{
"type" : "bundle" ,
"id" : "bundle--5c812baa-d614-4f99-88e0-426d950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-07T14:54:20.000Z" ,
"modified" : "2019-03-07T14:54:20.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5c812baa-d614-4f99-88e0-426d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-07T14:54:20.000Z" ,
"modified" : "2019-03-07T14:54:20.000Z" ,
"name" : "OSINT - New SLUB Backdoor Uses GitHub, Communicates via Slack" ,
"published" : "2019-03-07T14:54:40Z" ,
"object_refs" : [
"observed-data--5c812bb7-f9a4-4e40-8386-2d92950d210f" ,
"url--5c812bb7-f9a4-4e40-8386-2d92950d210f" ,
"x-misp-attribute--5c812bd5-5ff0-4398-aa70-44d7950d210f" ,
"vulnerability--5c812c3b-92e4-4dca-ae5d-423f950d210f" ,
"observed-data--5c812c61-3fb8-4dd4-a066-426f950d210f" ,
"file--5c812c61-3fb8-4dd4-a066-426f950d210f" ,
"artifact--5c812c61-3fb8-4dd4-a066-426f950d210f" ,
"observed-data--5c812ca0-4fb4-4e00-89a3-424b950d210f" ,
"file--5c812ca0-4fb4-4e00-89a3-424b950d210f" ,
"artifact--5c812ca0-4fb4-4e00-89a3-424b950d210f" ,
"indicator--5c812cd9-3bd0-4fb8-aebf-426f950d210f" ,
"indicator--5c812e19-f324-4fb4-8321-41b2950d210f" ,
"indicator--5c812e19-02cc-4e58-ad6f-4531950d210f" ,
"indicator--caa8ad96-cb54-41af-87e6-0d652834620b" ,
"x-misp-object--e326acd3-60af-46c8-bdb0-e3879b6dea8b" ,
"indicator--4712ac16-d976-47b2-8e95-99e0fbbfb94a" ,
"x-misp-object--ae0fe876-57e2-4670-8a0d-d6fed9a7d0d3" ,
"relationship--752ae440-0b53-4816-8778-780fafad44a0" ,
"relationship--2a3ddfad-5d88-4fbe-9cc1-9e0f71001bd8"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"osint:certainty=\"50\"" ,
"misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Alternative Protocol - T1048\"" ,
"misp-galaxy:mitre-attack-pattern=\"Scripting - T1064\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5c812bb7-f9a4-4e40-8386-2d92950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-07T14:33:27.000Z" ,
"modified" : "2019-03-07T14:33:27.000Z" ,
"first_observed" : "2019-03-07T14:33:27Z" ,
"last_observed" : "2019-03-07T14:33:27Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5c812bb7-f9a4-4e40-8386-2d92950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5c812bb7-f9a4-4e40-8386-2d92950d210f" ,
"value" : "https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5c812bd5-5ff0-4398-aa70-44d7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-07T14:33:57.000Z" ,
"modified" : "2019-03-07T14:33:57.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "We recently came across a previously unknown malware that piqued our interest in multiple ways. For starters, we discovered it being spread via watering hole attacks, a technique that involves an attacker compromising a website before adding code to it so visitors are redirected to the infecting code. In this case, each visitor is redirected only once. The infection was done by exploiting CVE-2018-8174, a VBScript engine vulnerability that was patched by Microsoft back in May 2018.\r\n\r\nSecond, it uses a multi-stage infection scheme. After it exploits the vulnerability, it downloads a DLL and runs it in PowerShell (PS). This file, which is a downloader, then downloads and runs the second executable file containing a backdoor. The first stage downloader also checks for the existence of different kinds of antivirus software processes, and then proceeds to exit if any is found. At the time of discovery, the backdoor was seemingly unknown to AV products.\r\n\r\nIn addition to the previously mentioned facts, we quickly noticed that the malware was connecting to the Slack platform, a collaborative messaging system that lets users create and use their own workspaces through the use of channels, similar to the IRC chatting system. We found this quite interesting, since we haven\u2019t observed any malware to date that communicates using Slack.\r\n\r\nOur technical investigation and analysis of the attacker\u2019s tools, techniques, and procedures (TTP) lead us to think that this threat is actually a stealthy targeted attack run by capable actors, and not a typical cybercriminal scheme.\r\n\r\nNote that as soon as this malware was discovered, we informed the Canadian Centre for Cyber Security, which acts as Canada\u2019s National Computer Security Incident Response Team (CSIRT). The Cyber Centre alerted the site operator, helped them understand the malware that was found, and offered mitigation advice."
