{
"type": "bundle",
"id": "bundle--5ccf3134-ea64-43c1-a356-f9f3950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-13T09:20:09.000Z",
"modified": "2019-05-13T09:20:09.000Z",
"name": "MalwareMustDie",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--5ccf3134-ea64-43c1-a356-f9f3950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-13T09:20:09.000Z",
"modified": "2019-05-13T09:20:09.000Z",
"name": "SystemTen (ELF trojan installer, miner, bot and rootkit) / ex-Rocke",
"context": "suspicious-activity",
"object_refs": [
"observed-data--5ccf331e-da90-4718-94c8-49d3950d210f",
"url--5ccf331e-da90-4718-94c8-49d3950d210f",
"observed-data--5ccf331e-1534-4301-9d4c-4d32950d210f",
"url--5ccf331e-1534-4301-9d4c-4d32950d210f",
"observed-data--5ccf338a-a70c-4aef-ae6c-4b95950d210f",
"file--5ccf338a-a70c-4aef-ae6c-4b95950d210f",
"observed-data--5ccf338a-41ec-4332-86d4-4ee9950d210f",
"file--5ccf338a-41ec-4332-86d4-4ee9950d210f",
"observed-data--5ccf338a-3788-4d10-8dfb-45b6950d210f",
"file--5ccf338a-3788-4d10-8dfb-45b6950d210f",
"observed-data--5ccf338b-8d84-4997-9c96-454a950d210f",
"file--5ccf338b-8d84-4997-9c96-454a950d210f",
"observed-data--5ccf338b-2d54-4f22-afff-4296950d210f",
"file--5ccf338b-2d54-4f22-afff-4296950d210f",
"observed-data--5ccf338b-9b24-43ce-ba79-400f950d210f",
"file--5ccf338b-9b24-43ce-ba79-400f950d210f",
"observed-data--5ccf338b-7164-4214-b2af-489a950d210f",
"file--5ccf338b-7164-4214-b2af-489a950d210f",
"observed-data--5ccf338b-29f4-4d56-91a8-4ec9950d210f",
"file--5ccf338b-29f4-4d56-91a8-4ec9950d210f",
"observed-data--5ccf338b-8848-4992-830d-4f87950d210f",
"file--5ccf338b-8848-4992-830d-4f87950d210f",
"observed-data--5ccf338b-0c80-4351-9fe5-4ae4950d210f",
"file--5ccf338b-0c80-4351-9fe5-4ae4950d210f",
"observed-data--5ccf338b-e194-463f-86b2-4c83950d210f",
"file--5ccf338b-e194-463f-86b2-4c83950d210f",
"observed-data--5ccf338b-dc8c-4e16-930c-4ea4950d210f",
"file--5ccf338b-dc8c-4e16-930c-4ea4950d210f",
"observed-data--5ccf338b-d720-4e12-9828-400b950d210f",
"file--5ccf338b-d720-4e12-9828-400b950d210f",
"observed-data--5ccf338b-9eec-415d-8713-4dba950d210f",
"file--5ccf338b-9eec-415d-8713-4dba950d210f",
"observed-data--5ccf338b-9ca0-4ff6-906a-4949950d210f",
"file--5ccf338b-9ca0-4ff6-906a-4949950d210f",
"observed-data--5ccf338b-34c4-4ceb-9797-4327950d210f",
"file--5ccf338b-34c4-4ceb-9797-4327950d210f",
"observed-data--5ccf338b-1e8c-4620-b81d-48a7950d210f",
"file--5ccf338b-1e8c-4620-b81d-48a7950d210f",
"observed-data--5ccf338b-d71c-4be9-bf9f-424d950d210f",
"file--5ccf338b-d71c-4be9-bf9f-424d950d210f",
"observed-data--5ccf338b-20fc-4572-980b-4937950d210f",
"file--5ccf338b-20fc-4572-980b-4937950d210f",
"observed-data--5ccf338b-77c0-4310-b0b8-4155950d210f",
"file--5ccf338b-77c0-4310-b0b8-4155950d210f",
"observed-data--5ccf338b-5f70-42cf-b488-4660950d210f",
"file--5ccf338b-5f70-42cf-b488-4660950d210f",
"observed-data--5ccf338b-fc44-4109-98ee-4ea1950d210f",
"file--5ccf338b-fc44-4109-98ee-4ea1950d210f",
"observed-data--5ccf33c6-84b8-4b61-8d12-4c63950d210f",
"file--5ccf33c6-84b8-4b61-8d12-4c63950d210f",
"observed-data--5ccf33c6-8bd4-4b84-ae73-43ef950d210f",
"file--5ccf33c6-8bd4-4b84-ae73-43ef950d210f",
"observed-data--5ccf33c6-2c48-49d9-bdc6-4af6950d210f",
"file--5ccf33c6-2c48-49d9-bdc6-4af6950d210f",
"observed-data--5ccf33c6-1690-4a1c-a41e-4b65950d210f",
"file--5ccf33c6-1690-4a1c-a41e-4b65950d210f",
"observed-data--5ccf33c6-f0d4-4a32-9cc7-405e950d210f",
"file--5ccf33c6-f0d4-4a32-9cc7-405e950d210f",
"indicator--5ccf343e-6444-410e-9d87-415c950d210f",
"indicator--5ccf343e-3880-492a-93ba-423d950d210f",
"indicator--5ccf343e-6234-48a2-88f4-4734950d210f",
"indicator--5ccf343e-0500-4226-90d9-477b950d210f",
"indicator--5ccf343e-59ac-4de1-be7e-408b950d210f",
"indicator--5ccf343e-5098-44d0-bb39-4100950d210f",
"indicator--5ccf343e-31a4-4dfe-8318-4e1e950d210f",
