2023-04-21 14:44:17 +00:00
{
"type" : "bundle" ,
"id" : "bundle--5cac8884-5a80-4a5b-b3f9-ada3950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T19:21:59.000Z" ,
"modified" : "2019-04-09T19:21:59.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5cac8884-5a80-4a5b-b3f9-ada3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T19:21:59.000Z" ,
"modified" : "2019-04-09T19:21:59.000Z" ,
"name" : "OSINT - STUXSHOP The Oldest Stuxnet Component Dials Up" ,
"published" : "2019-04-09T19:26:39Z" ,
"object_refs" : [
"x-misp-attribute--5cac88a1-c61c-43b2-81cb-2bc9950d210f" ,
"observed-data--5cac88b4-82f0-40c1-bf5c-3009950d210f" ,
"url--5cac88b4-82f0-40c1-bf5c-3009950d210f" ,
"indicator--5cac8f36-c224-4ca1-b482-c1da950d210f" ,
"indicator--5cac8f36-bee8-41f2-97ba-c1da950d210f" ,
"indicator--5cac8f36-a064-4c8f-9b64-c1da950d210f" ,
"indicator--5cac8f36-3c18-4fec-8be3-c1da950d210f" ,
"indicator--5cacea3f-924c-4319-8993-43a302de0b81" ,
"indicator--5cacea3f-0ee0-4dd4-a623-418202de0b81" ,
"indicator--5cacea53-f988-4e9c-8d3a-467302de0b81" ,
"indicator--5cacea6e-5a00-489d-aab9-46c502de0b81" ,
"indicator--5cacea6e-74d8-45d6-905e-45ad02de0b81" ,
"indicator--5cacea82-abf4-4c0d-907c-4bb402de0b81" ,
"indicator--5caceaaa-e558-4992-99be-4a1b02de0b81" ,
"indicator--5caceaaa-2ebc-4fbc-bdbe-411802de0b81" ,
"indicator--5caceaaa-4660-45bc-92c7-4c9702de0b81" ,
"indicator--5caceaaa-78dc-4a6d-83e6-4ff002de0b81" ,
"indicator--5caceaaa-f400-4670-8acd-4c5b02de0b81" ,
"indicator--5caceae8-f6cc-4959-97cf-a79102de0b81" ,
"indicator--5caceed5-75f0-4a37-adbf-4c8702de0b81" ,
"indicator--5cacf076-9a94-4851-83c9-4ecd02de0b81" ,
"indicator--5cac89aa-7884-4eb1-95fd-4a27950d210f" ,
"x-misp-object--d66ade80-17a6-47a9-9efe-7b5a922dfaa1" ,
"indicator--5cac8b2f-87ec-4432-bb7d-2c32950d210f" ,
"indicator--5cac8cc9-7984-4dfa-85f8-49af950d210f" ,
"indicator--5cac8dc1-95dc-466e-85ce-4b0c950d210f" ,
"indicator--5cacea17-9ba0-4939-95e7-474c02de0b81" ,
"indicator--2868aeaa-a19a-4b36-b693-e55b1a32d633" ,
"x-misp-object--95f4e9d8-aec9-4e52-b133-8688a3857540" ,
"indicator--d7f8c044-89dc-411c-a777-6110c35e1185" ,
"x-misp-object--73ebef95-1302-4712-b237-7aba3002f249" ,
"indicator--308606ca-729c-4050-8d8e-72f00f17a981" ,
"x-misp-object--7403084a-f132-4ff9-a53b-6342ed8032ee" ,
"indicator--dbbdfe4d-13dc-4fc2-b189-0582aec45f8f" ,
"x-misp-object--67191d81-2968-4471-b804-e92b25166e28" ,
"indicator--de4d97dc-5512-4f11-b590-7f56e1877cdc" ,
"x-misp-object--555db026-ee1b-4775-91f4-a1b52245a78c" ,
"indicator--6b9bfb62-ea86-4bb9-9d1e-7aa8ed2150eb" ,
"x-misp-object--ddaf5a99-1963-4a4a-93eb-0b69396bbb46" ,
"indicator--6edd0812-8c25-4923-8e60-1872a7a81a1c" ,
"x-misp-object--b7b2cc69-43cb-4213-9dfd-d7b5043a819d" ,
"indicator--421a889c-305d-4fee-a7c9-6b0114a2beb9" ,
"x-misp-object--596ec4c3-ec57-4be1-8edf-777fb2b48aa0" ,
"x-misp-object--5cacf023-7368-4a33-a5a4-4e8502de0b81" ,
"indicator--5cacf0d7-870c-4b90-a5bb-4c1c02de0b81" ,
2024-04-05 12:15:17 +00:00
"relationship--5c6ee049-92fb-47d2-b2c2-71974c52e2c7" ,
"relationship--d983aecd-eabf-4c5f-a29a-c62252fbb58e" ,
"relationship--aed45e75-6378-4d10-982b-9e6b46201235" ,
"relationship--77bc749a-22cb-4224-b074-17ddf411a876" ,
"relationship--708d8365-3e7f-457f-b72e-2bb4b39757d2" ,
"relationship--aff7243e-c24e-4dc8-bb57-b186cf834fe3" ,
"relationship--83a19e13-850c-4011-bc0b-b16f3bf72677" ,
"relationship--99db8f1a-02d4-4a1f-ad2a-ebd894ee62ad" ,
"relationship--eb510276-19c0-4031-939e-5bde5e37fa93" ,
"relationship--44caf340-7cdc-4fa8-b9a9-ec2ff9f5702e" ,
"relationship--befa07c0-c142-436f-9b0d-42b8c79170cd" ,
"relationship--22a92108-502b-45ce-9394-adc37014cdb3" ,
"relationship--4003c899-dea3-42db-9beb-5bef6b56ff19"
2023-04-21 14:44:17 +00:00
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"osint:certainty=\"50\"" ,
"misp-galaxy:malpedia=\"Stuxnet\"" ,
"misp-galaxy:tool=\"Stuxnet\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5cac88a1-c61c-43b2-81cb-2bc9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T11:57:21.000Z" ,
"modified" : "2019-04-09T11:57:21.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "During our research into the GossipGirl Supra Threat Actor (STA) cluster, we discovered apreviously unknown relationship exemplified in an early Stuxnet component \u00e2\u20ac\u201cbuilt in part on theFlowershop malware framework. While other known versions of Stuxnet were partially linked tothe Flame platform (a.k.a. Flamer, SkyWiper) or the \u00e2\u20ac\u02dcTilded Platform\u00e2\u20ac\u2122 (a.k.a. DuQu), this older1component shares code with Flowershop \u00e2\u20ac\u201can even older malware framework active as early as2002. In an interesting show of longevity, this Stuxnet component \u00e2\u20ac\u201cwhich we\u00e2\u20ac\u2122ve dubbedStuxshop\u00e2\u20ac\u2039\u00e2\u20ac\u201c is configured to communicate with known Stuxnet command-and-control (C&C)servers and even includes logic to suppress dial-up prompts for disconnected (or possiblyairgapped) machines.The value of this recent finding is twofold: First, it suggests that yet another team withits own malware platform was involved in the early development of Stuxnet. And secondly, itsupports the view that Stuxnet is in fact the product of a modular development frameworkmeant to enable collaboration among diverse, independent threat actors. Our recent findings,alongside the outstanding body of previously reported technical analysis on this threat, wouldplace the \u00e2\u20ac\u02dcFlowershop team\u00e2\u20ac\u2122 alongside Equation, Flame, and Duqu as those involved in toolingthe different phases of Stuxnet as an operation active perhaps as early as 2006. Perhaps themost apt metaphor for Stuxnet is that of a \u00e2\u20ac\u02dcplane built as its being flown\u00e2\u20ac\u2122."
