2023-04-21 13:25:09 +00:00
{
2023-06-14 17:31:25 +00:00
"type" : "bundle" ,
"id" : "bundle--59722019-3260-4062-bec5-4eea950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-07-21T15:42:35.000Z" ,
"modified" : "2017-07-21T15:42:35.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--59722019-3260-4062-bec5-4eea950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-07-21T15:42:35.000Z" ,
"modified" : "2017-07-21T15:42:35.000Z" ,
"name" : "OSINT - Linux.Bew: un backdoor para el minado de Bitcoin" ,
"published" : "2017-07-21T15:45:08Z" ,
"object_refs" : [
"observed-data--59722024-b7ec-415d-a9d6-4032950d210f" ,
"url--59722024-b7ec-415d-a9d6-4032950d210f" ,
"x-misp-attribute--59722036-ecec-4b53-a575-40ce950d210f" ,
"indicator--5972204b-2690-47f3-b113-4dc3950d210f" ,
"indicator--59722068-7e70-418e-b27b-cf65950d210f" ,
"indicator--5972207d-12d4-4674-8603-49fe950d210f" ,
"indicator--5972207d-b374-4e26-b02b-4100950d210f" ,
"indicator--59722091-daf0-4356-ac59-46a7950d210f" ,
"indicator--597220a8-2828-4a80-8910-4076950d210f" ,
"x-misp-attribute--597220ce-d71c-4ec0-b402-41d0950d210f" ,
"indicator--597220eb-0b04-447b-9d6a-471002de0b81" ,
"indicator--597220eb-f6a0-4b53-8948-400802de0b81" ,
"observed-data--597220eb-8224-4341-9cf0-495d02de0b81" ,
"url--597220eb-8224-4341-9cf0-495d02de0b81"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59722024-b7ec-415d-a9d6-4032950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-07-21T15:42:35.000Z" ,
"modified" : "2017-07-21T15:42:35.000Z" ,
"first_observed" : "2017-07-21T15:42:35Z" ,
"last_observed" : "2017-07-21T15:42:35Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59722024-b7ec-415d-a9d6-4032950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59722024-b7ec-415d-a9d6-4032950d210f" ,
"value" : "https://www.securityartwork.es/2017/07/21/linux-bew-backdoor-minado-bitcoin/"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--59722036-ecec-4b53-a575-40ce950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-07-21T15:42:35.000Z" ,
"modified" : "2017-07-21T15:42:35.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "En el siguiente art\u00c3\u00adculo vamos a analizar una muestra del binario catalogado por varias firmas antivirus como Linux.Bew. (Virustotal), malware de tipo ELF del cual hemos detectado actividad durante este \u00c3\u00baltimo mes."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5972204b-2690-47f3-b113-4dc3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-07-21T15:42:35.000Z" ,
"modified" : "2017-07-21T15:42:35.000Z" ,
"pattern" : "[file:hashes.SHA256 = '80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-07-21T15:42:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59722068-7e70-418e-b27b-cf65950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-07-21T15:42:35.000Z" ,
"modified" : "2017-07-21T15:42:35.000Z" ,
"pattern" : "[file:name = '/root/.config/kdeinit4']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-07-21T15:42:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5972207d-12d4-4674-8603-49fe950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-07-21T15:42:35.000Z" ,
"modified" : "2017-07-21T15:42:35.000Z" ,
"pattern" : "[domain-name:value = 'hfir.u230.org']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-07-21T15:42:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"hostname\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5972207d-b374-4e26-b02b-4100950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-07-21T15:42:35.000Z" ,
"modified" : "2017-07-21T15:42:35.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.211.49.214']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-07-21T15:42:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59722091-daf0-4356-ac59-46a7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-07-21T15:42:35.000Z" ,
"modified" : "2017-07-21T15:42:35.000Z" ,
"description" : "tcp/443" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.58.49.98']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-07-21T15:42:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--597220a8-2828-4a80-8910-4076950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-07-21T15:42:35.000Z" ,
"modified" : "2017-07-21T15:42:35.000Z" ,
"pattern" : "[rule LinuxBew: MALW\r\n{\r\n\tmeta:\r\n\t\tdescription = \"Linux.Bew Backdoor\"\r\n\t\tauthor = \"Joan Soriano / @w0lfvan\"\r\n\t\tdate = \"2017-07-10\"\r\n\t\tversion = \"1.0\"\r\n\t\tMD5 = \"27d857e12b9be5d43f935b8cc86eaabf\"\r\n\t\tSHA256 = \"80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06\"\r\n\tstrings:\r\n\t\t$a = \"src/secp256k1.c\"\r\n\t\t$b = \"hfir.u230.org\"\r\n\t\t$c = \u00e2\u20ac\u0153tempfile-x11session\u00e2\u20ac\u009d\r\n\tcondition:\r\n\t\tall of them\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-07-21T15:42:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--597220ce-d71c-4ec0-b402-41d0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-07-21T15:42:35.000Z" ,
"modified" : "2017-07-21T15:42:35.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"Antivirus detection\""
] ,
"x_misp_category" : "Antivirus detection" ,
"x_misp_type" : "text" ,
"x_misp_value" : "Linux.Bew"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--597220eb-0b04-447b-9d6a-471002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-07-21T15:42:35.000Z" ,
"modified" : "2017-07-21T15:42:35.000Z" ,
"description" : "- Xchecked via VT: 80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06" ,
"pattern" : "[file:hashes.SHA1 = '4c614317fd1686f8c865c0a8d367c8e22b94087f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-07-21T15:42:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--597220eb-f6a0-4b53-8948-400802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-07-21T15:42:35.000Z" ,
"modified" : "2017-07-21T15:42:35.000Z" ,
"description" : "- Xchecked via VT: 80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06" ,
"pattern" : "[file:hashes.MD5 = 'f42c73e5291392c4c39852670addd7f9']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-07-21T15:42:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--597220eb-8224-4341-9cf0-495d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-07-21T15:42:35.000Z" ,
"modified" : "2017-07-21T15:42:35.000Z" ,
"first_observed" : "2017-07-21T15:42:35Z" ,
"last_observed" : "2017-07-21T15:42:35Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--597220eb-8224-4341-9cf0-495d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--597220eb-8224-4341-9cf0-495d02de0b81" ,
"value" : "https://www.virustotal.com/file/80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06/analysis/1499436533/"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
2023-04-21 13:25:09 +00:00
]
}