2023-04-21 13:25:09 +00:00
{
2023-06-14 17:31:25 +00:00
"type" : "bundle" ,
"id" : "bundle--585b9a80-9910-4d24-a695-4ac4950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:28:54.000Z" ,
"modified" : "2016-12-22T09:28:54.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--585b9a80-9910-4d24-a695-4ac4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:28:54.000Z" ,
"modified" : "2016-12-22T09:28:54.000Z" ,
"name" : "OSINT - New Linux/Rakos threat: devices and servers under SSH scan (again)" ,
"published" : "2016-12-22T09:29:15Z" ,
"object_refs" : [
"observed-data--585b9ab7-3758-4e28-8a36-420d950d210f" ,
"url--585b9ab7-3758-4e28-8a36-420d950d210f" ,
"x-misp-attribute--585b9acb-d250-4b85-9788-454d950d210f" ,
"indicator--585b9b48-e214-418d-a783-4282950d210f" ,
"indicator--585b9b49-9dbc-48f4-805c-4440950d210f" ,
"indicator--585b9b49-1e04-4b8b-bf8d-4094950d210f" ,
"indicator--585b9b4a-ac98-421e-9bad-4177950d210f" ,
"indicator--585b9b4a-1170-424a-a910-47e2950d210f" ,
"indicator--585b9b4b-e118-4029-acad-457c950d210f" ,
"indicator--585b9b4b-f3e4-4409-9055-4e76950d210f" ,
"indicator--585b9b4c-50fc-4127-8fe1-4124950d210f" ,
"indicator--585b9b4d-8288-425a-b8ee-4ca7950d210f" ,
"indicator--585b9b4d-db34-4230-90a2-4661950d210f" ,
"indicator--585b9b5f-495c-448d-bf2f-453a950d210f" ,
"indicator--585b9b5f-a210-4acc-afcb-4dc9950d210f" ,
"indicator--585b9b60-ad74-4c0d-9e30-4464950d210f" ,
"indicator--585b9b60-8f78-45ab-a703-42a7950d210f" ,
"indicator--585b9b61-2478-4795-8f7f-4fd7950d210f" ,
"indicator--585b9b62-9ef4-47e7-b2d5-42cc950d210f" ,
"indicator--585b9b62-8c0c-435b-bbf7-4be8950d210f" ,
"indicator--585b9b63-a688-4ec8-af50-4fe8950d210f" ,
"indicator--585b9b63-0f50-43f1-b3e2-4e46950d210f" ,
"indicator--585b9b64-2a68-480f-b9e2-4241950d210f" ,
"indicator--585b9b64-a638-4fe0-b8ea-4b4d950d210f" ,
"observed-data--585b9bb7-0e94-45e9-bc34-41d4950d210f" ,
"url--585b9bb7-0e94-45e9-bc34-41d4950d210f" ,
"indicator--585b9c37-6438-41d6-949a-47cd02de0b81" ,
"indicator--585b9c38-6028-4ccd-b272-463302de0b81" ,
"observed-data--585b9c38-f430-495f-9bdf-4cb802de0b81" ,
"url--585b9c38-f430-495f-9bdf-4cb802de0b81" ,
"indicator--585b9c39-5eac-4ab3-8d4d-46aa02de0b81" ,
"indicator--585b9c3a-7244-475b-ab43-4a9302de0b81" ,
"observed-data--585b9c3b-0fbc-42f5-93d8-43c902de0b81" ,
"url--585b9c3b-0fbc-42f5-93d8-43c902de0b81" ,
"indicator--585b9c3c-1334-426d-86a9-4aca02de0b81" ,
"indicator--585b9c3c-33b4-45ad-baee-4b5f02de0b81" ,
"observed-data--585b9c3d-a0d0-4704-9c9b-46d902de0b81" ,
"url--585b9c3d-a0d0-4704-9c9b-46d902de0b81" ,
"indicator--585b9c3e-5974-4d0d-89eb-4bb802de0b81" ,
"indicator--585b9c3e-c5c0-404a-9afb-41c602de0b81" ,
"observed-data--585b9c3f-5838-4479-af90-4fdf02de0b81" ,
"url--585b9c3f-5838-4479-af90-4fdf02de0b81" ,
"indicator--585b9c40-a4c4-45ee-a6ee-4d2d02de0b81" ,
"indicator--585b9c41-9ce4-4657-8bf7-4add02de0b81" ,
"observed-data--585b9c41-1c94-44e6-93f6-440b02de0b81" ,
"url--585b9c41-1c94-44e6-93f6-440b02de0b81" ,
"indicator--585b9c42-30e0-4919-b4cc-4bd902de0b81" ,
"indicator--585b9c43-b8f0-4bd5-9366-4f9502de0b81" ,
"observed-data--585b9c44-fad4-4ea6-a16a-4b6c02de0b81" ,
"url--585b9c44-fad4-4ea6-a16a-4b6c02de0b81" ,
"indicator--585b9c44-f7d0-4d5d-bb8b-417f02de0b81" ,
"indicator--585b9c45-e288-4c14-9377-4e3b02de0b81" ,
"observed-data--585b9c46-725c-4e0a-8f2a-41d802de0b81" ,
"url--585b9c46-725c-4e0a-8f2a-41d802de0b81" ,
"indicator--585b9c46-39d0-42e2-a244-41f802de0b81" ,
"indicator--585b9c47-89cc-4c82-8a7e-440802de0b81" ,
"observed-data--585b9c47-9508-4c02-b9dd-494402de0b81" ,
"url--585b9c47-9508-4c02-b9dd-494402de0b81" ,
"indicator--585b9c48-d588-436a-b429-45e802de0b81" ,
"indicator--585b9c49-9cf0-478b-96a0-4bbb02de0b81" ,
"observed-data--585b9c49-f154-4061-9dd2-418a02de0b81" ,
"url--585b9c49-f154-4061-9dd2-418a02de0b81" ,
"indicator--585b9c4a-c2c4-4696-9479-47cf02de0b81" ,
"indicator--585b9c4a-ba88-4e51-9f22-4bab02de0b81" ,
"observed-data--585b9c4b-5124-4940-b839-484202de0b81" ,
"url--585b9c4b-5124-4940-b839-484202de0b81" ,
"indicator--585b9cd6-d508-4a59-bc68-4d69950d210f"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"ms-caro-malware:malware-platform=\"Linux\"" ,
"osint:source-type=\"blog-post\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--585b9ab7-3758-4e28-8a36-420d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:19:51.000Z" ,