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5cac88b4-82f0-40c1-bf5c-3009950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T11:57:40.000Z" ,
"modified" : "2019-04-09T11:57:40.000Z" ,
"first_observed" : "2019-04-09T11:57:40Z" ,
"last_observed" : "2019-04-09T11:57:40Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5cac88b4-82f0-40c1-bf5c-3009950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5cac88b4-82f0-40c1-bf5c-3009950d210f" ,
"value" : "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cac8f36-c224-4ca1-b482-c1da950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T12:25:26.000Z" ,
"modified" : "2019-04-09T12:25:26.000Z" ,
"description" : "Stuxshop samples identified thus far contain four hardcoded C&C servers such as" ,
"pattern" : "[url:value = 'http://211.24.237.226/index.php?data=']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T12:25:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cac8f36-bee8-41f2-97ba-c1da950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T12:25:26.000Z" ,
"modified" : "2019-04-09T12:25:26.000Z" ,
"description" : "Stuxshop samples identified thus far contain four hardcoded C&C servers such as" ,
"pattern" : "[url:value = 'http://todaysfutbol.com/index.php?data=']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T12:25:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cac8f36-a064-4c8f-9b64-c1da950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T12:25:26.000Z" ,
"modified" : "2019-04-09T12:25:26.000Z" ,
"description" : "Stuxshop samples identified thus far contain four hardcoded C&C servers such as" ,
"pattern" : "[url:value = 'http://78.111.169.146/index.php?data=']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T12:25:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cac8f36-3c18-4fec-8be3-c1da950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T12:25:26.000Z" ,
"modified" : "2019-04-09T12:25:26.000Z" ,
"description" : "Stuxshop samples identified thus far contain four hardcoded C&C servers such as" ,
"pattern" : "[url:value = 'http://mypremierfutbol.com/index.php?data=']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T12:25:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cacea3f-924c-4319-8993-43a302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T18:53:51.000Z" ,
"modified" : "2019-04-09T18:53:51.000Z" ,
"description" : "Stuxshop Modules" ,
"pattern" : "[file:hashes.SHA256 = 'c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T18:53:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cacea3f-0ee0-4dd4-a623-418202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T18:53:51.000Z" ,
"modified" : "2019-04-09T18:53:51.000Z" ,
"description" : "Stuxshop Modules" ,
"pattern" : "[file:hashes.SHA256 = '1daa2b15b70e486927c8fc06eed434080ab408a1b320be9fefe193c20d1d9a7f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T18:53:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cacea53-f988-4e9c-8d3a-467302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T18:54:11.000Z" ,
"modified" : "2019-04-09T18:54:11.000Z" ,
"description" : "Stuxnet Installer with Embedded Stuxshop" ,
"pattern" : "[file:hashes.SHA256 = 'f34c85bb4fcd87225468d0e8ee4441ebc92f42b3f69500d85e28be3c553ce433']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T18:54:11Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cacea6e-5a00-489d-aab9-46c502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T18:54:38.000Z" ,
"modified" : "2019-04-09T18:54:38.000Z" ,
"description" : "Stuxnet Installers with Resource 231" ,
"pattern" : "[file:hashes.SHA256 = '77211838bb6783121fe1aeff182c8cc1cba9c9f0c1e5a0027e0c0b9dfa18e2ac']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T18:54:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cacea6e-74d8-45d6-905e-45ad02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T18:54:38.000Z" ,
"modified" : "2019-04-09T18:54:38.000Z" ,
"description" : "Stuxnet Installers with Resource 231" ,
"pattern" : "[file:hashes.SHA256 = 'a01845255bdc61b610cac269a5562ad09415aaf2a1490d53d55c4c3597670803']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T18:54:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cacea82-abf4-4c0d-907c-4bb402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T18:54:58.000Z" ,
"modified" : "2019-04-09T18:54:58.000Z" ,
"description" : "Deobfuscated Resource 231/Stuxshop modules" ,
"pattern" : "[file:hashes.SHA256 = 'a248c9eeb8e53bbebce42f55e2bfa71bfc70ffcd9dff3271bfd338e1578f37a1']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T18:54:58Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5caceaaa-e558-4992-99be-4a1b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T18:55:38.000Z" ,
"modified" : "2019-04-09T18:55:38.000Z" ,
"description" : "Flowershop samples with relevant code overlap" ,
"pattern" : "[file:hashes.SHA256 = '32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T18:55:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5caceaaa-2ebc-4fbc-bdbe-411802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T18:55:38.000Z" ,
"modified" : "2019-04-09T18:55:38.000Z" ,