} ,
{
"type" : "vulnerability" ,
"spec_version" : "2.1" ,
"id" : "vulnerability--5c812c3b-92e4-4dca-ae5d-423f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-07T14:35:39.000Z" ,
"modified" : "2019-03-07T14:35:39.000Z" ,
"name" : "CVE-2018-8174" ,
"labels" : [
"misp:type=\"vulnerability\"" ,
"misp:category=\"Payload delivery\""
] ,
"external_references" : [
{
"source_name" : "cve" ,
"external_id" : "CVE-2018-8174"
}
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5c812c61-3fb8-4dd4-a066-426f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-07T14:36:17.000Z" ,
"modified" : "2019-03-07T14:36:17.000Z" ,
"first_observed" : "2019-03-07T14:36:17Z" ,
"last_observed" : "2019-03-07T14:36:17Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5c812c61-3fb8-4dd4-a066-426f950d210f" ,
"artifact--5c812c61-3fb8-4dd4-a066-426f950d210f"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5c812c61-3fb8-4dd4-a066-426f950d210f" ,
"name" : "SLUB-Figure-5-1.jpg" ,
"content_ref" : "artifact--5c812c61-3fb8-4dd4-a066-426f950d210f"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--5c812c61-3fb8-4dd4-a066-426f950d210f" ,
"payload_bin" : " / 9 j / 4 A A Q S k Z J R g A B A g E A l g C W A A D / 7 g A O Q W R v Y m U A Z A A A A A A B / + E A S k V 4 a W Y A A E 1 N A C o A A A A I A A M B G g A F A A A A A Q A A A D I B G w A F A A A A A Q A A A D o B K A A D A A A A A Q A C A A A A A A A A A J Y A A A A B A A A A l g A A A A E A A P / t A C x Q a G 90 b 3 N o b 3 A g M y 4 w A D h C S U 0 D 7 Q A A A A A A E A C W A A A A A Q A B A J Y A A A A B A A H / 4 V K f a H R 0 c D o v L 25 z L m F k b 2 J l L m N v b S 94 Y X A v M S 4 w L w A 8 P 3 h w Y W N r Z X Q g Y m V n a W 49 I u + 7 v y I g a W Q 9 I l c 1 T T B N c E N l a G l I e n J l U 3 p O V G N 6 a 2 M 5 Z C I / P g 0 K P H g 6 e G 1 w b W V 0 Y S B 4 b W x u c z p 4 P S J h Z G 9 i Z T p u c z p t Z X R h L y I g e D p 4 b X B 0 a z 0 i Q W R v Y m U g W E 1 Q I E N v c m U g N S 4 z L W M w M T E g N j Y u M T Q 1 N j Y x L C A y M D E y L z A y L z A 2 L T E 0 O j U 2 O j I 3 I C A g I C A g I C A i P g 0 K C T x y Z G Y 6 U k R G I H h t b G 5 z O n J k Z j 0 i a H R 0 c D o v L 3 d 3 d y 53 M y 5 v c m c v M T k 5 O S 8 w M i 8 y M i 1 y Z G Y t c 3 l u d G F 4 L W 5 z I y I + D Q o J C T x y Z G Y 6 R G V z Y 3 J p c H R p b 24 g c m R m O m F i b 3 V 0 P S I i I H h t b G 5 z O m R j P S J o d H R w O i 8 v c H V y b C 5 v c m c v Z G M v Z W x l b W V u d H M v M S 4 x L y I + D Q o J C Q k 8 Z G M 6 Z m 9 y b W F 0 P m l t Y W d l L 2 p w Z W c 8 L 2 R j O m Z v c m 1 h d D 4 N C g k J C T x k Y z p 0 a X R s Z T 4 N C g k J C Q k 8 c m R m O k F s d D 4 N C g k J C Q k J P H J k Z j p s a S B 4 b W w 6 b G F u Z z 0 i e C 1 k Z W Z h d W x 0 I j 5 G S W d 1 c m U t N T w v c m R m O m x p P g 0 K C Q k J C T w v c m R m O k F s d D 4 N C g k J C T w v Z G M 6 d G l 0 b G U + D Q o J C T w v c m R m O k R l c 2 N y a X B 0 a W 9 u P g 0 K C Q k 8 c m R m O k R l c 2 N y a X B 0 a W 9 u I H J k Z j p h Y m 91 d D 0 i I i B 4 b W x u c z p 4 b X A 9 I m h 0 d H A 6 L y 9 u c y 5 h Z G 9 i Z S 5 j b 20 v e G F w L z E 