"indicator--5ccf343e-a4c8-4a2a-99ee-45d6950d210f",
"indicator--5ccf343e-f58c-4fdd-95f2-46dd950d210f",
"indicator--5ccf343e-aa74-4740-8638-495d950d210f",
"indicator--5ccf343e-2c70-41eb-a61c-45b3950d210f",
"indicator--5ccf343e-f75c-4aae-b652-4e03950d210f",
"indicator--5ccf343e-0e58-4347-8020-4d32950d210f",
"indicator--5ccf355f-6d0c-41a1-a55a-4dc7950d210f",
"indicator--5ccf355f-04d4-4359-8fbb-47cf950d210f",
"indicator--5ccf355f-93a0-48b2-b7fc-427d950d210f",
"indicator--5ccf355f-39dc-4d46-beeb-4488950d210f",
"indicator--5ccf355f-f5f8-439d-bb9f-49f8950d210f",
"indicator--5ccf355f-9aa4-4759-8b0d-4838950d210f",
"indicator--5ccf355f-3460-4721-8f60-4d31950d210f",
"indicator--5ccf355f-f270-4244-9357-4038950d210f",
"indicator--5ccf355f-c340-44b6-92e4-41db950d210f",
"indicator--5ccf355f-7d68-4c6f-bdd4-41f3950d210f",
"indicator--5ccf355f-2e94-48e5-b56a-42e1950d210f",
"x-misp-attribute--5ccf35e3-4f10-4cff-bb9a-4eed950d210f",
"x-misp-attribute--5ccf362e-9478-4f19-b38c-41d1950d210f",
"vulnerability--5ccf3763-4e98-46e5-b64c-4985950d210f",
"vulnerability--5ccf3763-64f0-41eb-a327-4194950d210f",
"vulnerability--5ccf3763-b7f8-47ae-9128-4942950d210f",
"vulnerability--5ccf3763-eaf8-4649-9c25-489b950d210f",
"vulnerability--5ccf3763-2438-4331-92c7-4ddd950d210f",
"x-misp-attribute--5ccf37df-cc1c-4c56-9a7d-4079950d210f",
"observed-data--5ccf38a2-4590-42df-a18a-4fe6950d210f",
"url--5ccf38a2-4590-42df-a18a-4fe6950d210f",
"x-misp-attribute--5ccf3940-ddec-4518-b17f-4419950d210f",
"x-misp-attribute--5ccf39ae-2d8c-4d58-af04-419e950d210f",
"observed-data--5ccf3d10-ac0c-447c-814e-43c2950d210f",
"network-traffic--5ccf3d10-ac0c-447c-814e-43c2950d210f",
"ipv4-addr--5ccf3d10-ac0c-447c-814e-43c2950d210f",
"observed-data--5ccf3d10-b734-4496-b135-4bc8950d210f",
"network-traffic--5ccf3d10-b734-4496-b135-4bc8950d210f",
"ipv4-addr--5ccf3d10-b734-4496-b135-4bc8950d210f",
"observed-data--5ccf3d10-2f7c-4ceb-892e-46f0950d210f",
"network-traffic--5ccf3d10-2f7c-4ceb-892e-46f0950d210f",
"ipv4-addr--5ccf3d10-2f7c-4ceb-892e-46f0950d210f",
"observed-data--5ccf3d10-bed0-4d85-945b-46d0950d210f",
"network-traffic--5ccf3d10-bed0-4d85-945b-46d0950d210f",
"ipv4-addr--5ccf3d10-bed0-4d85-945b-46d0950d210f",
"indicator--5cd59ac0-f68c-4751-9022-4456950d210f",
"indicator--5cd59b28-c838-44a7-a2d8-48cb950d210f",
"x-misp-attribute--5cd925f5-0688-4fcc-8d9b-4d2f950d210f",
"vulnerability--5cd926d2-96a0-4029-b68f-48bb950d210f",
"x-misp-attribute--5cd93263-3988-4927-8996-4817950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"ms-caro-malware:malware-platform=\"Linux\"",
"adversary:infrastructure-state=\"active\"",
"circl:incident-classification=\"malware\"",
"malware_classification:malware-category=\"Downloader\"",
"malware_classification:malware-category=\"Rootkit\"",
"malware_classification:malware-category=\"Botnet\"",
"OSINT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf331e-da90-4718-94c8-49d3950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:01:50.000Z",
"modified": "2019-05-05T19:01:50.000Z",
"first_observed": "2019-05-05T19:01:50Z",
"last_observed": "2019-05-05T19:01:50Z",
"number_observed": 1,
"object_refs": [
"url--5ccf331e-da90-4718-94c8-49d3950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5ccf331e-da90-4718-94c8-49d3950d210f",
"value": "https://imgur.com/a/H7YuWuj"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf331e-1534-4301-9d4c-4d32950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:01:50.000Z",
"modified": "2019-05-05T19:01:50.000Z",
"first_observed": "2019-05-05T19:01:50Z",
"last_observed": "2019-05-05T19:01:50Z",
"number_observed": 1,
"object_refs": [
"url--5ccf331e-1534-4301-9d4c-4d32950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5ccf331e-1534-4301-9d4c-4d32950d210f",