"description" : "Flowershop samples with relevant code overlap" ,
"pattern" : "[file:hashes.SHA256 = '63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T18:55:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5caceaaa-4660-45bc-92c7-4c9702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T18:55:38.000Z" ,
"modified" : "2019-04-09T18:55:38.000Z" ,
"description" : "Flowershop samples with relevant code overlap" ,
"pattern" : "[file:hashes.SHA256 = '683ce2c7c80b180768fe4d2a39030dc7c4f67db79d1953ee4803522131f533a3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T18:55:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5caceaaa-78dc-4a6d-83e6-4ff002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T18:55:38.000Z" ,
"modified" : "2019-04-09T18:55:38.000Z" ,
"description" : "Flowershop samples with relevant code overlap" ,
"pattern" : "[file:hashes.SHA256 = 'c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T18:55:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5caceaaa-f400-4670-8acd-4c5b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T18:55:38.000Z" ,
"modified" : "2019-04-09T18:55:38.000Z" ,
"description" : "Flowershop samples with relevant code overlap" ,
"pattern" : "[file:hashes.SHA256 = 'ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T18:55:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5caceae8-f6cc-4959-97cf-a79102de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T18:56:40.000Z" ,
"modified" : "2019-04-09T18:56:40.000Z" ,
"pattern" : "[rule STUXSHOP_OSCheck\r\n{\r\nmeta:\r\nauthor = \"\u00e2\u20ac\u2039 Silas Cutler (havex@Chronicle.Security)\u00e2\u20ac\u2039 \"\r\ndesc = \"\u00e2\u20ac\u2039 Identifies the OS Check function in STUXSHOP and CheshireCat\u00e2\u20ac\u2039 \"\r\nhash = \"\u00e2\u20ac\u2039 c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579\u00e2\u20ac\u2039 \"\r\nstrings:\r\n$ = {10 F7 D8 1B C0 83 C0 ?? E9 ?? 01 00 00 39 85 7C FF FF FF 0F 85 ?? 01 00\r\n00 83 BD 70 FF FF FF 04 8B 8D 74 FF FF FF 75 0B 85 C9 0F 85 ?? 01 00 00 6A 05\r\n5E }\r\n$ = {01 00 00 3B FA 0F 84 ?? 01 00 00 80 7D 80 00 B1 62 74 1D 6A 0D 8D 45 80\r\n68 ?? ?? ?? 10 50 FF 15 ?? ?? ?? 10 83 C4 0C B1 6F 85 C0 75 03 8A 4D 8D 8B C6\r\n}\r\ncondition:\r\nany of them\r\n}]" ,
"pattern_type" : "yara" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2019-04-09T18:56:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5caceed5-75f0-4a37-adbf-4c8702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T19:13:25.000Z" ,
"modified" : "2019-04-09T19:13:25.000Z" ,
"pattern" : "[rule STUXSHOP_config\r\n{\r\n\tmeta:\r\n desc \u00e2\u20ac\u2039 = \u00e2\u20ac\u2039 \"Stuxshop standalone sample configuration\"\r\n author = \"JAG-S (turla@chronicle.security)\"\r\n hash \u00e2\u20ac\u2039 = \u00e2\u20ac\u2039 \"c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579\"\r\n strings:\r\n $cnc1 = \"http://211.24.237.226/index.php?data=\"\u00e2\u20ac\u2039 ascii wide\r\n $cnc2 = \"http://todaysfutbol.com/index.php?data=\"\u00e2\u20ac\u2039 ascii wide\r\n $cnc3 = \"http://78.111.169.146/index.php?data=\"\u00e2\u20ac\u2039 ascii wide\"\r\n $cnc4 = \"http://mypremierfutbol.com/index.php?data=\"\u00e2\u20ac\u2039 ascii wide\r\n\r\n\t $regkey1 \u00e2\u20ac\u2039 = \u00e2\u20ac\u2039\"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\MS-DOS Emulation\" ascii wide\r\n $regkey2 = \"NTVDMParams\"\u00e2\u20ac\u2039 ascii wide\r\n $flowerOverlap1 = {85 C0 75 3B 57 FF 75 1C FF 75 18 FF 75 14 50 FF 75 10 FF 75 FC FF 15\u00e2\u20ac\u2039}\r\n $flowerOverlap2 = {85 C0 75 4C 8B 45 1C 89 45 0C 8D 45 0C 50 8D 45 08 FF 75 18 50 6A 00 FF 75 10 FF 75 20 FF 15\u00e2\u20ac\u2039}\r\n $flowerOverlap3 = {55 8B EC 53 56 8B 75 20 85 F6 74 03 83 26 00 8D 45 20 50 68 19 00 02 00 6A 00 FF 75 0C FF 75 08\u00e2\u20ac\u2039}\r\n $flowerOverlap4 = {55 8B EC 51 8D 4D FC 33 C0 51 50 6A 26 50 89 45 FC FF 15 }\r\n $flowerOverlap5 \u00e2\u20ac\u2039= {85 DB 74 04 8B C3 EB 1A 8B 45 08 3B 45 14 74 07 B8 5D 06 00 00 EB 0B 85 F6 74 05 8B 45 0C 89 06\u00e2\u20ac\u2039}\r\n $flowerOverlap6 = {85 FF 74 12 83 7D F8 01 75 0C FF 75 0C FF 75 08 FF 15\u00e2\u20ac\u2039}\r\n condition:\r\n all of \u00e2\u20ac\u2039 ( \u00e2\u20ac\u2039 $flowerOverlap\u00e2\u20ac\u2039 *)\r\n or\r\n 2\u00e2\u20ac\u2039 of \u00e2\u20ac\u2039 ( \u00e2\u20ac\u2039 $cnc\u00e2\u20ac\u2039 *)\r\n or\r\n all of \u00e2\u20ac\u2039 ( \u00e2\u20ac\u2039 $regkey\u00e2\u20ac\u2039 *)\r\n}]" ,
"pattern_type" : "yara" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2019-04-09T19:13:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cacf076-9a94-4851-83c9-4ecd02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T19:20:22.000Z" ,
"modified" : "2019-04-09T19:20:22.000Z" ,
"pattern" : "[windows-registry-key:key = 'HKEY_CURRENT_USER\\\\Control Panel\\\\Appearance\\\\Old']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T19:20:22Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cac89aa-7884-4eb1-95fd-4a27950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T12:21:53.000Z" ,
"modified" : "2019-04-09T12:21:53.000Z" ,