u M C 8 i I H h t b G 5 z O n h t c E d J b W c 9 I m h 0 d H A 6 L y 9 u c y 5 h Z G 9 i Z S 5 j b 20 v e G F w L z E u M C 9 n L 2 l t Z y 8 i P g 0 K C Q k J P H h t c D p N Z X R h Z G F 0 Y U R h d G U + M j A x O S 0 w M y 0 w N V Q x N z o z N j o z N S s w O D o w M D w v e G 1 w O k 1 l d G F k Y X R h R G F 0 Z T 4 N C g k J C T x 4 b X A 6 T W 9 k a W Z 5 R G F 0 Z T 4 y M D E 5 L T A z L T A 1 V D A 5 O j M 2 O j M 2 W j w v e G 1 w O k 1 v Z G l m e U R h d G U + D Q o J C Q k 8 e G 1 w O k N y Z W F 0 Z U R h d G U + M j A x O S 0 w M y 0 w N V Q x N z o z N j o z N S s w O D o w M D w v e G 1 w O k N y Z W F 0 Z U R h d G U + D Q o J C Q k 8 e G 1 w O k N y Z W F 0 b 3 J U b 29 s P k F k b 2 J l I E l s b H V z d H J h d G 9 y I E N T N i A o V 2 l u Z G 93 c y k 8 L 3 h t c D p D c m V h d G 9 y V G 9 v b D 4 N C g k J C T x 4 b X A 6 V G h 1 b W J u Y W l s c z 4 N C g k J C Q k 8 c m R m O k F s d D 4 N C g k J C Q k J P H J k Z j p s a S B y Z G Y 6 c G F y c 2 V U e X B l P S J S Z X N v d X J j Z S I + D Q o J C Q k J C Q k 8 e G 1 w R 0 l t Z z p 3 a W R 0 a D 4 y N T Y 8 L 3 h t c E d J b W c 6 d 2 l k d G g + D Q o J C Q k J C Q k 8 e G 1 w R 0 l t Z z p o Z W l n a H Q + M T U y P C 94 b X B H S W 1 n O m h l a W d o d D 4 N C g k J C Q k J C T x 4 b X B H S W 1 n O m Z v c m 1 h d D 5 K U E V H P C 94 b X B H S W 1 n O m Z v c m 1 h d D 4 N C g k J C Q k J C T x 4 b X B H S W 1 n O m l t Y W d l P i 85 a i 80 Q U F R U 2 t a S l J n Q U J B Z 0 V B b G d D V 0 F B R C 83 U U F z V U d o d m R H O X p h R z l 3 S U R N d U 1 B Q T R R a 2 x O Q S s w Q U F B Q U F B Q k F B b G d B Q U F B R U E N C k F R Q 1 d B Q U F B Q V F B Q i 8 r S U 1 X R W x E U T E 5 U V V r O U d T V X h G Q U F F Q k F B Q U 1 T R X h w Y m 0 4 Q 0 V B Q U F i V z U w Y 2 x K S F F p Q l l X V m 9 n Q j g 0 Q U F n Q U o N C k F B W U F N U U F B W V d O e m N F M V R S b F F B Q U F B Q V N V V k R J S E 5 T U j B J Q U F B Q U F B Q U F B Q U F B Q U F B Q U F 
B U G J X Q U F F Q U F B Q U E w e T F J V U N B Z 0 F B Q U E N C k F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B U l k z Q n l k Q U F B Q V Z B Q U F B Q X o N C l p H V n p Z d 0 F B Q V l R Q U F B Q n N k M 1 J 3 Z E F B Q U F m Q U F B Q U F V W W 10 d 2 R B Q U F B Z 1 F B Q U F B V W N s a F p X Z 0 F B Q W h n Q U F B Q V V a M W h a V 2 d B Q U F p d 0 E N C k F B Q V V Z b G h a V 2 d B Q U F r Q U F B Q U F V W k c x d V p B Q U F B b F F B Q U F C d 1 p H M W t a Q U F B Q X N R Q U F B Q 0 l k b l Z s W k F B Q U E w d 0 F B Q U N H Z G 1 s b G R 3 Q U E N C k E 5 U U F B Q U F r Y k h W d G F R Q U F B L 2 d B Q U F B V W J X V m h j d 0 F B Q k