"value": "https://old.reddit.com/r/LinuxMalware/comments/bfaea2/fun_in_dissecting_lsd_packer_elf_golang_miner/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf338a-a70c-4aef-ae6c-4b95950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:03:38.000Z",
"modified": "2019-05-05T19:03:38.000Z",
"first_observed": "2019-05-05T19:03:38Z",
"last_observed": "2019-05-05T19:03:38Z",
"number_observed": 1,
"object_refs": [
"file--5ccf338a-a70c-4aef-ae6c-4b95950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf338a-a70c-4aef-ae6c-4b95950d210f",
"name": "/tmp/kerberods (elf trojan installer)"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf338a-41ec-4332-86d4-4ee9950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:03:38.000Z",
"modified": "2019-05-05T19:03:38.000Z",
"first_observed": "2019-05-05T19:03:38Z",
"last_observed": "2019-05-05T19:03:38Z",
"number_observed": 1,
"object_refs": [
"file--5ccf338a-41ec-4332-86d4-4ee9950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf338a-41ec-4332-86d4-4ee9950d210f",
"name": "/tmp/khugepageds (elf monero miner xmrig)"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf338a-3788-4d10-8dfb-45b6950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:03:38.000Z",
"modified": "2019-05-05T19:03:38.000Z",
"first_observed": "2019-05-05T19:03:38Z",
"last_observed": "2019-05-05T19:03:38Z",
"number_observed": 1,
"object_refs": [
"file--5ccf338a-3788-4d10-8dfb-45b6950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf338a-3788-4d10-8dfb-45b6950d210f",
"name": "/tmp/kthrotlds (elf trojan bot)"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf338b-8d84-4997-9c96-454a950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:03:38.000Z",
"modified": "2019-05-05T19:03:38.000Z",
"first_observed": "2019-05-05T19:03:38Z",
"last_observed": "2019-05-05T19:03:38Z",
"number_observed": 1,
"object_refs": [
"file--5ccf338b-8d84-4997-9c96-454a950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf338b-8d84-4997-9c96-454a950d210f",
"name": "/tmp/kintegrityds (elf trojan bot)"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf338b-2d54-4f22-afff-4296950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:03:39.000Z",
"modified": "2019-05-05T19:03:39.000Z",
"first_observed": "2019-05-05T19:03:39Z",
"last_observed": "2019-05-05T19:03:39Z",
"number_observed": 1,
"object_refs": [
"file--5ccf338b-2d54-4f22-afff-4296950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf338b-2d54-4f22-afff-4296950d210f",
"name": "/tmp/kpsmouseds (elf trojan installer)"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf338b-9b24-43ce-ba79-400f950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:03:39.000Z",
"modified": "2019-05-05T19:03:39.000Z",
"first_observed": "2019-05-05T19:03:39Z",
"last_observed": "2019-05-05T19:03:39Z",
"number_observed": 1,
"object_refs": [
"file--5ccf338b-9b24-43ce-ba79-400f950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf338b-9b24-43ce-ba79-400f950d210f",
"name": "/tmp/kerb (elf trojan bot)"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf338b-7164-4214-b2af-489a950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:03:39.000Z",
"modified": "2019-05-05T19:03:39.000Z",
"first_observed": "2019-05-05T19:03:39Z",
"last_observed": "2019-05-05T19:03:39Z",
"number_observed": 1,
"object_refs": [
"file--5ccf338b-7164-4214-b2af-489a950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf338b-7164-4214-b2af-489a950d210f",
"name": "/etc/cron.d/tomcat (persistence)"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf338b-29f4-4d56-91a8-4ec9950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:03:39.000Z",
"modified": "2019-05-05T19:03:39.000Z",
"first_observed": "2019-05-05T19:03:39Z",
"last_observed": "2019-05-05T19:03:39Z",
"number_observed": 1,
"object_refs": [
"file--5ccf338b-29f4-4d56-91a8-4ec9950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf338b-29f4-4d56-91a8-4ec9950d210f",