"modified" : "2016-12-22T09:19:51.000Z" ,
"first_observed" : "2016-12-22T09:19:51Z" ,
"last_observed" : "2016-12-22T09:19:51Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--585b9ab7-3758-4e28-8a36-420d950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--585b9ab7-3758-4e28-8a36-420d950d210f" ,
"value" : "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--585b9acb-d250-4b85-9788-454d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:20:11.000Z" ,
"modified" : "2016-12-22T09:20:11.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "Apparently, frustrated users complain more often recently on various forums about their embedded devices being overloaded with computing and network tasks. What these particular posts have in common is the name of the process causing the problem. It is executed from a temporary directory and disguised as a part of the Java framework, namely \u00e2\u20ac\u0153.javaxxx\u00e2\u20ac\u009d. Additional names like \u00e2\u20ac\u0153.swap\u00e2\u20ac\u009d or \u00e2\u20ac\u0153kworker\u00e2\u20ac\u009d are also used. A few weeks ago, we discussed the recent Mirai incidents and Mirai-connected IoT security problems in The Hive Mind: When IoT devices go rogue and all that was written then still holds true.\r\nAttack vector\r\n\r\nThe attack is performed via brute force attempts at SSH logins, in a similar way to that in which many Linux worms operate, including Linux/Moose (which spread by attacking Telnet logins) \u00e2\u20ac\u201c also referenced here \u00e2\u20ac\u201c as analyzed by ESET since last year. The targets include both embedded devices and servers with an open SSH port and where a very weak password has been set. The obvious aim of this trojan is to assemble a list of unsecured devices and to have an opportunity to create a botnet consisting of as many zombies as possible. The scan starts with not too extensive list of IPs and spreads incrementally to more targets. Only machines that represent low-hanging fruit from the security perspective are compromised. Note that victims reported cases when they had had a strong password but they forgot their device that had online service enabled and it was reverted to a default password after a factory reset. Just a couple of hours of online exposure was enough for such a reset machine to end up compromised!"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9b48-e214-418d-a783-4282950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:22:16.000Z" ,
"modified" : "2016-12-22T09:22:16.000Z" ,
"description" : "EM_X86_64 - 688" ,
"pattern" : "[file:hashes.SHA1 = 'f80836349d6e97251030190ecd30dda0047f1ee6']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:22:16Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9b49-9dbc-48f4-805c-4440950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:22:17.000Z" ,
"modified" : "2016-12-22T09:22:17.000Z" ,
"description" : "EM_X86_64 - 694" ,
"pattern" : "[file:hashes.SHA1 = 'def04ec688ac6b41580dd3a6e78445b56536ba34']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:22:17Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9b49-1e04-4b8b-bf8d-4094950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:22:17.000Z" ,
"modified" : "2016-12-22T09:22:17.000Z" ,
"description" : "EM_X86_64 - 695" ,
"pattern" : "[file:hashes.SHA1 = '3435ca5505ce8dfe8e1b22e0ebd4f41c60050cc0']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:22:17Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9b4a-ac98-421e-9bad-4177950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:22:18.000Z" ,
"modified" : "2016-12-22T09:22:18.000Z" ,
"description" : "EM_X86_64\t- 697" ,
"pattern" : "[file:hashes.SHA1 = 'e53c73fe6a552eab720e7ee685ea4e159ebd4fdd']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:22:18Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9b4a-1170-424a-a910-47e2950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:22:18.000Z" ,
"modified" : "2016-12-22T09:22:18.000Z" ,
"description" : "EM_X86_64 - 698" ,
"pattern" : "[file:hashes.SHA1 = 'c93bddd9cdb4f2e185b54a4931257954e25e7c37']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:22:18Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9b4b-e118-4029-acad-457c950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:22:19.000Z" ,