F 3 Q U F B Q W t k R 1 Z q Y U F B Q U J E Q U F B Q U F N Y 2 x S U 1 F 3 Q U F C R H d B Q U F n T V o x U l M N C l F 3 Q U F C R H d B Q U F n T V l s U l N R d 0 F B Q k R 3 Q U F B Z 0 1 k R 1 Y 0 Z E F B Q U F B Q k R i M 0 I 1 Y 21 s b m F I U W d L R 0 1 w S U R F N U 9 U Z 2 d T R 1 Y z Y k d W M G R D M V E N C l l X T n J Z W E p r S U V O d m J Y Q m h i b m t B Q U d S b G M y T U F B Q U F B Q U F B Q U V u T l N S M E l n U 1 V W R E 5 q R T V O a l l 0 T W k 0 e E F B Q U F B Q U F B Q U F B Q U F B Q V M N C m M x S k h R a U J K U l V N M k 1 U a z J O a T B 5 T G p F Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U E N C k F B Q U F B Q U F B Q U F B Q U F G a F p X a U F B Q U F B Q U F B R H p V U U F C Q U F B Q U F S Y k 1 X R m x h S U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U J Z V 1 Z v Z 0 F B Q U E N C k F B Q U F i N k l B Q U R q M U F B Q U R r R m h a V 2 l B Q U F B Q U F B Q U J p b V F B Q X Q 0 V U F B Q m p h V 0 Z s Y U l B Q U F B Q U F B Q U N T Z 0 F B Q V B o Q U F B d H M 5 a 1 p Y T m o N C k F B Q U F B Q U F B Q U J a S l J V T W d h S F I w Y 0 R v 
d k w z Z D N k e T V w W l d N d V k y Z 0 F B Q U F B Q U F B Q U F B Q U F B Q l p K U l V N Z 2 F I U j B j R G 92 T D N k M 2 R 5 N X A N C l p X T X V Z M m d B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B W k d W e l l 3 Q U E N C k F B Q U F B Q U F 1 U 1 V W R E l E W X h P V F k y T F R J d U 1 T Q k V a V 1 p o Z F d 4 M E l G S k h R a U J q Y j J 4 d m R Y S W d j M 0 J o W T J V Z 0 x T Q n p V a 2 R D Q U F B Q U F B Q U E N C k F B Q U F B Q U F 1 U 1 V W R E l E W X h P V F k y T F R J d U 1 T Q k V a V 1 p o Z F d 4 M E l G S k h R a U J q Y j J 4 d m R Y S W d j M 0 J o W T J V Z 0 x T Q n p V a 2 R D Q U F B Q U F B Q U E N C k F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U d S b G M y T U F B Q U F B Q U F B Q U x G S m x a b V Z 5 W l c 1 a l p T Q l d h V 1 Y z Y V c 1 b k l F T n Z i b V J w Z E d s d m J p Q n A N C m J p Q k p S V U 0 y T V R r M k 5 p M H l M a k V B Q U F B Q U F B Q U F B Q U F B Q U N 4 U 1 p X W m x j b V Z 1 W T J V Z 1 Z t b G x k M m x 1 W n l C R G I y N W t h W F J w Y j I 0 Z 2 F X N G c N C l N V V k R O a k U 1 T m p Z d E 1 p N H h B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q U F B Q j J h V 1 Y z Q U F B Q U F B Q V R w U D R B R k Y 4 d U F C R F A N C k Z B Q U Q 3 Y 3 d B Q k J N T E F B T m N u Z 0 F B Q U F G W V d W b 2 d B Q U F B Q U F C T U N W W U F V Q U F B Q U Z j Z j U y M W x Z W E 1 B Q U F B Q U F B Q U F B U U F B Q U F B Q U F B Q U E N C k F B Q U F B Q U F B Q U F B Q U F B S 1 B B Q U F B Q W 5 O c F p 5 Q U F B Q U F B U T F K V U l H T j F j b l l B Q U F B Q U F B Q U V B Q U F B Q U F V Q U N n Q V B B Q l F B R 1 F B Z U F D T U E N C k t B Q X R B R E l B T n d B N 0 F F Q U F S U U J L Q U U 4 Q V Z B Q l p B R j R B W X d C b 0 F H M E F j Z 0 I z Q U h 3 Q W d R Q 0 d B S X N B a 0 F D V k F K b 0 F u d 0 N r Q U t r 
