": "[domain-name:value = 'borg.wtf' AND domain-name:resolves_to_refs[*].value = '45.9.148.108']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:00:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2062baa3-04a0-4feb-9623-842a1aafec3c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:01:53.000Z",
"modified": "2021-02-04T09:01:53.000Z",
"description": "This host is one of the C2s. It runs an IRC server on port 6667.\r\n",
"pattern": "[domain-name:value = 'irc.borg.wtf' AND domain-name:resolves_to_refs[*].value = '123.245.9.147']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:01:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d335ffab-1b09-4ece-a139-43524c9a871a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:02:43.000Z",
"modified": "2021-02-04T09:02:43.000Z",
"description": "This host is one of the C2s. It runs an IRC server on port 6667.\r\n",
"pattern": "[domain-name:value = 'sampwn.anondns.net' AND domain-name:resolves_to_refs[*].value = '13.245.9.147']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:02:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ccd37fe0-a473-4e9c-acb0-55f7dc917a66",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:03:16.000Z",
"modified": "2021-02-04T09:03:16.000Z",
"description": "This host is one of the C2s. It runs an IRC server on port 6667.\r\n",
"pattern": "[domain-name:resolves_to_refs[*].value = '164.68.106.96']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:03:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--85a67a9c-b76a-424c-8fd7-fd2f413deafd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:03:47.000Z",
"modified": "2021-02-04T09:03:47.000Z",
"description": "This host is one of the C2s. It runs an IRC server on port 6667.\r\n",
"pattern": "[domain-name:resolves_to_refs[*].value = '62.234.121.105']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:03:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--282fc55b-627c-4d5e-9342-1af5184ddb5a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:59:06.000Z",
"modified": "2021-02-04T09:59:06.000Z",
"pattern": "[file:hashes.SHA256 = '2c1528253656ac09c7473911b24b243f083e60b98a19ba1bbb050979a1f38a0f' AND file:name = 'TDGGi' AND file:x_misp_text = 'script\tThis script downloads and executes tt.sh.']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:59:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--bdeca9c5-acfc-482a-973f-80386ddc837f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:59:06.000Z",
"modified": "2021-02-04T09:59:06.000Z",
"pattern": "[file:hashes.SHA256 = '2cde98579162ab165623241719b2ab33ac40f0b5d0a8ba7e7067c7aebc530172' AND file:name = 'tt.sh' AND file:x_misp_text = 'script\tThis script downloads and runs tmate. It collects system information from the victim\u2019s host and sends the collected data to C2(45.9.150[.]36)']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:59:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d9e3240-96da-40be-866a-ea3fc431a40e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:59:07.000Z",
"modified": "2021-02-04T09:59:07.000Z",
"pattern": "[file:hashes.SHA256 = 'b34df4b273b3bedaab531be46a0780d97b87588e93c1818158a47f7add8c7204' AND file:name = 'api.key' AND file:x_misp_text = 'text\tThe API key is used for creating a named tmate session from the compromised containers.']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:59:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--afa6e590-1959-4c42-b77e-1fd4a9896826",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:59:07.000Z",
"modified": "2021-02-04T09:59:07.000Z",
"pattern": "[file:hashes.SHA256 = 'd2fff992e40ce18ff81b9a92fa1cb93a56fb5a82c1cc428204552d8dfa1bc04f' AND file:name = 'tmate' AND file:x_misp_text = 'ELF\ttmate v2.4.0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:59:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a5e1d11b-0f73-4cf4-b3ef-b8e723e6d30a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:59:07.000Z",
"modified": "2021-02-04T09:59:07.000Z",
"pattern": "[file:hashes.SHA256 = '74e3ccaea4df277e1a9c458a671db74aa47630928a7825f75994756512b09d64' AND file:name = 'sGAU.sh' AND file:x_misp_text = 'script\tThis script downloads and installs masscan. It scans Kubernetes\u2019 internal IP Kubelets running on port 10250. If masscan finds an exploitable Kubelet']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:59:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2c26666d-b912-4e8a-9f68-803f0b824429",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:59:07.000Z",
"modified": "2021-02-04T09:59:07.000Z",
"pattern": "[file:hashes.SHA256 = '8e33496ea00218c07145396c6bcf3e25f4e38a1061f807d2d3653497a291348c' AND file:name = 'kshell' AND file:x_misp_text = 'script\tThe script performs remote code execution in containers via Kubelet\u2019s API. It also downloads and executes xmr.sh in a target container.']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:59:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c939eb92-cd87-408a-b2c1-5c25430c0470",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:59:07.000Z",