"modified" : "2016-12-22T09:22:19.000Z" ,
"description" : "EM_MIPS - ???" ,
"pattern" : "[file:hashes.SHA1 = '14af6254d9ca310b4d52778d050cb8dd7a5de1d8']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:22:19Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9b4b-f3e4-4409-9055-4e76950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:22:19.000Z" ,
"modified" : "2016-12-22T09:22:19.000Z" ,
"description" : "EM_386 - 700" ,
"pattern" : "[file:hashes.SHA1 = 'c54d50025d9f66ce2ace3361a8626aee468d94ba']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:22:19Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9b4c-50fc-4127-8fe1-4124950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:22:20.000Z" ,
"modified" : "2016-12-22T09:22:20.000Z" ,
"description" : "EM_386 - 706" ,
"pattern" : "[file:hashes.SHA1 = '36b2fffe98f517355425797fc242f2cb82271c0c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:22:20Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9b4d-8288-425a-b8ee-4ca7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:22:21.000Z" ,
"modified" : "2016-12-22T09:22:21.000Z" ,
"description" : "EM_386\t - 708" ,
"pattern" : "[file:hashes.SHA1 = 'e46e8e5e823eb0466981afb7683fd918d6fe78a9']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:22:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9b4d-db34-4230-90a2-4661950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:22:21.000Z" ,
"modified" : "2016-12-22T09:22:21.000Z" ,
"description" : "EM_386\t - 711" ,
"pattern" : "[file:hashes.SHA1 = '0492e5c07c1426af9ce73ad33e00a3fd8477c6c2']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:22:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9b5f-495c-448d-bf2f-453a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:22:39.000Z" ,
"modified" : "2016-12-22T09:22:39.000Z" ,
"description" : "C&C Servers" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '217.12.208.28']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:22:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9b5f-a210-4acc-afcb-4dc9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:22:39.000Z" ,
"modified" : "2016-12-22T09:22:39.000Z" ,
"description" : "C&C Servers" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '217.12.203.31']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:22:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9b60-ad74-4c0d-9e30-4464950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:22:40.000Z" ,
"modified" : "2016-12-22T09:22:40.000Z" ,
"description" : "C&C Servers" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '193.169.245.68']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:22:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9b60-8f78-45ab-a703-42a7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:22:40.000Z" ,
"modified" : "2016-12-22T09:22:40.000Z" ,
"description" : "C&C Servers" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '46.8.44.55']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:22:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9b61-2478-4795-8f7f-4fd7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:22:41.000Z" ,
"modified" : "2016-12-22T09:22:41.000Z" ,
"description" : "C&C Servers" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.123.210.100']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:22:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9b62-9ef4-47e7-b2d5-42cc950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:22:41.000Z" ,
"modified" : "2016-12-22T09:22:41.000Z" ,
"description" : "C&C Servers" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.34.183.231']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:22:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9b62-8c0c-435b-bbf7-4be8950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:22:42.000Z" ,
"modified" : "2016-12-22T09:22:42.000Z" ,
"description" : "C&C Servers" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.34.180.64']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:22:42Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9b63-a688-4ec8-af50-4fe8950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:22:43.000Z" ,