Q X J n Q 3 k N C k F M Y 0 F 2 Q U R C Q U 1 Z Q X l 3 R F F B T l V B M n d E Z 0 F P V U E 2 d 0 R 3 Q V B Z Q S t 3 R U J B U W N
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5c812ca0-4fb4-4e00-89a3-424b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-07T14:37:20.000Z" ,
"modified" : "2019-03-07T14:37:20.000Z" ,
"first_observed" : "2019-03-07T14:37:20Z" ,
"last_observed" : "2019-03-07T14:37:20Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5c812ca0-4fb4-4e00-89a3-424b950d210f" ,
"artifact--5c812ca0-4fb4-4e00-89a3-424b950d210f"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5c812ca0-4fb4-4e00-89a3-424b950d210f" ,
"name" : "SLUB-Figure-9.jpg" ,
"content_ref" : "artifact--5c812ca0-4fb4-4e00-89a3-424b950d210f"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--5c812ca0-4fb4-4e00-89a3-424b950d210f" ,
"payload_bin" : " / 9 j / 4 A A Q S k Z J R g A B A Q E A 3 A D c A A D / 2 w B D A A I B A Q I B A Q I C A g I C A g I C A w U D A w M D A w Y E B A M F B w Y H B w c G B w c I C Q s J C A g K C A c H C g 0 K C g s M D A w M B w k O D w 0 M D g s M D A z / 2 w B D A Q I C A g M D A w Y D A w Y M C A c I D A w M D A w M D A w M D A w M D A w M D A w M D A w M D A w M D A w M D A w M D A w M D A w M D A w M D A w M D A w M D A w M D A z / w A A R C A I Y B O s D A S I A A h E B A x E B / 8 Q A H w A A A Q U B A Q E B A Q E A A A A A A A A A A A E C A w Q F B g c I C Q o L / 8 Q A t R A A A g E D A w I E A w U F B A Q A A A F 9 A Q I D A A Q R B R I h M U E G E 1 F h B y J x F D K B k a E I I 0 K x w R V S 0 f A k M 2 J y g g k K F h c Y G R o l J i c o K S o 0 N T Y 3 O D k 6 Q 0 R F R k d I S U p T V F V W V 1 h Z W m N k Z W Z n a G l q c 3 R 1 d n d 4 e X q D h I W G h 4 i J i p K T l J W W l 5 i Z m q K j p K W m p 6 i p q r K z t L W 2 t 7 i 5 u s L D x M X G x 8 j J y t L T 1 N X W 19 j Z 2 u H i 4 + T l 5 u f o 6 e r x 8 v P 0 9 f b 3 + P n 6 / 8 Q A H w E A A w E B A Q E B A Q E B A Q A A A A A A A A E C A w Q F B g c I C Q o L / 8 Q A t R E A A g E C B A Q D B A c F B A Q A A Q J 3 A A E C A x E E B S E x B h J B U Q d h c R M i M o E I F E K R o b H B C S M z U v A V Y n L R C h Y k N O E l 8 R c Y G R o m J y g p K j U 2 N z g 5 O k N E R U Z H S E l K U 1 R V V l d Y W V p j Z G V m Z 2 h p a n N 0 d X Z 3 e H l 6 g o O E h Y a H i I m K k p O U l Z a X m J m a o q O k p a a n q K m q s r O 0 t b a 3 u L m 6 w s P E x c b H y M n K 0 t P U 1 d b X 2 N n a 4 u P k 5 e b n 6 O n q 8 v P 0 9 f b 3 + P n 6 / 9 o A D A M B A A I R A x E A P w D 9 / K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o 
o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C 