"modified": "2021-02-04T09:59:07.000Z",
"pattern": "[file:hashes.SHA256 = '518a19aa2c3c9f895efa0d130e6355af5b5d7edf28e2a2d9b944aa358c23d887' AND file:name = 'install_monerod.bash' AND file:x_misp_text = 'script\tThe script is hosted in this Github repo. It pulls and builds the official monero project. It then creates a user named \u201cmonerodaemon\u201d and starts the monero service.']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:59:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--33821510-4992-4ecb-84e9-1d320038a927",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:59:07.000Z",
"modified": "2021-02-04T09:59:07.000Z",
"pattern": "[file:hashes.SHA256 = '5923f20010cb7c1d59aab36ba41c84cd20c25c6e64aace65dc8243ea827b537b' AND file:name = 'setup_moneroocean_miner.sh' AND file:x_misp_text = 'script\tThe script is hosted in this Github repo. It pulls and runs the MoneroOcean advanced version of xmrig.']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:59:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ecf50d7-0d07-4c15-844a-6d2954367bc3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:59:07.000Z",
"modified": "2021-02-04T09:59:07.000Z",
"pattern": "[file:hashes.SHA256 = 'a22c2a6c2fdc5f5b962d2534aaae10d4de0379c9872f07aa10c77210ca652fa9' AND file:name = 'xmrig' AND file:x_misp_text = '(oneroocean)\tELF\txmrig 6.7.2-mo3. This binary is hosted in MoneroOcean/xmrig Github repo.']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:59:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--06a70163-a39c-4f54-bbdb-a87a814f1c99",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:59:07.000Z",
"modified": "2021-02-04T09:59:07.000Z",
"pattern": "[file:hashes.SHA256 = 'ee6dbbf85a3bb301a2e448c7fddaa4c1c6f234a8c75597ee766c66f52540d015' AND file:name = 'pei.sh' AND file:x_misp_text = 'script\tThis script downloads and executes pei64 or pei32']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:59:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--49958838-8ef3-42ca-8053-92baf705789a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:59:08.000Z",
"modified": "2021-02-04T09:59:08.000Z",
"pattern": "[file:hashes.SHA256 = '937842811b9e2eb87c4c19354a1a790315f2669eea58b63264f751de4da5438d' AND file:name = 'pei64' AND file:x_misp_text = 'ELF\tThis is a Kubernetes penetration tool from the peirates project. The tool is capable of escalating privilege and pivoting through the Kubernetes cluster.']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:59:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e309ca78-38e1-4c9a-ab77-b42459ff8396",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:59:08.000Z",
"modified": "2021-02-04T09:59:08.000Z",
"pattern": "[file:hashes.SHA256 = '72cff62d801c5bcb185aa299eb26f417aad843e617cf9c39c69f9dde6eb82742' AND file:name = 'pei32' AND file:x_misp_text = 'ELF\tSame as pei64']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:59:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--778de61f-d6d7-4c20-9eb1-c75d829a3c4c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:59:08.000Z",
"modified": "2021-02-04T09:59:08.000Z",
"pattern": "[file:hashes.SHA256 = '12c5c5d556394aa107a433144c185a686aba3bb44389b7241d84bea766e2aea3' AND file:name = 'xmr3.assi' AND file:x_misp_text = 'script\tThe script downloads and runs aws2.sh']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:59:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--72ed2178-2db5-4c4f-a3b6-ec0f2dfe8855",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:59:08.000Z",
"modified": "2021-02-04T09:59:08.000Z",
"pattern": "[file:hashes.SHA256 = '053318adb15cf23075f737daa153b81ab8bd0f2958fa81cd85336ecdf3d7de4e' AND file:name = 'aws2.sh' AND file:x_misp_text = 'script\tThe script searches for cloud credentials and sends the identified credentials to C2 (the.borg[.]wtf).']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:59:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e3c384cd-1c89-4a4b-a874-1652562a02b8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:59:08.000Z",
"modified": "2021-02-04T09:59:08.000Z",
"pattern": "[file:hashes.SHA256 = 'e6422d97d381f255cd9e9f91f06e5e4921f070b23e4e35edd539a589b1d6aea7' AND file:name = 't.sh' AND file:x_misp_text = 'script\tThe script downloads x86_64.so and tmate from C2. It modifies ld.so.preload and starts a tmate named session. It then sends back the victim\u2019s system info and tmate session to C2.']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:59:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6020f6d1-af71-4e4a-8a12-225c0242d370",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:59:08.000Z",
"modified": "2021-02-04T09:59:08.000Z",
"pattern": "[file:hashes.SHA256 = '77456c099facd775238086e8f9420308be432d461e55e49e1b24d96a8ea585e8' AND file:name = 'x86_64.so' AND file:x_misp_text = 'ELF\tThis shared object replaces the existing /etc/ld.so.preload file. It uses the LD_PRELOAD trick to hide the tmate process.']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:59:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--dfb15087-2708-4da2-9b47-298071b8304d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:59:08.000Z",