"modified" : "2016-12-22T09:22:43.000Z" ,
"description" : "C&C Servers" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.82.216.125']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:22:43Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9b63-0f50-43f1-b3e2-4e46950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:22:43.000Z" ,
"modified" : "2016-12-22T09:22:43.000Z" ,
"description" : "C&C Servers" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.14.30.78']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:22:43Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9b64-2a68-480f-b9e2-4241950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:22:44.000Z" ,
"modified" : "2016-12-22T09:22:44.000Z" ,
"description" : "C&C Servers" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.14.29.65']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:22:44Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9b64-a638-4fe0-b8ea-4b4d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:22:44.000Z" ,
"modified" : "2016-12-22T09:22:44.000Z" ,
"description" : "C&C Servers" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.20.184.117']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:22:44Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--585b9bb7-0e94-45e9-bc34-41d4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:24:07.000Z" ,
"modified" : "2016-12-22T09:24:07.000Z" ,
"first_observed" : "2016-12-22T09:24:07Z" ,
"last_observed" : "2016-12-22T09:24:07Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--585b9bb7-0e94-45e9-bc34-41d4950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--585b9bb7-0e94-45e9-bc34-41d4950d210f" ,
"value" : "https://github.com/eset/malware-ioc/tree/master/rakos"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9c37-6438-41d6-949a-47cd02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:15.000Z" ,
"modified" : "2016-12-22T09:26:15.000Z" ,
"description" : "EM_386\t - 711 - Xchecked via VT: 0492e5c07c1426af9ce73ad33e00a3fd8477c6c2" ,
"pattern" : "[file:hashes.SHA256 = '62f875a31c5f8541a68176d03c3b9d6d0ee6fa90cf54307d7d07aed5fc573797']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:26:15Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9c38-6028-4ccd-b272-463302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:16.000Z" ,
"modified" : "2016-12-22T09:26:16.000Z" ,
"description" : "EM_386\t - 711 - Xchecked via VT: 0492e5c07c1426af9ce73ad33e00a3fd8477c6c2" ,
"pattern" : "[file:hashes.MD5 = '7b88cf30540ab8df0ded406097c51b46']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:26:16Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--585b9c38-f430-495f-9bdf-4cb802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:16.000Z" ,
"modified" : "2016-12-22T09:26:16.000Z" ,
"first_observed" : "2016-12-22T09:26:16Z" ,
"last_observed" : "2016-12-22T09:26:16Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--585b9c38-f430-495f-9bdf-4cb802de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--585b9c38-f430-495f-9bdf-4cb802de0b81" ,
"value" : "https://www.virustotal.com/file/62f875a31c5f8541a68176d03c3b9d6d0ee6fa90cf54307d7d07aed5fc573797/analysis/1481878860/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9c39-5eac-4ab3-8d4d-46aa02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:17.000Z" ,
"modified" : "2016-12-22T09:26:17.000Z" ,
"description" : "EM_386\t - 708 - Xchecked via VT: e46e8e5e823eb0466981afb7683fd918d6fe78a9" ,
"pattern" : "[file:hashes.SHA256 = '90cd3e16d6d0069e758bb7c1ec929354be24f52857bd77fdd246e20e4aaca75d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:26:17Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9c3a-7244-475b-ab43-4a9302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:18.000Z" ,
"modified" : "2016-12-22T09:26:18.000Z" ,
"description" : "EM_386\t - 708 - Xchecked via VT: e46e8e5e823eb0466981afb7683fd918d6fe78a9" ,
"pattern" : "[file:hashes.MD5 = 'ca21c63269febcfe73fec9e1041ed903']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:26:18Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--585b9c3b-0fbc-42f5-93d8-43c902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:19.000Z" ,