"pattern" : "[file:hashes.MD5 = '455abb43295b9a69e355e4e43457bf30' AND file:hashes.SHA1 = '1e0fe0400e04440942a4a1a5bcd3bcd3150a2eea' AND file:hashes.SHA256 = 'c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T12:21:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--d66ade80-17a6-47a9-9efe-7b5a922dfaa1" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T12:07:08.000Z" ,
"modified" : "2019-04-09T12:07:08.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-04-09T09:00:19" ,
"category" : "Other" ,
"uuid" : "fe2cf46c-9b9f-45e4-9909-009d17c89312"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579/analysis/1554800419/" ,
"category" : "Payload delivery" ,
"uuid" : "4dc602d6-a883-4d96-9a6d-08d62774f5af"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "44/70" ,
"category" : "Payload delivery" ,
"uuid" : "6127da9f-dbd0-4a70-b003-f73444bdafa6"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cac8b2f-87ec-4432-bb7d-2c32950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T12:21:03.000Z" ,
"modified" : "2019-04-09T12:21:03.000Z" ,
"pattern" : " [ f i l e : h a s h e s . M D 5 = ' 455 a b b 43295 b 9 a 69e355 e 4e43457 b f 30 ' A N D f i l e : h a s h e s . S H A 1 = ' 1e0 f e 0 400e04440942 a 4 a 1 a 5 b c d 3 b c d 3150 a 2 e e a ' A N D f i l e : h a s h e s . S H A 256 = ' c 1961e54 d 60e34 b b e c 397 c 9120564e8 d 0 8 f 2 f 243 a e 349 d 2 f b 20 f 736510716579 ' A N D f i l e : n a m e = ' c 1961e54 d 60e34 b b e c 397 c 9120564e8 d 0 8 f 2 f 243 a e 349 d 2 f b 20 f 736510716579 ' A N D f i l e : s i z e = ' 72456 ' A N D ( f i l e : c o n t e n t _ r e f . p a y l o a d _ b i n = ' U E s D B B Q A C Q A I A A h h i U 6 C b w f / 0 U o A A A g b A Q A g A B w A N D U 1 Y W J i N D M y O T V i O W E 2 O W U z N T V l N G U 0 M z Q 1 N 2 J m M z B V V A k A A y + L r F w v i 6 x c d X g L A A E E I Q A A A A Q h A A A A X W x 30 p z G 0 q X D i h D n t I G F c B 3 u L B J t 8 j 5 o o / C Z 15 N 7 n Y m 4 U o m L e s E 9 t r J g B K v o 1 h L o z 6 n V v w 7 + u W a R J I F 9 a k w x N c m O 5 J 0 k Z J p L F J 52 C R L n Q S y Z M C i + 5 x 5 n t E j Z + E L b A V Q L z Z u G Y I U p 2 t n I k r N W 6 z q 6 B j y h + m e e a Y Q c F O O O + W 7 O D f 1 z C v e m b S y d 6 K b C j G R t m U o s b F H D R G R N Y 0 Q P n G v 88 X 3 Y T B S q 4 l 5 K y l x K R f V 6 m b q F F d 9 r 0 p 9 m 5 d 5 a T U e G 3 / m d j q Z F 5 y d D M j + f w 8 j L e 5 E b n g h y 5 y A 855 h g e d P 7 f N y o h V R Q H 5 m 47 p r W u s 9 W F O s p n y C 9 t Q H a T T P w I 4 e d e C w P Z V 0 C m c I l J f L / + V S g Y 0 X V f G F u 7 h y j / u O q O v n A 3 L i l Y 6 l G O m E Y 174 v u 55150 a O g G V k a K Y 8 a 8 D W i l c N 8 j h A Y b 1 n e q a V u v U D Y 5 J P k D b i N r k w q s 8 W f 5 T h H I m 65 j f a 64 K i / r x 8 m V U D s 315 i r 0 I + o J u o q x n E J d T I 97 l K Z A 4 Y B n 5 Q K D E h W 5 C J g 3 O F 10 y I Y P A R f C y 65 G z p 9 y 6 V K b Y x O T j h Z B N 3 O x u y K 4 H A U Y Q i 78 A v 9 w K j A V 3 z V 0 7 n g N B l w I O w q I X e j Z i Z l s J B h f d p x 66 p g G F V W J y z e X D z S B i o K H w w n u X K 8 G v K T j 3 + y v U O n R l W i 9 x 3 j A T L Z t U 3 k i m / v L 4 v x 4 X B 8 + c g b V F d y b / h i L 0 l p e R F H X 0 U 13 Y D v 0 V l O z s g w 8 T c 0 f c p 0 G z 1 n G 0 7 y J P 9 B z X t X Z H 9 l X 1 K h y K c h 4 b q 9 r 42 J x m n 6 S A V E l W 2 T Q B 6 P 5 M S u z 6 j R 7 K 0 R U 8 Q X p k Q J 9 a h p h / 3 c U d L D s p m v G v k Y / Y i l 57 N s I R L K Z 3 q J c z q 7 b 3 u x F W 4 f + o t a d + 9 e N z U Y 5 c g c L X a z s 9 U h E E H V x p 8 q A F u Z G h g m Q g F E R L j 3 I a y E z a d e / S A u r 19 O / 1 B 3 S D l t J u 22 j 4 o s v R C F M 8 O t u C s f a X f J d F j K F Q i O Y q A v c o 9 C O w z v O t Y Y t T t c Q C F g t R X 6 x q u k v j j 20 q T v N Q P R T q 4 / 6 u k w v E O v g R r U 6 y 1 A V c y 5 r t d u E 3 g i U n 1 d w 90 C a 4 F N 3 t h 5 I j W U C B 1 M I C j B 1 f q 3 Y w Q m 9 A A W a h L D W 5 E V G W P G s e h Z j f f a K b y 9 V H L b 5 + 2 N E j + G q 1 q T j j i U h S V d k g 3 m z v k A W 17 d 48 y + R z Z E J 6 Y u u i E d B 67 H A h N T 7 W N m D G Z Z Y N A z g e m v i X W c 0 p d k 3 w 9 e g m 0 V t 99 H 8E+2 G k J t 8 Z 9 n 9 g n v 0 b p I b b 6 C i r R 6 t J m 6 V b N / r O T g 9 Q h Q W 8 Z o S f Y / F a X D f 4 C z 7 o Q 6 v e n u Z A r 68 b d / s s a J P a c W w r Y 0 F Y + U b N 4 l 1 c H g W b s f X i h 6 f G z k 20 j y S t m 8 T j v Y j + r I o q 1 K i d H 9 o e g c j 6 D K a Z N P K r n 9 Y H t J 9 R t O z t Q e O i z s G T w P C B h 7 U x N 21 a 1 S z / w x d t I m K g 0 o g X Y o o W x 4 w v b v F m c T t l B E p L J r / R 9 G w a x x t O k t A b l 88 E E l 9 r s P B 8 + 6 h e N h Y k X k 4 t 5 D x j s A B z 0 t r n I g 69 y X V o h / F H d 7 Q Z M B b D k R O F o N L c v a Q T w L t w H L H 4 A X s I C G 0 J L 4 M I T G + j r 0 U n g T R n w b e W f h U t R 1 a K y 9 d T M 2 E D s 9 X 0 l C P + n r 8 I B y U y z J e w j 3 U z S p G d f P y E r Q e A O 2 c p u W 9 O 3 t f v F 5 G g s Y 6 S m l T + 5 W 3 j i z n 3 k M P E B 13 X k p z Q y K x 3 D d U 0 M q R 6 z z m x F z + B o L o c u 0 4 n 7 b + 2 R q q T v r u N f 7 k a d n h 8 W c N //C1v6TBnJ57GGFxzsPqjm0940LqszT252bjCOHgfUauE0RNWJolklFHfZ47dZACsYyshYIYsN2+lkrSkI/foYHCSFGMiZbInROpdzu2aUmkqxOfqyCAgp1lDG+qg94jpqVdzZsTUINvDxVbTk+fnvHxjM/kMVazoDBdK2z30Pc09ZigwQ3+4w5vKSH6w5D3ap3TnqubKIaWksaTPiTYxVTZRoju1jYBOdmiQNoPfCN/dOCPoOj4rWZr1Xw0650g5ZHw0KkXRIKosS5zgY/RUUyeO3qYbw7ksKHcQI3+PsdSqmlsuKqR6wWumn2wlB4EiJWo72k2hZGgxYS53QgqMXARf7CQ+aN65iES9m0i45zqalyi3NyDfqqHrbTL+Wcln29fyfnjS9unQYFupnbbGYMdKjaT1dhN95K0W/t6A+kdrTXE77bc0+B29UzY2fh4WRrxyUvPpxPJ6f4POJ+9FHeI7p4SlikWHn3nfxWzmW1LwHLIugwUQmFN0u9gkEG2qWH/4gYEjTwi8iyfVxjUe+YotocfjNJTR2rXuiPeX9D6z4YCFi5cNMYcJBvwa0XNu1jN6a+ZcrFyD78+Qgy+bZASsD2hVsK2i1sQ4xx3aFxK0bFfrR4TX2vdulocaYjOZsu4Q9Xmu51eHVm/VZBC8IBKDkwT6+0wBhoCrfYhnsVKuaMRmh7k+YCfWXkB8QROmAtcS5FX3ZlRl/+v1fLzGG+DsLe0NZXss+DrLVikXu5GzK2WMkutuWj2VJzdyKSyIV+wnXEZk5H72imoChGAbd2Gug2t2uIAH3kwibgVOMorUavXFYsBPC85CQRjRP/Yx3dWnbx4YtX6ik+RG81XGDdr1auOrP4jvh8ihjx683kOufdZ7B/w6v2kk01Dmx0XAdqjardedU0tXWZOFrxer9CFxljLOxQvMj5z6CO9OjFbZt9zXMGjx+QztjRfAO8Sg+CsucxKZ7IvgewbGtb9Ngcs0vCeNNPN6FSTKE07SnrasWivIszEmKfd4sX9+l1pBTTD1GpvUPsSwrVo1EWk5e4spnh3uNAWXuj1RF8GmoDR6CQIeYpE9HxkiCdMHbjRalPyxAZi4ra21G5rh8cVi6ZEPIS7rfKNvrZGacq6tMZJA35/EaxOZtQrCO6a3YFI9VbuoWAj/CUl8dGBYXUF9re9QS175hW+/ZY4UrJTX/a+HvO/5RUSsXnyR7Q/hInugDt7WeBblRF2Kj63ntBRKp0c1iEjLUIBbkoEdcGJ0Pw+fEZZxD735NtMBVDntDLRbHwSPcHhLY+RAi4yEqz3orJgVuJjUfyKxLZaRm8Jb3dM/cQUq5TZ1fuOFm1y15f7RDCXAECIp9xkxX/C/B6QPDkfHXWUYJb6O7kgvONoreG6NiRf2Dh6LA3X2cNDuibwQy0cy94d77vwr3gGnW0vmOPxSQQQ3wmlkm5eLq3brm0ZNlr5JZOUur3FB4Lcu+y/5W8ihsOexgSbjrKyS20Vxt1dxyj2adJGl4XmLU2NvbdcBTdo0Tr7T/HVxa6MPORBCAefwlX4xPzWiLH1Ls6OWvpkC6vyhnDYq2408iuzMQUAV/y2Tolif3jIIjFAJ4xCXBfT4WOT0umag3YV0rMZYab5Cz558e7a30XKoMRHahC3Df8b9t9hKAU4X1Ljk/nYa8bZp0Ew9UYyAP9ZiTgwoCM+xRfHQezPm6lC8pHqieLLpQV5X5HaIyMmCGEFMCxkESunnWQqQsae+7oiV3w+5Dz8pVCLSh0y6FAnlnGZ6dYIuo+MTwv6VJSw9OaI1nJHNMe9guGM9wYMxX25HDH9JUItQIhtyyFIkFkiK/BrleAaEmqOrQvovkzmttGJ96TcvK5hGadJOq4lIq4ZYyyaEt5YQ6AxUOFVOggjyekGQgvINoFrE+z4o5odPHVv9NoBmLhiI8kATeCBAcG15RTn97v6
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T12:21:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cac8cc9-7984-4dfa-85f8-49af950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T12:15:05.000Z" ,
"modified" : "2019-04-09T12:15:05.000Z" ,
"pattern" : "[domain-name:value = 'todaysfutbol.com' AND domain-name:resolves_to_refs[*].value = '211.24.237.226']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T12:15:05Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cac8dc1-95dc-466e-85ce-4b0c950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T12:19:13.000Z" ,
"modified" : "2019-04-09T12:19:13.000Z" ,
"pattern" : "[domain-name:value = 'mypremierfutbol.com' AND domain-name:resolves_to_refs[*].value = '78.111.169.146']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T12:19:13Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cacea17-9ba0-4939-95e7-474c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T18:53:11.000Z" ,
"modified" : "2019-04-09T18:53:11.000Z" ,
"pattern" : "[file:hashes.MD5 = '360752e2f6938ae91ac8fb212c62c0c4' AND file:hashes.SHA1 = '346de24b4081b0dbccd0f3458734b08258eed8a7' AND file:hashes.SHA256 = 'f34c85bb4fcd87225468d0e8ee4441ebc92f42b3f69500d85e28be3c553ce433' AND file:x_misp_text = 'We wondered about the deployment of these curious samples. All of the functionality pointed to\r\na command-and-control module meant to function alongside other components, and not as a\r\nstandalone piece. As we hunted, we came across an unpacked/unobfuscated sample of\r\nStuxnet presumably compiled in 2009 that contained Stuxshop in its entirety' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T18:53:11Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--2868aeaa-a19a-4b36-b693-e55b1a32d633" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T19:14:10.000Z" ,
"modified" : "2019-04-09T19:14:10.000Z" ,
"pattern" : "[file:hashes.MD5 = 'fa1e5eec39910a34ede1c4351ccecec8' AND file:hashes.SHA1 = 'ca3c5872080ec86a041b2b887caec9f28ba7b884' AND file:hashes.SHA256 = 'c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T19:14:10Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--95f4e9d8-aec9-4e52-b133-8688a3857540" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T19:14:10.000Z" ,
"modified" : "2019-04-09T19:14:10.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-04-09T14:27:10" ,
"category" : "Other" ,
"comment" : "Flowershop samples with relevant code overlap" ,
"uuid" : "b0d502dd-ff60-4d76-a5a3-7ffd57be3fe0"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532/analysis/1554820030/" ,
"category" : "Payload delivery" ,
"comment" : "Flowershop samples with relevant code overlap" ,
"uuid" : "6094c770-b3db-4eff-9f59-3e51787a615a"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "45/70" ,
"category" : "Payload delivery" ,
"comment" : "Flowershop samples with relevant code overlap" ,
"uuid" : "eb3ecbbe-9ed5-487c-9321-967a75105a4d"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--d7f8c044-89dc-411c-a777-6110c35e1185" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T19:14:10.000Z" ,
"modified" : "2019-04-09T19:14:10.000Z" ,