"modified": "2021-02-04T09:59:08.000Z",
"pattern": "[file:hashes.SHA256 = '78f92857e18107872526feb1ae834edb9b7189df4a2129a4125a3dd8917f9983' AND file:name = 'xmrig' AND file:x_misp_text = 'ELF\txmrig v6.7.0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:59:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a086e984-6da5-4f73-8030-469f98c3227c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T09:59:08.000Z",
"modified": "2021-02-04T09:59:08.000Z",
"pattern": "[file:hashes.SHA256 = '3de32f315fd01b7b741cfbb7dfee22c30bf7b9a5a01d7ab6690fcb42759a3e9f' AND file:name = 'xmrig.so' AND file:x_misp_text = 'ELF\tThis shared object replaces the existing /etc/ld.so.preload.']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T09:59:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--94c1c886-20de-4707-b937-40b85b53bd3f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T10:00:58.000Z",
"modified": "2021-02-04T10:00:58.000Z",
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "attachment",
"object_relation": "attachment",
"value": "word-image.png",
"category": "External analysis",
"uuid": "2b389dc5-f633-400f-ab9b-660fe5041103",
"data": "iVBORw0KGgoAAAANSUhEUgAABPgAAAQgCAYAAAB7KuLYAAAgAElEQVR4AexdCZgUxdmuyOL/axINLCbRmJg7RhPZxfwmJiaaaDzYxXjt7rCiKOIRVCIiooKKys4sIKAgN8olt8juzgy73HIfciiXKIKI4O+VmEh+j4DW/7y9W2NNb8/OzG73dPfMu8+zT/d0V1dVv/X211+9/VWVEPwjAkSACBABIuADBLpU1J1cPjB8TkkofGVZqKZHIBQeUFYRHVUajMwurYgsCgSjL3aujL5WHoq+XV4Z/TAQin4cCEX/EwhGPy8LRiT/iQE5QA6QA+QAOUAOkAPkQNZwIBT9oiwUORoIRT4NhCKHy0PR98tD0f2dB0W3B4LRlaWhBdVlocik0srIkLKKaJ/yYPS60lDkos7B8Omdxm063gfuP6tIBIgAESACRIAI+BWBqyrmndw5tOBPZaFIj9Jg+MmyYCR6bSiypywU+Y+VM9b18UVHbhu57Mjd41d9cf+UDfLhGZvkwDlb5eB52+TQqh1yeHinHBHZJUdG8f8K/4kBOUAOkAPkADlADpAD5ECWcGCXfCKySw6r3iGHzN8uK+e+JB+dtVk+OG2j7PPMWtlzzIqj3YcvOdJlUK3lx+5AZeSDslBkfSAUmVYSrHkoMDBcdnVF9Vklc+a08mtfgvUmAkSACBABIkAEXECgfPCin5RVRAJlofBgRODhq6Mu4nUZUnf0b2NXHn14+ibDcXl66V45d/0huXD7B3Lt64fly2//h//EgBwgB8gBcoAcIAfIAXKAHEjCgU1vfiKXv/JPWbPlXTl91ZtydO1uGZq7VfadtFbe/MSSI7oPXhaKfhEIRXaUB8NTAxXRXp2DNecz4s+FzhKLJAJEgAgQASLgVQQCwarflwWj92G4QOfKBR8oRyJQGf3irrGrPg/O2SonLH5dVr34jly1hwIeBUwKuOQAOUAOkAPkADlADpADmeDAlgOfykXb/y5nrD4gnwzvlP2mbpTdhy+OE/4CochLZRWRUdcMDF9bUrn4e17tc7BeRIAIEAEiQASIgM0IBAZGf1VaEelbVhGpCwSjnylB769PLTsKMW/Ssn1GNF4mnBaWQeeYHCAHyAFygBwgB8gBcoAcSI8Da/celvPWHzKmu7l/8jqJETbKp7+2MrKntCIytrSiprRkWF1bm7sSzI4IEAEiQASIABFwC4Hrhiz8Kl7wZcHwM4FQ9F318r999IqjQ57fLmevPSjX7f03h1AkGUJBxzM9x5N4ES9ygBwgB8gBcoAcIAcyx4G6bR/ICYv2GHP96YIfFvYoD0YeCISqC93qj7BcIkAEiAARIAJEoJkIdBoQblcWinYvDUVrlKDX9fG6o4/M3Cynrtwv13CuPAqaFDTJAXKAHCAHyAFygBwgB7KWA+Gt7xkRfr3Gr44t5tG5Mvo6Vu8tGVhzXjO7GbyMCBABIkAEiAARcBqBkmFrjysNRrqWBcNhJerdOmLpEaxaW7353ax1XvhlOHNfhok1sSYHyAFygBwgB8gBcsB/HFj1+mFjGp5+UzdI1U8oD0X3lw2MDsL0PU73U5g/ESACRIAIEAEikAICpZWRS8pC0SmBUPQ/eGFD1Bse3ilrX36foh6/SpMD5AA5QA6QA+QAOUAOkAPkQIwDG/d/Ip9duV/2n7YxJvZhoY5AMHJPYED1KSl0P5iECBABIkAEiAARsAuBawctOLU0GO3fubJ2L0S964fUHR303EuyZgsj9fhV2X9fldlmbDNygBwgB8gBcoAcIAcyz4H1+/4tn1m6V/aeuDom9pUGI3PLgtFiu/otzIcIEAEiQASIABGwQODaQeELy4KRmSq0/r4p6+T0VW/GvsjRMcq8Y0TMiTk5QA6QA+QAOUAOkAPkgN85sGTH3+Ww6h2y29BFR9DXwGq8ZRXRPkWhSBuLbgkPEQEiQASIABEgAs1BoCwYvTEQim40ovUerzuKl+/SXR9S2ONwC3KAHCAHyAFygBwgB8gBcoAcsJUDM1YfkH0nra2P6gtFjpZVREaVVEZ/2Zx+DK8hAkSACBABIpDzCNwwafl/46tZ51D0IIS9v41deXTSsn22vrz9/qWR9efXcnKAHCAHyAFygBwgB8gBcsAZDtRt+0CG5m6NG77bOVhzfs531AgAESACRIAIEIFUECipnHNioCI8oDwU/QjC3v1TNsi56w9R2OOXWXKAHCAHyAFygBwgB8gBcoAcyDgH1u49LEdGd8muj9cdRf8kEIzUllbWXpJK34ZpiAARIAJEgAjkHAIlo5Z/LRAKDwiEoh/jxfnw9E0yuvW9jL/A+QXUmS+gxJW4kgPkADlADpAD5AA5QA74mQNbD34mxy3aI7sPX2zM01cajCwqCy24OOc6brxhIkAEiAARIAKJECgLRu9TEXsDZmyStdvep7DHr7PkADlADpAD5AA5QA6QA+QAOeBJDkxc/LrsPnyJIfSVBcPhkoE15yXq6/A4ESACRIAIEIGsR6AkFLlFzbH34LMvygUvU9jz81dN1p1f5ckBcoAcIAfIAXKAHCAHcokDiOi7sWHl3UAoMq1zMHx61nfieINEgAgQASJABBQCpcFwR7Uqbp9n1sqqF9/x5Je5XHJOeK90xskBcoAcIAfIAXKAHCAHyIH0ObDlwKfGHH2ByugXmGqobGB0UKdxm45XfR9uiQARIAJEgAhkHQLlgxf9pCwYmYkX320jlx2ZvupNCnscdkEOkAPkADngew4s3/mefDq6ST41d5V8dvHLMvrim/KlQ5/5/r7Y0U+/o0/MiBk5kLscWL3no9iqu+Wh6PsYrZR1HTreEBEgAkSACBCB0mC0v7HqVGX0i1G1u9npYYeeHMhhDqzf+5E89TdXx/1f3bMyISe2HPhEXnlHKC69ur78nmEJr2tuJ+u8sl7yB3/oHPu/ZcA428tobt14nXc6jjOX7ZSXdOtv8CS/oEia/8GhrveNkOGN+xPyZ/jM5Y14vWQbo9rJc+/wnG3BtiAH0udA5KX3ZN9JayX6PqXByLKSYPhc9gaJABEgAkSACPgegdLKyCVloeg2vOAemblZrnjtXwk7OnQg0ncgiBkx8yMH1u75ZyMx5LKbHrS0DYiC6tx7aKP0EFP+2KWv3LjvsOV1LcHl5xffEFceym9Jfrl67Yxl2+W1fYbH/rv0ecKR9so0vpv2/5/sMfDpOI6YxT3z715DpllG9FVOrmuUz8ItBz3Lt8FTF8XaE22L+8o0/iyP7z1ygBzwCwemrHhDdmuYn6+0MjKkZM6cVr7v3PEGiAARIAJEIPcQKBm29riyisgoNRx3zjrvdlj84iSwnnRos4UD6Qh83R8c00gAcVLcA8YU+Ox51qzEq5WvfOBrQejFN/4tf3VFD0tOmkU982+rSFArjLws8AXufjzu3jt0us3X7ZktNpX3YY/NIo7E0QkObHrzEzl43jYjmq+8snZvWWXNX3KvZ8g7JgJEgAgQAd8iUBIKXxkIRQ9A3BtWvYPOfw4PxXTCUWKe/nfAUxX4/jZoSpyYoAQTpyL3FLco8NnDMSvxyu8CX89Ka04qbmLouNq32j7+7JK4d6IVRhT47OGfep65JZ7kADngBQ5gUcGeY1YcNYbtVkTGdhoQ5iIcvu3tsuJEgAgQgRxAYMCA5Xkqaq/nmJWf12x5N64j44WXK+tAJ48ccJ8DqQh8/Z+aZymUnF/ex/FhnhT47OGIlXjlZ4EPc+lZiXY//dN1cmzVOrnm1Q+Nd96qVz6QAydGLNOCW5vf/Dj2brTCiAKfPfyjrSeO5AA54EUOPBneWR/NF4ruLwtGi3Ogi8hbJAJEgAgQAb8hUF4R+WPnyuhufJUaHt4Z67x48cXKOtHhIwfc5UAygS80qdZSHGlK3MNCHGOeXyNHa/+RBIsbTIpujks3b+WrcTYrkcCHekPIufWRCbJb/1GGiDP7hV1y68FP46634hfqh3IhXGJOPywactegqUZ+WIHV6hocw2qs+j1hhVYch0gUnFQrb3zgKXlNz0ExcWlq3VY5Ibwh9r90e/2CDVXr9sq7Bk8zysbCJCgbeKWy0uvq1z