"name": "/etc/cron.d/root (persistence)"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf338b-8848-4992-830d-4f87950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:03:39.000Z",
"modified": "2019-05-05T19:03:39.000Z",
"first_observed": "2019-05-05T19:03:39Z",
"last_observed": "2019-05-05T19:03:39Z",
"number_observed": 1,
"object_refs": [
"file--5ccf338b-8848-4992-830d-4f87950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf338b-8848-4992-830d-4f87950d210f",
"name": "/var/spool/cron/root (persistence)"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf338b-0c80-4351-9fe5-4ae4950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:03:39.000Z",
"modified": "2019-05-05T19:03:39.000Z",
"first_observed": "2019-05-05T19:03:39Z",
"last_observed": "2019-05-05T19:03:39Z",
"number_observed": 1,
"object_refs": [
"file--5ccf338b-0c80-4351-9fe5-4ae4950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf338b-0c80-4351-9fe5-4ae4950d210f",
"name": "/var/spool/cron/crontabs/root (persistence)"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf338b-e194-463f-86b2-4c83950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:03:39.000Z",
"modified": "2019-05-05T19:03:39.000Z",
"first_observed": "2019-05-05T19:03:39Z",
"last_observed": "2019-05-05T19:03:39Z",
"number_observed": 1,
"object_refs": [
"file--5ccf338b-e194-463f-86b2-4c83950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf338b-e194-463f-86b2-4c83950d210f",
"name": "/usr/sbin/kthrotlds (elf trojan bot)"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf338b-dc8c-4e16-930c-4ea4950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:03:39.000Z",
"modified": "2019-05-05T19:03:39.000Z",
"first_observed": "2019-05-05T19:03:39Z",
"last_observed": "2019-05-05T19:03:39Z",
"number_observed": 1,
"object_refs": [
"file--5ccf338b-dc8c-4e16-930c-4ea4950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf338b-dc8c-4e16-930c-4ea4950d210f",
"name": "/usr/sbin/kintegrityds (elf trojan bot)"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf338b-d720-4e12-9828-400b950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:03:39.000Z",
"modified": "2019-05-05T19:03:39.000Z",
"first_observed": "2019-05-05T19:03:39Z",
"last_observed": "2019-05-05T19:03:39Z",
"number_observed": 1,
"object_refs": [
"file--5ccf338b-d720-4e12-9828-400b950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf338b-d720-4e12-9828-400b950d210f",
"name": "/usr/sbin/kerberods (elf trojan installer)"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf338b-9eec-415d-8713-4dba950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:03:39.000Z",
"modified": "2019-05-05T19:03:39.000Z",
"first_observed": "2019-05-05T19:03:39Z",
"last_observed": "2019-05-05T19:03:39Z",
"number_observed": 1,
"object_refs": [
"file--5ccf338b-9eec-415d-8713-4dba950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf338b-9eec-415d-8713-4dba950d210f",
"name": "/usr/sbin/kpsmouseds (elf trojan installer)"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf338b-9ca0-4ff6-906a-4949950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:03:39.000Z",
"modified": "2019-05-05T19:03:39.000Z",
"first_observed": "2019-05-05T19:03:39Z",
"last_observed": "2019-05-05T19:03:39Z",
"number_observed": 1,
"object_refs": [
"file--5ccf338b-9ca0-4ff6-906a-4949950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf338b-9ca0-4ff6-906a-4949950d210f",
"name": "/etc/rc.d/init.d/kthrotlds (persistence)"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf338b-34c4-4ceb-9797-4327950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:03:39.000Z",
"modified": "2019-05-05T19:03:39.000Z",
"first_observed": "2019-05-05T19:03:39Z",
"last_observed": "2019-05-05T19:03:39Z",
"number_observed": 1,
"object_refs": [
"file--5ccf338b-34c4-4ceb-9797-4327950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf338b-34c4-4ceb-9797-4327950d210f",