"pattern" : "[file:hashes.MD5 = '984c7734a61f5b0c22291a4e26b224be' AND file:hashes.SHA1 = '2a1cc9c615cc2a798cf491a81e52ca050d4e828b' AND file:hashes.SHA256 = '683ce2c7c80b180768fe4d2a39030dc7c4f67db79d1953ee4803522131f533a3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T19:14:10Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--73ebef95-1302-4712-b237-7aba3002f249" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T19:14:10.000Z" ,
"modified" : "2019-04-09T19:14:10.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-04-09T17:37:54" ,
"category" : "Other" ,
"comment" : "Flowershop samples with relevant code overlap" ,
"uuid" : "ad8d9850-f381-49c6-b650-62a57c8bf3b6"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/683ce2c7c80b180768fe4d2a39030dc7c4f67db79d1953ee4803522131f533a3/analysis/1554831474/" ,
"category" : "Payload delivery" ,
"comment" : "Flowershop samples with relevant code overlap" ,
"uuid" : "1a976776-aafe-414e-bcf5-acd3caf060cf"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "27/65" ,
"category" : "Payload delivery" ,
"comment" : "Flowershop samples with relevant code overlap" ,
"uuid" : "bcf66b81-63ce-495d-aee2-1dffdf10aae4"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--308606ca-729c-4050-8d8e-72f00f17a981" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T19:14:10.000Z" ,
"modified" : "2019-04-09T19:14:10.000Z" ,
"pattern" : "[file:hashes.MD5 = '4e0a3498438adda8c50c3e101cfa86c5' AND file:hashes.SHA1 = '0655670f1cb40e84ba12adb9711f001269712054' AND file:hashes.SHA256 = 'ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T19:14:10Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--7403084a-f132-4ff9-a53b-6342ed8032ee" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T19:14:10.000Z" ,
"modified" : "2019-04-09T19:14:10.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-04-09T14:27:24" ,
"category" : "Other" ,
"comment" : "Flowershop samples with relevant code overlap" ,
"uuid" : "7176c395-37ca-4d30-941c-0b19c00a2996"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300/analysis/1554820044/" ,
"category" : "Payload delivery" ,
"comment" : "Flowershop samples with relevant code overlap" ,
"uuid" : "958ba48c-fd6d-489d-8c11-2f6bc6f79191"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "45/69" ,
"category" : "Payload delivery" ,
"comment" : "Flowershop samples with relevant code overlap" ,
"uuid" : "c149c768-5027-4e7e-a5d6-8ebac9b6bb3c"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--dbbdfe4d-13dc-4fc2-b189-0582aec45f8f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T19:14:10.000Z" ,
"modified" : "2019-04-09T19:14:10.000Z" ,
"pattern" : "[file:hashes.MD5 = '3ba57784d7fd4302fe74beb648b28dc1' AND file:hashes.SHA1 = '648a62d74ab1076e66a7a70f0899b8093eca2b01' AND file:hashes.SHA256 = '32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T19:14:10Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--67191d81-2968-4471-b804-e92b25166e28" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T19:14:10.000Z" ,
"modified" : "2019-04-09T19:14:10.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-04-09T14:25:43" ,
"category" : "Other" ,
"comment" : "Flowershop samples with relevant code overlap" ,
"uuid" : "0052a797-5299-43f8-bb60-fc6f0e5b8827"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a/analysis/1554819943/" ,
"category" : "Payload delivery" ,
"comment" : "Flowershop samples with relevant code overlap" ,
"uuid" : "fafdb38f-5748-48f9-8873-6c6086237764"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "44/70" ,
"category" : "Payload delivery" ,
"comment" : "Flowershop samples with relevant code overlap" ,
"uuid" : "5d48d630-34cc-4288-aabf-4186fcaede15"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--de4d97dc-5512-4f11-b590-7f56e1877cdc" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T19:14:11.000Z" ,
"modified" : "2019-04-09T19:14:11.000Z" ,
"pattern" : "[file:hashes.MD5 = '300d2a3f47803c2814a45382d84d3446' AND file:hashes.SHA1 = 'ec5dd52971f550a77c3544819c56674378976509' AND file:hashes.SHA256 = '1daa2b15b70e486927c8fc06eed434080ab408a1b320be9fefe193c20d1d9a7f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T19:14:11Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--555db026-ee1b-4775-91f4-a1b52245a78c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T19:14:11.000Z" ,
"modified" : "2019-04-09T19:14:11.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-04-09T17:37:53" ,
"category" : "Other" ,
"comment" : "Stuxshop Modules" ,
"uuid" : "54971c2b-ffc5-4568-a9dc-9ba3ec8e95e3"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/1daa2b15b70e486927c8fc06eed434080ab408a1b320be9fefe193c20d1d9a7f/analysis/1554831473/" ,
"category" : "Payload delivery" ,
"comment" : "Stuxshop Modules" ,
"uuid" : "ae87b543-4eaf-4790-847a-9e81e2576099"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "43/68" ,
"category" : "Payload delivery" ,
"comment" : "Stuxshop Modules" ,
"uuid" : "e44ee586-67fa-4411-a3d4-329acf59622b"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--6b9bfb62-ea86-4bb9-9d1e-7aa8ed2150eb" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T19:14:11.000Z" ,
"modified" : "2019-04-09T19:14:11.000Z" ,