}
],
"x_misp_meta_category": "file",
"x_misp_name": "file"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d5ed01ea-338f-445b-90e6-e5344378aa83",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T10:14:24.000Z",
"modified": "2021-02-04T10:14:24.000Z",
"pattern": "[file:hashes.MD5 = 'fe9d149dec9cd182254ace576a332f56' AND file:hashes.SHA1 = '66f858f47aebad049a58d416ca5f7916bf3ec524' AND file:hashes.SHA256 = '3de32f315fd01b7b741cfbb7dfee22c30bf7b9a5a01d7ab6690fcb42759a3e9f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T10:14:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--62edf8d4-05c9-4862-8d42-f8a4806a36bc",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T10:14:24.000Z",
"modified": "2021-02-04T10:14:24.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2021-02-03T19:27:51+00:00",
"category": "Other",
"uuid": "7cce5fc0-9644-441d-8697-37e733ef44f5"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/3de32f315fd01b7b741cfbb7dfee22c30bf7b9a5a01d7ab6690fcb42759a3e9f/detection/f-3de32f315fd01b7b741cfbb7dfee22c30bf7b9a5a01d7ab6690fcb42759a3e9f-1612380471",
"category": "Payload delivery",
"uuid": "7d3b53ae-687b-416c-b654-f25154c2070d"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "36/62",
"category": "Payload delivery",
"uuid": "70d081db-33dd-49a8-970b-038e2fd244b2"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--387943cb-ee93-42dd-98b0-2c27066365df",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T10:14:24.000Z",
"modified": "2021-02-04T10:14:24.000Z",
"pattern": "[file:hashes.MD5 = '92490c9b9d3bb59aca5f106e401dfcaa' AND file:hashes.SHA1 = 'ca46d7e629475ec4dce991221d9c9f3abf4f6ad3' AND file:hashes.SHA256 = 'e6422d97d381f255cd9e9f91f06e5e4921f070b23e4e35edd539a589b1d6aea7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T10:14:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--10416647-701f-4247-93af-3e201abed9b2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T10:14:24.000Z",
"modified": "2021-02-04T10:14:24.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2021-02-03T19:40:43+00:00",
"category": "Other",
"uuid": "d4cd28b1-b60e-44b4-9c64-7e7c4f45b5b6"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/e6422d97d381f255cd9e9f91f06e5e4921f070b23e4e35edd539a589b1d6aea7/detection/f-e6422d97d381f255cd9e9f91f06e5e4921f070b23e4e35edd539a589b1d6aea7-1612381243",
"category": "Payload delivery",
"uuid": "6852adda-7ef4-4745-8c2b-fb5da0102746"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "8/60",
"category": "Payload delivery",
"uuid": "563c3788-bd32-4dcc-a076-af2cdfff1e33"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--13c55aeb-731f-4f9f-bed7-54bc16691ee0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T10:14:24.000Z",
"modified": "2021-02-04T10:14:24.000Z",
"pattern": "[file:hashes.MD5 = '9f98db93197c6dfb27475075ae14e8ae' AND file:hashes.SHA1 = 'd849ca5d8fea568c2ccc56719d9b1bc145c64c9e' AND file:hashes.SHA256 = '053318adb15cf23075f737daa153b81ab8bd0f2958fa81cd85336ecdf3d7de4e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T10:14:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--663a8f21-2bf4-499e-9f5c-ba6bd04faa87",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T10:14:24.000Z",
"modified": "2021-02-04T10:14:24.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2021-02-03T19:41:02+00:00",
"category": "Other",
"uuid": "c032bbff-bca2-49ee-b17d-319677f87a00"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/053318adb15cf23075f737daa153b81ab8bd0f2958fa81cd85336ecdf3d7de4e/detection/f-053318adb15cf23075f737daa153b81ab8bd0f2958fa81cd85336ecdf3d7de4e-1612381262",
"category": "Payload delivery",
"uuid": "a7ed5250-91ef-4cdd-9361-a9cb14637692"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "4/59",
"category": "Payload delivery",
"uuid": "28f8e57c-6ea4-4b49-8f71-7ef6d0ee00dd"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1cc03dbc-d46a-4ee2-aef9-82cc7ef7c97a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T10:14:24.000Z",
"modified": "2021-02-04T10:14:24.000Z",
"pattern": "[file:hashes.MD5 = '63248ffca814fec285379d27aaccf2e9' AND file:hashes.SHA1 = '661a178188ce87332779fd4e842674dd39425496' AND file:hashes.SHA256 = '72cff62d801c5bcb185aa299eb26f417aad843e617cf9c39c69f9dde6eb82742']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T10:14:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--1247892f-3395-4415-933b-581bc19ca772",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T10:14:24.000Z",
"modified": "2021-02-04T10:14:24.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2021-02-04T06:36:23+00:00",
"category": "Other",