"name": "/etc/rc.d/init.d/kerberods (persistence)"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf338b-1e8c-4620-b81d-48a7950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:03:39.000Z",
"modified": "2019-05-05T19:03:39.000Z",
"first_observed": "2019-05-05T19:03:39Z",
"last_observed": "2019-05-05T19:03:39Z",
"number_observed": 1,
"object_refs": [
"file--5ccf338b-1e8c-4620-b81d-48a7950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf338b-1e8c-4620-b81d-48a7950d210f",
"name": "/etc/rc.d/init.d/kpsmouseds (persistence)"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf338b-d71c-4be9-bf9f-424d950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:03:39.000Z",
"modified": "2019-05-05T19:03:39.000Z",
"first_observed": "2019-05-05T19:03:39Z",
"last_observed": "2019-05-05T19:03:39Z",
"number_observed": 1,
"object_refs": [
"file--5ccf338b-d71c-4be9-bf9f-424d950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf338b-d71c-4be9-bf9f-424d950d210f",
"name": "/etc/rc.d/init.d/kintegrityds (persistence)"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf338b-20fc-4572-980b-4937950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:03:39.000Z",
"modified": "2019-05-05T19:03:39.000Z",
"first_observed": "2019-05-05T19:03:39Z",
"last_observed": "2019-05-05T19:03:39Z",
"number_observed": 1,
"object_refs": [
"file--5ccf338b-20fc-4572-980b-4937950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf338b-20fc-4572-980b-4937950d210f",
"name": "/tmp/ld.so.preload (rootkit preload module)"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf338b-77c0-4310-b0b8-4155950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:03:39.000Z",
"modified": "2019-05-05T19:03:39.000Z",
"first_observed": "2019-05-05T19:03:39Z",
"last_observed": "2019-05-05T19:03:39Z",
"number_observed": 1,
"object_refs": [
"file--5ccf338b-77c0-4310-b0b8-4155950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf338b-77c0-4310-b0b8-4155950d210f",
"name": "/usr/local/lib/libpamcd.so (rootkit preload module)"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf338b-5f70-42cf-b488-4660950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:03:39.000Z",
"modified": "2019-05-05T19:03:39.000Z",
"first_observed": "2019-05-05T19:03:39Z",
"last_observed": "2019-05-05T19:03:39Z",
"number_observed": 1,
"object_refs": [
"file--5ccf338b-5f70-42cf-b488-4660950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf338b-5f70-42cf-b488-4660950d210f",
"name": "/usr/local/lib/libcset.so (rootkit preload module)"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf338b-fc44-4109-98ee-4ea1950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-13T09:20:09.000Z",
"modified": "2019-05-13T09:20:09.000Z",
"first_observed": "2019-05-13T09:20:09Z",
"last_observed": "2019-05-13T09:20:09Z",
"number_observed": 1,
"object_refs": [
"file--5ccf338b-fc44-4109-98ee-4ea1950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf338b-fc44-4109-98ee-4ea1950d210f",
"name": "/usr/local/lib/libdb-0.1.so (rootkit preload module)"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf33c6-84b8-4b61-8d12-4c63950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:08:39.000Z",
"modified": "2019-05-05T19:08:39.000Z",
"first_observed": "2019-05-05T19:08:39Z",
"last_observed": "2019-05-05T19:08:39Z",
"number_observed": 1,
"object_refs": [
"file--5ccf33c6-84b8-4b61-8d12-4c63950d210f"
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf33c6-84b8-4b61-8d12-4c63950d210f",
"hashes": {
"MD5": "8ecf8e7653e6a67d61ff03e0c61f3825"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf33c6-8bd4-4b84-ae73-43ef950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:08:49.000Z",
"modified": "2019-05-05T19:08:49.000Z",
"first_observed": "2019-05-05T19:08:49Z",
"last_observed": "2019-05-05T19:08:49Z",