"pattern" : "[file:hashes.MD5 = '7b0e7297d5157586f4075098be9efc8c' AND file:hashes.SHA1 = '421156c4858878ef8beeadf54c4549095445b682' AND file:hashes.SHA256 = '63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T19:14:11Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--ddaf5a99-1963-4a4a-93eb-0b69396bbb46" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T19:14:11.000Z" ,
"modified" : "2019-04-09T19:14:11.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-04-09T14:20:50" ,
"category" : "Other" ,
"comment" : "Flowershop samples with relevant code overlap" ,
"uuid" : "46da9467-63b7-4c06-9c57-d83d362007b6"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb/analysis/1554819650/" ,
"category" : "Payload delivery" ,
"comment" : "Flowershop samples with relevant code overlap" ,
"uuid" : "2de83530-15bd-4536-a3d9-51752d3a52fd"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "45/71" ,
"category" : "Payload delivery" ,
"comment" : "Flowershop samples with relevant code overlap" ,
"uuid" : "ffca2167-370b-44d8-8eb2-7bfbd7118538"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--6edd0812-8c25-4923-8e60-1872a7a81a1c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T19:14:11.000Z" ,
"modified" : "2019-04-09T19:14:11.000Z" ,
"pattern" : "[file:hashes.MD5 = '79c02836b6b6939ecea43691278424e8' AND file:hashes.SHA1 = '62e021e7ce7e6c382820b5a083221732ef5649b9' AND file:hashes.SHA256 = 'a01845255bdc61b610cac269a5562ad09415aaf2a1490d53d55c4c3597670803']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T19:14:11Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--b7b2cc69-43cb-4213-9dfd-d7b5043a819d" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T19:14:11.000Z" ,
"modified" : "2019-04-09T19:14:11.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-04-09T17:37:55" ,
"category" : "Other" ,
"comment" : "Stuxnet Installers with Resource 231" ,
"uuid" : "be7cd761-b99d-441d-8fe3-98c0fe63ff8a"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/a01845255bdc61b610cac269a5562ad09415aaf2a1490d53d55c4c3597670803/analysis/1554831475/" ,
"category" : "Payload delivery" ,
"comment" : "Stuxnet Installers with Resource 231" ,
"uuid" : "9a5f1b2c-0306-4d7f-8ad9-d8d57a895f7b"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "44/64" ,
"category" : "Payload delivery" ,
"comment" : "Stuxnet Installers with Resource 231" ,
"uuid" : "01cbe4d0-780b-4530-9812-d999bc1938d2"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--421a889c-305d-4fee-a7c9-6b0114a2beb9" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T19:14:11.000Z" ,
"modified" : "2019-04-09T19:14:11.000Z" ,
"pattern" : "[file:hashes.MD5 = '6df1c77d4aabc3e3d91fcfdba8e7986d' AND file:hashes.SHA1 = '39b106c2405c3b5d65ddbb17571fc53b26893e9a' AND file:hashes.SHA256 = '77211838bb6783121fe1aeff182c8cc1cba9c9f0c1e5a0027e0c0b9dfa18e2ac']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T19:14:11Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--596ec4c3-ec57-4be1-8edf-777fb2b48aa0" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T19:14:11.000Z" ,
"modified" : "2019-04-09T19:14:11.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-04-09T17:37:55" ,
"category" : "Other" ,
"comment" : "Stuxnet Installers with Resource 231" ,
"uuid" : "ea99549b-5bd3-47dd-aa68-bda0ce2c3b42"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/77211838bb6783121fe1aeff182c8cc1cba9c9f0c1e5a0027e0c0b9dfa18e2ac/analysis/1554831475/" ,
"category" : "Payload delivery" ,
"comment" : "Stuxnet Installers with Resource 231" ,
"uuid" : "e50ac7c2-3672-445d-92bb-bc78d3742ba2"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "53/70" ,
"category" : "Payload delivery" ,
"comment" : "Stuxnet Installers with Resource 231" ,
"uuid" : "a6e18bf7-3d93-4c64-9b6d-021a3b2c3542"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5cacf023-7368-4a33-a5a4-4e8502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T19:18:59.000Z" ,
"modified" : "2019-04-09T19:18:59.000Z" ,
"labels" : [
"misp:name=\"malware-config\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "password" ,
"value" : "F117FA1CE233C1D7BB7726C0E49615C4622E2D1895F0D8AD4B23BADC4FD70C" ,
"category" : "Other" ,
"uuid" : "5cacf023-5f50-43d4-a585-44cc02de0b81"
} ,
{
"type" : "text" ,
"object_relation" : "config" ,
"value" : "not included" ,
"category" : "Other" ,
"uuid" : "5cacf023-fdf0-45af-9095-431502de0b81"
} ,
{
"type" : "text" ,
"object_relation" : "format" ,
"value" : "other" ,
"category" : "Other" ,
"uuid" : "5cacf023-a61c-4c80-9eff-40e202de0b81"
}
] ,
"x_misp_comment" : "The control server response is decoded using the same 31-byte XOR encoding, with yet another\r\nkey" ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "malware-config"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cacf0d7-870c-4b90-a5bb-4c1c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-09T19:21:59.000Z" ,
"modified" : "2019-04-09T19:21:59.000Z" ,