"uuid": "e482ad3f-ea53-4783-a5fc-a9df32a22e68"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/72cff62d801c5bcb185aa299eb26f417aad843e617cf9c39c69f9dde6eb82742/detection/f-72cff62d801c5bcb185aa299eb26f417aad843e617cf9c39c69f9dde6eb82742-1612420583",
"category": "Payload delivery",
"uuid": "a7245756-6000-46a0-83d0-a8f046c7e488"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "3/61",
"category": "Payload delivery",
"uuid": "0154047d-9659-4470-bb33-127abbfd3c46"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0c47742b-164b-4df9-8c71-ef7acafe77cc",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T10:14:24.000Z",
"modified": "2021-02-04T10:14:24.000Z",
"pattern": "[file:hashes.MD5 = '35ac482fafb1453f993cb7c447fb9525' AND file:hashes.SHA1 = '59e538c2a3b5a4ccf49b30b88e5571a27931aa4c' AND file:hashes.SHA256 = 'a22c2a6c2fdc5f5b962d2534aaae10d4de0379c9872f07aa10c77210ca652fa9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T10:14:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--7454fe7f-f8e1-45bc-acb5-b270c3d9d93d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T10:14:25.000Z",
"modified": "2021-02-04T10:14:25.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2021-02-03T19:34:55+00:00",
"category": "Other",
"uuid": "f7f0be32-b20e-47e9-bff2-c3b6857999ef"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/a22c2a6c2fdc5f5b962d2534aaae10d4de0379c9872f07aa10c77210ca652fa9/detection/f-a22c2a6c2fdc5f5b962d2534aaae10d4de0379c9872f07aa10c77210ca652fa9-1612380895",
"category": "Payload delivery",
"uuid": "3b209465-79f6-4244-b8f0-8d2e1f99f5b7"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "24/62",
"category": "Payload delivery",
"uuid": "4282e0ac-e3ea-4f2e-8d1c-244e51aa67ae"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b7657286-0c79-4c4e-9e45-b5c47795b70e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T10:14:25.000Z",
"modified": "2021-02-04T10:14:25.000Z",
"pattern": "[file:hashes.MD5 = '1aeb95215a633400d90ad8cbca9bc300' AND file:hashes.SHA1 = '31381d57d93b0c0738d2e92bce0014b69371f958' AND file:hashes.SHA256 = 'd2fff992e40ce18ff81b9a92fa1cb93a56fb5a82c1cc428204552d8dfa1bc04f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T10:14:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--16f3ee0a-c011-439f-8bf5-2f88b5671de2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T10:14:25.000Z",
"modified": "2021-02-04T10:14:25.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2021-02-03T20:11:13+00:00",
"category": "Other",
"uuid": "14744553-4167-424e-a9ea-86c40d3ade68"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/d2fff992e40ce18ff81b9a92fa1cb93a56fb5a82c1cc428204552d8dfa1bc04f/detection/f-d2fff992e40ce18ff81b9a92fa1cb93a56fb5a82c1cc428204552d8dfa1bc04f-1612383073",
"category": "Payload delivery",
"uuid": "949d6755-855d-4624-8c90-f2e9ece4f101"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "2/62",
"category": "Payload delivery",
"uuid": "37edadcb-4036-45d7-a086-11f69ac56b2b"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--cd4e86bb-5672-428e-ad55-00bd5ec27323",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T10:14:25.000Z",
"modified": "2021-02-04T10:14:25.000Z",
"pattern": "[file:hashes.MD5 = '80c202ced80965521adf1d63ba6be712' AND file:hashes.SHA1 = '9481e349e3b3942edd2346fa823611e16a375ae4' AND file:hashes.SHA256 = '77456c099facd775238086e8f9420308be432d461e55e49e1b24d96a8ea585e8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T10:14:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--31ac78bf-1fb8-40f3-8c88-a6f5c1c1ed9c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T10:14:25.000Z",
"modified": "2021-02-04T10:14:25.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2021-02-03T19:31:29+00:00",
"category": "Other",
"uuid": "0bb828f3-37c1-453e-bbec-e3c7504adb9f"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/77456c099facd775238086e8f9420308be432d461e55e49e1b24d96a8ea585e8/detection/f-77456c099facd775238086e8f9420308be432d461e55e49e1b24d96a8ea585e8-1612380689",
"category": "Payload delivery",
"uuid": "cb9b754b-9665-477f-b519-e868e5469128"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "26/63",
"category": "Payload delivery",
"uuid": "2b4e5d30-c772-4b53-b4be-bf6970b9f8d6"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--172dce95-5a65-4cf0-b710-277a5832b326",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T10:14:25.000Z",
"modified": "2021-02-04T10:14:25.000Z",
"pattern": "[file:hashes.MD5 = '70330c23a9027ba0d2d6dd552818d97b' AND file:hashes.SHA1 = 'e94aeaeae1a3df5e3778c37f7a77be43da627c7e' AND file:hashes.SHA256 = '78f92857e18107872526feb1ae834edb9b7189df4a2129a4125a3dd8917f9983']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T10:14:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--cd6c16c4-35f5-474c-b49d-e5d213880efc",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T10:14:25.000Z",
"modified": "2021-02-04T10:14:25.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2021-02-03T19:38:56+00:00",
"category": "Other",