"number_observed": 1,
"object_refs": [
"file--5ccf33c6-8bd4-4b84-ae73-43ef950d210f"
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf33c6-8bd4-4b84-ae73-43ef950d210f",
"hashes": {
"MD5": "a1e0e218b3b7c063bbf3f21003763548"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf33c6-2c48-49d9-bdc6-4af6950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:09:08.000Z",
"modified": "2019-05-05T19:09:08.000Z",
"first_observed": "2019-05-05T19:09:08Z",
"last_observed": "2019-05-05T19:09:08Z",
"number_observed": 1,
"object_refs": [
"file--5ccf33c6-2c48-49d9-bdc6-4af6950d210f"
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf33c6-2c48-49d9-bdc6-4af6950d210f",
"hashes": {
"MD5": "bedc270205ee06817ab6b3d58f260794"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf33c6-1690-4a1c-a41e-4b65950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:09:18.000Z",
"modified": "2019-05-05T19:09:18.000Z",
"first_observed": "2019-05-05T19:09:18Z",
"last_observed": "2019-05-05T19:09:18Z",
"number_observed": 1,
"object_refs": [
"file--5ccf33c6-1690-4a1c-a41e-4b65950d210f"
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ccf33c6-1690-4a1c-a41e-4b65950d210f",
"hashes": {
"MD5": "5301972a7ef320e894274a38f0bb2b2c"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5ccf33c6-f0d4-4a32-9cc7-405e950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:08:59.000Z",
|
|
|
|
"modified": "2019-05-05T19:08:59.000Z",
|
|
|
|
"first_observed": "2019-05-05T19:08:59Z",
|
|
|
|
"last_observed": "2019-05-05T19:08:59Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"file--5ccf33c6-f0d4-4a32-9cc7-405e950d210f"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Artifacts dropped\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "file",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "file--5ccf33c6-f0d4-4a32-9cc7-405e950d210f",
|
|
|
|
"hashes": {
|
|
|
|
"MD5": "17e9e888b8d0f374b5c623ae6b6d6cc6"
|
|
|
|
}
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf343e-6444-410e-9d87-415c950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:06:38.000Z",
|
|
|
|
"modified": "2019-05-05T19:06:38.000Z",
|
|
|
|
"description": "Malware contacted C2 hostnames",
|
|
|
|
"pattern": "[domain-name:value = 'd.heheda.tk']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:06:38Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"hostname\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf343e-3880-492a-93ba-423d950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:06:38.000Z",
|
|
|
|
"modified": "2019-05-05T19:06:38.000Z",
|
|
|
|
"description": "Malware contacted C2 hostnames",
|
|
|
|
"pattern": "[domain-name:value = 'c.heheda.tk']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:06:38Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"hostname\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf343e-6234-48a2-88f4-4734950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:06:38.000Z",
|
|
|
|
"modified": "2019-05-05T19:06:38.000Z",
|
|
|
|
"description": "Malware contacted C2 hostnames",
|
|
|
|
"pattern": "[domain-name:value = 'dd.heheda.tk']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:06:38Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"hostname\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf343e-0500-4226-90d9-477b950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:06:38.000Z",
|
|
|
|
"modified": "2019-05-05T19:06:38.000Z",
|
|
|
|
"description": "Malware contacted C2 hostnames",
|
|
|
|
"pattern": "[domain-name:value = 'systemten.org']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:06:38Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"hostname\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf343e-59ac-4de1-be7e-408b950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:06:38.000Z",
|
|
|
|
"modified": "2019-05-05T19:06:38.000Z",