"pattern" : "[windows-registry-key:key = 'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\MS-DOS Emulation' AND windows-registry-key:values[0].data = '19790509' AND windows-registry-key:values[0].data_type = 'REG_NONE' AND windows-registry-key:values[0].name = 'NTVDM \u00e2\u20ac\u2039 TRACE' AND windows-registry-key:x_misp_root_keys = 'HKCC']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-09T19:21:59Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"registry-key\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--5c6ee049-92fb-47d2-b2c2-71974c52e2c7" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-04-09T12:07:08.000Z" ,
"modified" : "2019-04-09T12:07:08.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--5cac89aa-7884-4eb1-95fd-4a27950d210f" ,
"target_ref" : "x-misp-object--d66ade80-17a6-47a9-9efe-7b5a922dfaa1"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--d983aecd-eabf-4c5f-a29a-c62252fbb58e" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-04-09T12:21:25.000Z" ,
"modified" : "2019-04-09T12:21:25.000Z" ,
"relationship_type" : "connects-to" ,
"source_ref" : "indicator--5cac89aa-7884-4eb1-95fd-4a27950d210f" ,
"target_ref" : "indicator--5cac8cc9-7984-4dfa-85f8-49af950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--aed45e75-6378-4d10-982b-9e6b46201235" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-04-09T12:21:53.000Z" ,
"modified" : "2019-04-09T12:21:53.000Z" ,
"relationship_type" : "connects-to" ,
"source_ref" : "indicator--5cac89aa-7884-4eb1-95fd-4a27950d210f" ,
"target_ref" : "indicator--5cac8dc1-95dc-466e-85ce-4b0c950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--77bc749a-22cb-4224-b074-17ddf411a876" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-04-09T12:20:32.000Z" ,
"modified" : "2019-04-09T12:20:32.000Z" ,
"relationship_type" : "connects-to" ,
"source_ref" : "indicator--5cac8b2f-87ec-4432-bb7d-2c32950d210f" ,
"target_ref" : "indicator--5cac8cc9-7984-4dfa-85f8-49af950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--708d8365-3e7f-457f-b72e-2bb4b39757d2" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-04-09T12:21:02.000Z" ,
"modified" : "2019-04-09T12:21:02.000Z" ,
"relationship_type" : "connects-to" ,
"source_ref" : "indicator--5cac8b2f-87ec-4432-bb7d-2c32950d210f" ,
"target_ref" : "indicator--5cac8dc1-95dc-466e-85ce-4b0c950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--aff7243e-c24e-4dc8-bb57-b186cf834fe3" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-04-09T19:14:11.000Z" ,
"modified" : "2019-04-09T19:14:11.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--2868aeaa-a19a-4b36-b693-e55b1a32d633" ,
"target_ref" : "x-misp-object--95f4e9d8-aec9-4e52-b133-8688a3857540"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--83a19e13-850c-4011-bc0b-b16f3bf72677" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-04-09T19:14:11.000Z" ,
"modified" : "2019-04-09T19:14:11.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--d7f8c044-89dc-411c-a777-6110c35e1185" ,
"target_ref" : "x-misp-object--73ebef95-1302-4712-b237-7aba3002f249"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--99db8f1a-02d4-4a1f-ad2a-ebd894ee62ad" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-04-09T19:14:11.000Z" ,
"modified" : "2019-04-09T19:14:11.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--308606ca-729c-4050-8d8e-72f00f17a981" ,
"target_ref" : "x-misp-object--7403084a-f132-4ff9-a53b-6342ed8032ee"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--eb510276-19c0-4031-939e-5bde5e37fa93" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-04-09T19:14:12.000Z" ,
"modified" : "2019-04-09T19:14:12.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--dbbdfe4d-13dc-4fc2-b189-0582aec45f8f" ,
"target_ref" : "x-misp-object--67191d81-2968-4471-b804-e92b25166e28"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--44caf340-7cdc-4fa8-b9a9-ec2ff9f5702e" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-04-09T19:14:12.000Z" ,
"modified" : "2019-04-09T19:14:12.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--de4d97dc-5512-4f11-b590-7f56e1877cdc" ,
"target_ref" : "x-misp-object--555db026-ee1b-4775-91f4-a1b52245a78c"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--befa07c0-c142-436f-9b0d-42b8c79170cd" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-04-09T19:14:12.000Z" ,
"modified" : "2019-04-09T19:14:12.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--6b9bfb62-ea86-4bb9-9d1e-7aa8ed2150eb" ,
"target_ref" : "x-misp-object--ddaf5a99-1963-4a4a-93eb-0b69396bbb46"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--22a92108-502b-45ce-9394-adc37014cdb3" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-04-09T19:14:12.000Z" ,
"modified" : "2019-04-09T19:14:12.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--6edd0812-8c25-4923-8e60-1872a7a81a1c" ,
"target_ref" : "x-misp-object--b7b2cc69-43cb-4213-9dfd-d7b5043a819d"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--4003c899-dea3-42db-9beb-5bef6b56ff19" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-04-09T19:14:12.000Z" ,
"modified" : "2019-04-09T19:14:12.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--421a889c-305d-4fee-a7c9-6b0114a2beb9" ,
"target_ref" : "x-misp-object--596ec4c3-ec57-4be1-8edf-777fb2b48aa0"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}