"uuid": "58d5b530-df03-43b3-a0bc-1958ed931ce3"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/78f92857e18107872526feb1ae834edb9b7189df4a2129a4125a3dd8917f9983/detection/f-78f92857e18107872526feb1ae834edb9b7189df4a2129a4125a3dd8917f9983-1612381136",
"category": "Payload delivery",
"uuid": "f2e6fa65-0bcd-4147-8988-6fa1244279ab"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "30/62",
"category": "Payload delivery",
"uuid": "01a178ee-c1e2-4b87-bfca-f6c9b1c4e6f6"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--de8d5991-babe-4c5d-9343-0a1bd17eaba9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T10:14:25.000Z",
"modified": "2021-02-04T10:14:25.000Z",
"pattern": "[file:hashes.MD5 = 'e10e607751f00516c86b35a6a3b76517' AND file:hashes.SHA1 = '841e188fb08de785a7cd43cb9ce3550ba84c21ef' AND file:hashes.SHA256 = '12c5c5d556394aa107a433144c185a686aba3bb44389b7241d84bea766e2aea3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T10:14:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--a38d8b07-b456-42ae-b58a-036d656a2a25",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T10:14:25.000Z",
"modified": "2021-02-04T10:14:25.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2021-02-03T19:38:17+00:00",
"category": "Other",
"uuid": "75e9f292-c358-4b12-897a-66c78643e7ec"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/12c5c5d556394aa107a433144c185a686aba3bb44389b7241d84bea766e2aea3/detection/f-12c5c5d556394aa107a433144c185a686aba3bb44389b7241d84bea766e2aea3-1612381097",
"category": "Payload delivery",
"uuid": "70cd68f7-0a97-44d5-8a20-9e48050e725e"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "25/60",
"category": "Payload delivery",
"uuid": "ee1c3b33-7bae-4e3c-ba79-09d0275c372c"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3b265851-d607-41db-883a-3cdf383f8c65",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T10:14:25.000Z",
"modified": "2021-02-04T10:14:25.000Z",
"pattern": "[file:hashes.MD5 = '018d88b8203bdea0fe4dc5b4baa930c4' AND file:hashes.SHA1 = '4ea685a7fc013cf3476ad13e9dcf6f08d06af85a' AND file:hashes.SHA256 = '937842811b9e2eb87c4c19354a1a790315f2669eea58b63264f751de4da5438d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-02-04T10:14:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--383195f4-cd06-40ad-b1f9-8a3f078d3c81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T10:14:25.000Z",
"modified": "2021-02-04T10:14:25.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2021-02-04T06:37:14+00:00",
"category": "Other",
"uuid": "d6fb239f-65d1-4aaa-b4a2-081e712bebaa"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/937842811b9e2eb87c4c19354a1a790315f2669eea58b63264f751de4da5438d/detection/f-937842811b9e2eb87c4c19354a1a790315f2669eea58b63264f751de4da5438d-1612420634",
"category": "Payload delivery",
"uuid": "5639436e-48e6-4452-a771-d4475af5fe82"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "1/60",
"category": "Payload delivery",
"uuid": "7a643205-b7cc-437b-b564-d722e30939ed"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--4a242786-2019-442c-a76c-a9b208d7a3c3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T11:20:59.000Z",
"modified": "2021-02-04T11:20:59.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/",
"category": "External analysis",
"uuid": "1765b652-f97a-46d0-b72d-148a81e51f13"
},
{
"type": "text",
"object_relation": "summary",
"value": "In January 2021, Unit 42 researchers detected a new malware campaign targeting Kubernetes clusters. The attackers gained initial access via a misconfigured kubelet that allowed anonymous access. Once getting a foothold into a Kubernetes cluster, the malware attempted to spread over as many containers as possible and eventually launched cryptojacking operations. Based on the tactics, techniques and procedures (TTP) that the attackers used, we believe this is a new campaign from TeamTNT. We refer to this new malware as Hildegard, the username of the tmate account that the malware used.\r\n\r\nTeamTNT is known for exploiting unsecured Docker daemons and deploying malicious container images, as documented in previous research (Cetus, Black-T and TeamTNT DDoS). However, this is the first time we found TeamTNT targeting Kubernetes environments. In addition to the same tools and domains identified in TeamTNT\u2019s previous campaigns, this new malware carries multiple new capabilities that make it more stealthy and persistent. In particular, we found that TeamTNT\u2019s Hildegard malware:\r\n\r\nUses two ways to establish command and control (C2) connections: a tmate reverse shell and an Internet Relay Chat (IRC) channel.\r\nUses a known Linux process name (bioset) to disguise the malicious process.\r\nUses a library injection technique based on LD_PRELOAD to hide the malicious processes.\r\nEncrypts the malicious payload inside a binary to make automated static analysis more difficult.