i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i i i g A o o o o A K K K K A C i j N F A B R R R Q A U U U U A F F F F A B R R R Q A U U U U A F F F F A B R R R Q A U U U U A F F F F A B R R R Q A U U U U A F F F F A B R R R Q A U U U U A F F F F A B R R R Q A U U U U A F F F F A B R R R Q A U U U U A F F F F A B R R R Q A U U U U A F F F F A B R R R Q A U U U U A F F F F A B R R R Q A U U U U A F F F F A B R R R Q A U U U U A F F F F A B R R R Q A U U U U A F F F F A B R R R Q A U U U U A F F F F A B R R R Q A U U U U A F F F F A B R R R Q A U U U U A F F F F A B R R R Q A U U U U A F F F F A B R R R Q A U U U U A F F F F A B R R R Q A U U U U A F F F F A B R R R Q A U U U U A F F F F A B R R R Q A U U U U A F F F F A B R R R Q A U U U U A F F F F A B R R R Q A U U U U A F F F F A B R R R Q A U U U U A e e f t V / t L e H f 2 Q f g D 4 l + I n i l 5 R o / h u 3 E z x x Y 825 k Z g k c S Z 43 O 7 K o + t f g 98 b f 8 A g 49 / a K + I f j W 7 v P D G r a R 4 J 0 U y s b W w t N O h u W j j z 8 o e S Z W L N j q Q A M 9 q / R 3 / A I O Z L + a z / w C C a T x x O U S 68 V a d F K B / G o W d 8 f 8 A f S q f w r + e a u m j B N X Z z V p t O y P s v / h / 7 + 1 V / w B F I j / 8 E t j / A P G q P + H / A L + 1 V / 0 U i P 8 A 8 E t j / w D G q + N K K 25 V 2 M u d 9 z 7 L / w C H / v 7 V X / R S I / 8 A w S 2 P / w A a o / 
4 f + / t V f 9 F I j / 8 A B L Y 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
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c812cd9-3bd0-4fb8-aebf-426f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-07T14:38:17.000Z" ,
"modified" : "2019-03-07T14:38:17.000Z" ,
"pattern" : "[url:value = 'https://gist.github.com/kancc14522/626a3a68a2cc2a91c1ece1eed7610c8a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-03-07T14:38:17Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c812e19-f324-4fb4-8321-41b2950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-07T14:43:37.000Z" ,
"modified" : "2019-03-07T14:43:37.000Z" ,
"description" : "Trojan.Win32.CVE20151701.E" ,
"pattern" : "[file:hashes.SHA256 = '3ba00114d0ae766cf77edcdcc953ec6ee7527181968c02d4ffc36b9f89c4ebc7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-03-07T14:43:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c812e19-02cc-4e58-ad6f-4531950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-07T14:43:37.000Z" ,
"modified" : "2019-03-07T14:43:37.000Z" ,
"description" : "Backdoor.Win32.SLUB.A" ,
"pattern" : "[file:hashes.SHA256 = '43221eb160733ea694b4fdda70e7eab4a86d59c5f9749fd2f9b71783e5da6dd7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-03-07T14:43:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--caa8ad96-cb54-41af-87e6-0d652834620b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-07T14:43:58.000Z" ,
"modified" : "2019-03-07T14:43:58.000Z" ,
"pattern" : "[file:hashes.MD5 = '142ea550d65fbd90cc2a47aeaef0c210' AND file:hashes.SHA1 = 'e092e130a0627015331c3d3e0265befd65c167b4' AND file:hashes.SHA256 = '3ba00114d0ae766cf77edcdcc953ec6ee7527181968c02d4ffc36b9f89c4ebc7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-03-07T14:43:58Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--e326acd3-60af-46c8-bdb0-e3879b6dea8b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-07T14:43:59.000Z" ,