"modified" : "2016-12-22T09:26:19.000Z" ,
"first_observed" : "2016-12-22T09:26:19Z" ,
"last_observed" : "2016-12-22T09:26:19Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--585b9c3b-0fbc-42f5-93d8-43c902de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--585b9c3b-0fbc-42f5-93d8-43c902de0b81" ,
"value" : "https://www.virustotal.com/file/90cd3e16d6d0069e758bb7c1ec929354be24f52857bd77fdd246e20e4aaca75d/analysis/1481878661/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9c3c-1334-426d-86a9-4aca02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:20.000Z" ,
"modified" : "2016-12-22T09:26:20.000Z" ,
"description" : "EM_386 - 706 - Xchecked via VT: 36b2fffe98f517355425797fc242f2cb82271c0c" ,
"pattern" : "[file:hashes.SHA256 = '2a77e8d43b347c4ccf80271493eedf7b7b7f45d1e30e818e321657cf9a14f1d9']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:26:20Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9c3c-33b4-45ad-baee-4b5f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:20.000Z" ,
"modified" : "2016-12-22T09:26:20.000Z" ,
"description" : "EM_386 - 706 - Xchecked via VT: 36b2fffe98f517355425797fc242f2cb82271c0c" ,
"pattern" : "[file:hashes.MD5 = '96c5ec03c20491389a240ead5cbd72fe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:26:20Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--585b9c3d-a0d0-4704-9c9b-46d902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:21.000Z" ,
"modified" : "2016-12-22T09:26:21.000Z" ,
"first_observed" : "2016-12-22T09:26:21Z" ,
"last_observed" : "2016-12-22T09:26:21Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--585b9c3d-a0d0-4704-9c9b-46d902de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--585b9c3d-a0d0-4704-9c9b-46d902de0b81" ,
"value" : "https://www.virustotal.com/file/2a77e8d43b347c4ccf80271493eedf7b7b7f45d1e30e818e321657cf9a14f1d9/analysis/1482355624/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9c3e-5974-4d0d-89eb-4bb802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:22.000Z" ,
"modified" : "2016-12-22T09:26:22.000Z" ,
"description" : "EM_386 - 700 - Xchecked via VT: c54d50025d9f66ce2ace3361a8626aee468d94ba" ,
"pattern" : "[file:hashes.SHA256 = 'efedce38a1908a27115e05b3e62fab52f68fae2db5ae1c50c455f007f964c6d2']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:26:22Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9c3e-c5c0-404a-9afb-41c602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:22.000Z" ,
"modified" : "2016-12-22T09:26:22.000Z" ,
"description" : "EM_386 - 700 - Xchecked via VT: c54d50025d9f66ce2ace3361a8626aee468d94ba" ,
"pattern" : "[file:hashes.MD5 = 'ce12f465f353bb1b64f790a5e4cd45af']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:26:22Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--585b9c3f-5838-4479-af90-4fdf02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:23.000Z" ,
"modified" : "2016-12-22T09:26:23.000Z" ,
"first_observed" : "2016-12-22T09:26:23Z" ,
"last_observed" : "2016-12-22T09:26:23Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--585b9c3f-5838-4479-af90-4fdf02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--585b9c3f-5838-4479-af90-4fdf02de0b81" ,
"value" : "https://www.virustotal.com/file/efedce38a1908a27115e05b3e62fab52f68fae2db5ae1c50c455f007f964c6d2/analysis/1482355624/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9c40-a4c4-45ee-a6ee-4d2d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:24.000Z" ,
"modified" : "2016-12-22T09:26:24.000Z" ,
"description" : "EM_MIPS - ??? - Xchecked via VT: 14af6254d9ca310b4d52778d050cb8dd7a5de1d8" ,
"pattern" : "[file:hashes.SHA256 = 'a7ce7dc40bb8abf835efae5ebacc82cb8af2cc57b5021f0d28dc14924022c85d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:26:24Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9c41-9ce4-4657-8bf7-4add02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:25.000Z" ,
"modified" : "2016-12-22T09:26:25.000Z" ,
"description" : "EM_MIPS - ??? - Xchecked via VT: 14af6254d9ca310b4d52778d050cb8dd7a5de1d8" ,
"pattern" : "[file:hashes.MD5 = '9a0ea27a15899e47bfe6fcc7c9df36c6']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:26:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--585b9c41-1c94-44e6-93f6-440b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:25.000Z" ,