\r\nWe believe that this new malware campaign is still under development due to its seemingly incomplete codebase and infrastructure. At the time of writing, most of Hildegard\u2019s infrastructure has been online for only a month. The C2 domain borg[.]wtf was registered on Dec. 24, 2020, the IRC server went online on Jan. 9, 2021, and some malicious scripts have been updated frequently. The malware campaign has ~25.05 KH/s hashing power, and there is 11 XMR (~$1,500) in the wallet.\r\n\r\nThere has not been any activity since our initial detection, which indicates the threat campaign may still be in the reconnaissance and weaponization stage. However, knowing this malware\u2019s capabilities and target environments, we have good reason to believe that the group will soon launch a larger-scale attack. The malware can leverage the abundant computing resources in Kubernetes environments for cryptojacking and potentially exfiltrate sensitive data from tens to thousands of applications running in the clusters.",
"category": "Other",
"uuid": "9e0c3854-65ec-491c-9338-42613794b6e4"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
chg: [export] updated
2023-05-19 09:05:37 +00:00
{
"type": "note",
"spec_version": "2.1",
"id": "note--2b0419ad-bb80-44c9-895c-eb6d227715f7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-02-04T11:21:12.000Z",
"modified": "2021-02-04T11:21:12.000Z",
"abstract": "Report from - https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ (1612437672)",
"content": "html [if IE]> <div class=\"alert alert-warning\"> You are using an <strong>outdated</strong> browser. Please <a href=\"http://browsehappy.com/\">upgrade your browser</a> to improve your experience. </div> <![endif] \n* Tools\n * ATOMs\n * Speaking Events\n * About Us\n \n By Jay Chen, Aviv Sasson and Ariel Zelivansky \n\n February 3, 2021 at 6:00 AM\n\n Category: Unit 42\n\n Tags: Cloud, containers, cryptojacking, Docker, Kubernetes, public cloud, TeamTnT\n\n This post is also available in: \u65e5\u672c\u8a9e (Japanese)\n\n## Executive Summary\n\n In January 2021, Unit 42 researchers detected a new malware campaign targeting Kubernetes clusters. The attackers gained initial access via a misconfigured kubelet that allowed anonymous access. Once getting a foothold into a Kubernetes cluster, the malware attempted to spread over as many containers as possible and eventually launched cryptojacking operations. Based on the tactics, techniques and procedures (TTP) that the attackers used, we believe this is a new campaign from TeamTNT. We refer to this new malware as **Hildegard**, the username of the tmate account that the malware used.\n\n TeamTNT is known for exploiting unsecured Docker daemons and deploying malicious container images, as documented in previous research (Cetus, Black-T and TeamTNT DDoS). However, this is the first time we found TeamTNT targeting Kubernetes environments. In addition to the same tools and domains identified in TeamTNT\u2019s previous campaigns, this new malware carries multiple new capabilities that make it more stealthy and persistent. In particular, we found that TeamTNT\u2019s Hildegard malware:\n\n \n * Uses two ways to establish command and control (C2) connections: a tmate reverse shell and an Internet Relay Chat (IRC) channel.\n * Uses a known Linux process name (bioset) to disguise the malicious process.\n * Uses a library injection technique based on LD\\_PRELOAD to hide the malicious processes.\n * Encrypts the malicious payload inside a binary to make automated static analysis more difficult.\n \n We believe that this new malware campaign is still under development due to its seemingly incomplete codebase and infrastructure. At the time of writing, most of Hildegard\u2019s infrastructure has been online for only a month. The C2 domain borg[.]wtf was registered on Dec. 24, 2020, the IRC server went online on Jan. 9, 2021, and some malicious scripts have been updated frequently. The malware campaign has ~25.05 KH/s hashing power, and there is 11 XMR (~$1,500) in the wallet.\n\n **There has not been any activity since our initial detection, which indicates the threat campaign may still be in the reconnaissance and weaponization stage.** However, knowing this malware\u2019s capabilities and target environments, we have good reason to believe that the group will soon launch a larger-scale attack. The malware can leverage the abundant computing resources in Kubernetes environments for cryptojacking and potentially exfiltrate sensitive data from tens to thousands of applications running in the clusters.\n\n Palo Alto Networks customers running Prisma Cloud are protected from this threat by the Runtime Protection feature, Cryptominer Detection feature and the Prisma Cloud Compute Kubernetes Compliance Protection, which alerts on an insufficient Kubernetes configuration and provides secure alternatives.\n\n # \n\n Figure 1. Attacker and malware\u2019s movement. ## Tactics, Techniques and Procedures\n\n Figure 1 illustrates how the attacker entered, moved laterally and eventually performed cryptojacking in multiple containers.\n\n \n 2. The attacker started by exploiting an unsecured Kubelet on the internet and searched for containers running inside the Kubernetes nodes. After finding container 1 in Node A, the attacker attempted to perform remote code execution (RCE) in container 1.\n 4. The attacker downloaded tmate and issued a command to run it and establish a reverse shell to tmate.io from container 1. The attacker then continued the atta