"modified" : "2019-03-07T14:43:59.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-03-01T01:49:19" ,
"category" : "Other" ,
"comment" : "Trojan.Win32.CVE20151701.E" ,
"uuid" : "40be40ac-66c7-45ea-a2d7-0ffaea92ce0a"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/3ba00114d0ae766cf77edcdcc953ec6ee7527181968c02d4ffc36b9f89c4ebc7/analysis/1551404959/" ,
"category" : "Payload delivery" ,
"comment" : "Trojan.Win32.CVE20151701.E" ,
"uuid" : "442cf993-0cb9-48a6-8bb1-e1ab6fcb3a0a"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "32/63" ,
"category" : "Payload delivery" ,
"comment" : "Trojan.Win32.CVE20151701.E" ,
"uuid" : "49b64f75-c33f-42ab-a43d-8ea7bfafbe12"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--4712ac16-d976-47b2-8e95-99e0fbbfb94a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-07T14:44:00.000Z" ,
"modified" : "2019-03-07T14:44:00.000Z" ,
"pattern" : "[file:hashes.MD5 = 'f3004ddaef5b8c18883e716dda966141' AND file:hashes.SHA1 = '786e366ab9edbbba315ee1cc0de12132b107ba9c' AND file:hashes.SHA256 = '43221eb160733ea694b4fdda70e7eab4a86d59c5f9749fd2f9b71783e5da6dd7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-03-07T14:44:00Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--ae0fe876-57e2-4670-8a0d-d6fed9a7d0d3" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-07T14:44:00.000Z" ,
"modified" : "2019-03-07T14:44:00.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-03-06T16:37:38" ,
"category" : "Other" ,
"comment" : "Backdoor.Win32.SLUB.A" ,
"uuid" : "a77369bd-22fd-4be7-883e-933bd72867cc"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/43221eb160733ea694b4fdda70e7eab4a86d59c5f9749fd2f9b71783e5da6dd7/analysis/1551890258/" ,
"category" : "Payload delivery" ,
"comment" : "Backdoor.Win32.SLUB.A" ,
"uuid" : "81801a81-6192-4cfb-8aaf-ead1f36da2e8"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "7/69" ,
"category" : "Payload delivery" ,
"comment" : "Backdoor.Win32.SLUB.A" ,
"uuid" : "a1fe3994-9403-415e-b117-30f4b38e65d4"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--752ae440-0b53-4816-8778-780fafad44a0" ,
"created" : "2019-03-07T14:44:00.000Z" ,
"modified" : "2019-03-07T14:44:00.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--caa8ad96-cb54-41af-87e6-0d652834620b" ,
"target_ref" : "x-misp-object--e326acd3-60af-46c8-bdb0-e3879b6dea8b"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--2a3ddfad-5d88-4fbe-9cc1-9e0f71001bd8" ,
"created" : "2019-03-07T14:44:00.000Z" ,
"modified" : "2019-03-07T14:44:00.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--4712ac16-d976-47b2-8e95-99e0fbbfb94a" ,
"target_ref" : "x-misp-object--ae0fe876-57e2-4670-8a0d-d6fed9a7d0d3"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}