"modified" : "2016-12-22T09:26:25.000Z" ,
"first_observed" : "2016-12-22T09:26:25Z" ,
"last_observed" : "2016-12-22T09:26:25Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--585b9c41-1c94-44e6-93f6-440b02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--585b9c41-1c94-44e6-93f6-440b02de0b81" ,
"value" : "https://www.virustotal.com/file/a7ce7dc40bb8abf835efae5ebacc82cb8af2cc57b5021f0d28dc14924022c85d/analysis/1482355624/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9c42-30e0-4919-b4cc-4bd902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:26.000Z" ,
"modified" : "2016-12-22T09:26:26.000Z" ,
"description" : "EM_X86_64 - 698 - Xchecked via VT: c93bddd9cdb4f2e185b54a4931257954e25e7c37" ,
"pattern" : "[file:hashes.SHA256 = 'd59ffe12b75f596a4a30074690f96497800a6ed97be8248c573e4048adac7e05']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:26:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9c43-b8f0-4bd5-9366-4f9502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:27.000Z" ,
"modified" : "2016-12-22T09:26:27.000Z" ,
"description" : "EM_X86_64 - 698 - Xchecked via VT: c93bddd9cdb4f2e185b54a4931257954e25e7c37" ,
"pattern" : "[file:hashes.MD5 = 'eedab74ca1303647ade4fb0b0b588a36']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:26:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--585b9c44-fad4-4ea6-a16a-4b6c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:28.000Z" ,
"modified" : "2016-12-22T09:26:28.000Z" ,
"first_observed" : "2016-12-22T09:26:28Z" ,
"last_observed" : "2016-12-22T09:26:28Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--585b9c44-fad4-4ea6-a16a-4b6c02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--585b9c44-fad4-4ea6-a16a-4b6c02de0b81" ,
"value" : "https://www.virustotal.com/file/d59ffe12b75f596a4a30074690f96497800a6ed97be8248c573e4048adac7e05/analysis/1482355623/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9c44-f7d0-4d5d-bb8b-417f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:28.000Z" ,
"modified" : "2016-12-22T09:26:28.000Z" ,
"description" : "EM_X86_64\t- 697 - Xchecked via VT: e53c73fe6a552eab720e7ee685ea4e159ebd4fdd" ,
"pattern" : "[file:hashes.SHA256 = '3fe9e1e0a2e626ef10cc443ec1725a8c17cbfa323864e0eb9359399177998470']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:26:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9c45-e288-4c14-9377-4e3b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:29.000Z" ,
"modified" : "2016-12-22T09:26:29.000Z" ,
"description" : "EM_X86_64\t- 697 - Xchecked via VT: e53c73fe6a552eab720e7ee685ea4e159ebd4fdd" ,
"pattern" : "[file:hashes.MD5 = '19705141888917dddda4cac32ec8b6fc']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:26:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--585b9c46-725c-4e0a-8f2a-41d802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:30.000Z" ,
"modified" : "2016-12-22T09:26:30.000Z" ,
"first_observed" : "2016-12-22T09:26:30Z" ,
"last_observed" : "2016-12-22T09:26:30Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--585b9c46-725c-4e0a-8f2a-41d802de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--585b9c46-725c-4e0a-8f2a-41d802de0b81" ,
"value" : "https://www.virustotal.com/file/3fe9e1e0a2e626ef10cc443ec1725a8c17cbfa323864e0eb9359399177998470/analysis/1482355623/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9c46-39d0-42e2-a244-41f802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:30.000Z" ,
"modified" : "2016-12-22T09:26:30.000Z" ,
"description" : "EM_X86_64 - 695 - Xchecked via VT: 3435ca5505ce8dfe8e1b22e0ebd4f41c60050cc0" ,
"pattern" : "[file:hashes.SHA256 = 'd731ccb407a924ca56fa9b3690e0b7debd1cce61c6de8ec63ede3a992c8af33e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:26:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9c47-89cc-4c82-8a7e-440802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:31.000Z" ,
"modified" : "2016-12-22T09:26:31.000Z" ,
"description" : "EM_X86_64 - 695 - Xchecked via VT: 3435ca5505ce8dfe8e1b22e0ebd4f41c60050cc0" ,
"pattern" : "[file:hashes.MD5 = '1c672ba32e481faeccade0ad43ea5a08']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:26:31Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--585b9c47-9508-4c02-b9dd-494402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:31.000Z" ,