|
|
|
|
"description": "Malware contacted C2 hostnames",
|
|
|
|
"pattern": "[domain-name:value = 'w.3ei.xyz']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:06:38Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"hostname\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf343e-5098-44d0-bb39-4100950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:06:38.000Z",
|
|
|
|
"modified": "2019-05-05T19:06:38.000Z",
|
|
|
|
"description": "Malware contacted C2 hostnames",
|
|
|
|
"pattern": "[domain-name:value = 'w.21-3n.xyz']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:06:38Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"hostname\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf343e-31a4-4dfe-8318-4e1e950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:06:38.000Z",
|
|
|
|
"modified": "2019-05-05T19:06:38.000Z",
|
|
|
|
"description": "Malware contacted C2 hostnames",
|
|
|
|
"pattern": "[domain-name:value = 't.w2wz.cn']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:06:38Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"hostname\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf343e-a4c8-4a2a-99ee-45d6950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:06:38.000Z",
|
|
|
|
"modified": "2019-05-05T19:06:38.000Z",
|
|
|
|
"description": "Malware contacted C2 hostnames",
|
|
|
|
"pattern": "[domain-name:value = '1.z9ls.com']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:06:38Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"hostname\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf343e-f58c-4fdd-95f2-46dd950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:06:38.000Z",
|
|
|
|
"modified": "2019-05-05T19:06:38.000Z",
|
|
|
|
"description": "Malware contacted C2 hostnames",
|
|
|
|
"pattern": "[domain-name:value = 'yxarsh.shop']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:06:38Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"hostname\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf343e-aa74-4740-8638-495d950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:06:38.000Z",
|
|
|
|
"modified": "2019-05-05T19:06:38.000Z",
|
|
|
|
"description": "Malware contacted C2 hostnames",
|
|
|
|
"pattern": "[domain-name:value = 'i.ooxx.ooo']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:06:38Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"hostname\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf343e-2c70-41eb-a61c-45b3950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:06:38.000Z",
|
|
|
|
"modified": "2019-05-05T19:06:38.000Z",
|
|
|
|
"description": "Malware contacted C2 hostnames",
|
|
|
|
"pattern": "[domain-name:value = 'baocangwh.cn']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:06:38Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"hostname\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf343e-f75c-4aae-b652-4e03950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:06:38.000Z",
|
|
|
|
"modified": "2019-05-05T19:06:38.000Z",
|
|
|
|
"description": "Malware contacted C2 hostnames",
|
|
|
|
"pattern": "[domain-name:value = 'img.sobot.com']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:06:38Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"hostname\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf343e-0e58-4347-8020-4d32950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:06:38.000Z",
|
|
|
|
"modified": "2019-05-05T19:06:38.000Z",
|
|
|
|
"description": "Malware contacted C2 hostnames",
|
|
|
|
"pattern": "[domain-name:value = 'sowcar.com']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:06:38Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"hostname\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf355f-6d0c-41a1-a55a-4dc7950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:11:27.000Z",