"object_refs": [
"report--2e29b34e-9558-46ba-96b2-211295ece344"
]
},
chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
{
"type": "relationship",
"spec_version": "2.1",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"id": "relationship--1f719788-4295-4109-bc96-6fbccdbced71",
chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
"created": "1970-01-01T00:00:00.000Z",
"modified": "1970-01-01T00:00:00.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--d5ed01ea-338f-445b-90e6-e5344378aa83",
"target_ref": "x-misp-object--62edf8d4-05c9-4862-8d42-f8a4806a36bc"
},
{
"type": "relationship",
"spec_version": "2.1",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"id": "relationship--d1592dbc-b397-4ef3-862f-6015c4bf79ec",
chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
"created": "1970-01-01T00:00:00.000Z",
"modified": "1970-01-01T00:00:00.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--387943cb-ee93-42dd-98b0-2c27066365df",
"target_ref": "x-misp-object--10416647-701f-4247-93af-3e201abed9b2"
},
{
"type": "relationship",
"spec_version": "2.1",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"id": "relationship--b0260e5d-e9ba-4fb5-a032-5ae84f04e7d2",
chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
"created": "1970-01-01T00:00:00.000Z",
"modified": "1970-01-01T00:00:00.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--13c55aeb-731f-4f9f-bed7-54bc16691ee0",
"target_ref": "x-misp-object--663a8f21-2bf4-499e-9f5c-ba6bd04faa87"
},
{
"type": "relationship",
"spec_version": "2.1",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"id": "relationship--d080e640-a14f-48ec-ba98-4c865b64203d",
chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
"created": "1970-01-01T00:00:00.000Z",
"modified": "1970-01-01T00:00:00.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--1cc03dbc-d46a-4ee2-aef9-82cc7ef7c97a",
"target_ref": "x-misp-object--1247892f-3395-4415-933b-581bc19ca772"
},
{
"type": "relationship",
"spec_version": "2.1",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"id": "relationship--4c64cc00-f01c-43a8-9f7c-2983a49f91b5",
chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
"created": "1970-01-01T00:00:00.000Z",
"modified": "1970-01-01T00:00:00.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--0c47742b-164b-4df9-8c71-ef7acafe77cc",
"target_ref": "x-misp-object--7454fe7f-f8e1-45bc-acb5-b270c3d9d93d"
},
{
"type": "relationship",
"spec_version": "2.1",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"id": "relationship--8dfb29d2-17a6-49b5-80a2-7c118088f854",
chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
"created": "1970-01-01T00:00:00.000Z",
"modified": "1970-01-01T00:00:00.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--b7657286-0c79-4c4e-9e45-b5c47795b70e",
"target_ref": "x-misp-object--16f3ee0a-c011-439f-8bf5-2f88b5671de2"
},
{
"type": "relationship",
"spec_version": "2.1",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"id": "relationship--396e7b50-305e-4581-8a19-968c4cd52741",
chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
"created": "1970-01-01T00:00:00.000Z",
"modified": "1970-01-01T00:00:00.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--cd4e86bb-5672-428e-ad55-00bd5ec27323",
"target_ref": "x-misp-object--31ac78bf-1fb8-40f3-8c88-a6f5c1c1ed9c"
},
{
"type": "relationship",
"spec_version": "2.1",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"id": "relationship--56a9a8de-385e-4fd7-b87b-f3df6f8b1c72",
chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
"created": "1970-01-01T00:00:00.000Z",
"modified": "1970-01-01T00:00:00.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--172dce95-5a65-4cf0-b710-277a5832b326",
"target_ref": "x-misp-object--cd6c16c4-35f5-474c-b49d-e5d213880efc"
},
{
"type": "relationship",
"spec_version": "2.1",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"id": "relationship--81bf0673-cccb-48c8-aa04-f6eaf4bdaa6a",
chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
"created": "1970-01-01T00:00:00.000Z",
"modified": "1970-01-01T00:00:00.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--de8d5991-babe-4c5d-9343-0a1bd17eaba9",
"target_ref": "x-misp-object--a38d8b07-b456-42ae-b58a-036d656a2a25"
},
{
"type": "relationship",
"spec_version": "2.1",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"id": "relationship--26124060-62b9-4bc4-88cb-27b61829ad29",
chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
"created": "1970-01-01T00:00:00.000Z",
"modified": "1970-01-01T00:00:00.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--3b265851-d607-41db-883a-3cdf383f8c65",
"target_ref": "x-misp-object--383195f4-cd06-40ad-b1f9-8a3f078d3c81"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue Copy permalink