"modified" : "2016-12-22T09:26:31.000Z" ,
"first_observed" : "2016-12-22T09:26:31Z" ,
"last_observed" : "2016-12-22T09:26:31Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--585b9c47-9508-4c02-b9dd-494402de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--585b9c47-9508-4c02-b9dd-494402de0b81" ,
"value" : "https://www.virustotal.com/file/d731ccb407a924ca56fa9b3690e0b7debd1cce61c6de8ec63ede3a992c8af33e/analysis/1482355623/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9c48-d588-436a-b429-45e802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:32.000Z" ,
"modified" : "2016-12-22T09:26:32.000Z" ,
"description" : "EM_X86_64 - 694 - Xchecked via VT: def04ec688ac6b41580dd3a6e78445b56536ba34" ,
"pattern" : "[file:hashes.SHA256 = '83160da5a4cb335ea2a9a72bc96c833cd7eab9df96a61c1d6f01e13668046b25']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:26:32Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9c49-9cf0-478b-96a0-4bbb02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:33.000Z" ,
"modified" : "2016-12-22T09:26:33.000Z" ,
"description" : "EM_X86_64 - 694 - Xchecked via VT: def04ec688ac6b41580dd3a6e78445b56536ba34" ,
"pattern" : "[file:hashes.MD5 = '4416e7bfbfa7318f10c8c08cff3fce5d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:26:33Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--585b9c49-f154-4061-9dd2-418a02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:33.000Z" ,
"modified" : "2016-12-22T09:26:33.000Z" ,
"first_observed" : "2016-12-22T09:26:33Z" ,
"last_observed" : "2016-12-22T09:26:33Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--585b9c49-f154-4061-9dd2-418a02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--585b9c49-f154-4061-9dd2-418a02de0b81" ,
"value" : "https://www.virustotal.com/file/83160da5a4cb335ea2a9a72bc96c833cd7eab9df96a61c1d6f01e13668046b25/analysis/1482355623/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9c4a-c2c4-4696-9479-47cf02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:34.000Z" ,
"modified" : "2016-12-22T09:26:34.000Z" ,
"description" : "EM_X86_64 - 688 - Xchecked via VT: f80836349d6e97251030190ecd30dda0047f1ee6" ,
"pattern" : "[file:hashes.SHA256 = 'ce4bb2ce2bf66ab721b808acf9d74a7a8afddd03cbaa6aa56c7788ff7b7251bb']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:26:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9c4a-ba88-4e51-9f22-4bab02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:34.000Z" ,
"modified" : "2016-12-22T09:26:34.000Z" ,
"description" : "EM_X86_64 - 688 - Xchecked via VT: f80836349d6e97251030190ecd30dda0047f1ee6" ,
"pattern" : "[file:hashes.MD5 = '841eac692e4c5fb09f18c229c59a3fcb']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:26:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--585b9c4b-5124-4940-b839-484202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:26:35.000Z" ,
"modified" : "2016-12-22T09:26:35.000Z" ,
"first_observed" : "2016-12-22T09:26:35Z" ,
"last_observed" : "2016-12-22T09:26:35Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--585b9c4b-5124-4940-b839-484202de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--585b9c4b-5124-4940-b839-484202de0b81" ,
"value" : "https://www.virustotal.com/file/ce4bb2ce2bf66ab721b808acf9d74a7a8afddd03cbaa6aa56c7788ff7b7251bb/analysis/1482247676/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--585b9cd6-d508-4a59-bc68-4d69950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-12-22T09:28:54.000Z" ,
"modified" : "2016-12-22T09:28:54.000Z" ,
"pattern" : "[rule linux_rakos\r\n{\r\n meta:\r\n description = \"Linux/Rakos.A executable\"\r\n author = \"Peter K\u00c3\u00a1lnai\"\r\n date = \"2016-12-13\"\r\n reference = \"http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/\"\r\n version = \"1\"\r\n contact = \"threatintel@eset.com\"\r\n license = \"BSD 2-Clause\"\r\n\r\n\r\n strings:\r\n $ = \"upgrade/vars.yaml\"\r\n $ = \"MUTTER\"\r\n $ = \"/tmp/.javaxxx\"\r\n $ = \"uckmydi\"\r\n\r\n condition:\r\n 3 of them\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-12-22T09:28:54Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
2023-04-21 13:25:09 +00:00
]
}