|
|
|
|
"modified": "2019-05-05T19:11:27.000Z",
|
|
|
|
"description": "The origin of IP addresses used by the adversaries for their C2 servers",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '42.56.76.104']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:11:27Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf355f-04d4-4359-8fbb-47cf950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:11:27.000Z",
|
|
|
|
"modified": "2019-05-05T19:11:27.000Z",
|
|
|
|
"description": "The origin of IP addresses used by the adversaries for their C2 servers",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.90.213.21']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:11:27Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf355f-93a0-48b2-b7fc-427d950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:11:27.000Z",
|
|
|
|
"modified": "2019-05-05T19:11:27.000Z",
|
|
|
|
"description": "The origin of IP addresses used by the adversaries for their C2 servers",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '116.62.232.226']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:11:27Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf355f-39dc-4d46-beeb-4488950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:11:27.000Z",
|
|
|
|
"modified": "2019-05-05T19:11:27.000Z",
|
|
|
|
"description": "The origin of IP addresses used by the adversaries for their C2 servers",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '211.91.160.238']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:11:27Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf355f-f5f8-439d-bb9f-49f8950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:11:27.000Z",
|
|
|
|
"modified": "2019-05-05T19:11:27.000Z",
|
|
|
|
"description": "The origin of IP addresses used by the adversaries for their C2 servers",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '221.204.60.69']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:11:27Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf355f-9aa4-4759-8b0d-4838950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:11:27.000Z",
|
|
|
|
"modified": "2019-05-05T19:11:27.000Z",
|
|
|
|
"description": "The origin of IP addresses used by the adversaries for their C2 servers",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.52.216.35']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:11:27Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf355f-3460-4721-8f60-4d31950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:11:27.000Z",
|
|
|
|
"modified": "2019-05-05T19:11:27.000Z",
|
|
|
|
"description": "The origin of IP addresses used by the adversaries for their C2 servers",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.63.0.102']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:11:27Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf355f-f270-4244-9357-4038950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:11:27.000Z",
|
|
|
|
"modified": "2019-05-05T19:11:27.000Z",
|
|
|
|
"description": "The origin of IP addresses used by the adversaries for their C2 servers",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.238.151.101']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:11:27Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf355f-c340-44b6-92e4-41db950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:11:27.000Z",
|
|
|
|
"modified": "2019-05-05T19:11:27.000Z",
|
|
|
|
"description": "The origin of IP addresses used by the adversaries for their C2 servers",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.248.53.213']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:11:27Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf355f-7d68-4c6f-bdd4-41f3950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:11:27.000Z",
|
|
|
|
"modified": "2019-05-05T19:11:27.000Z",
|
|
|
|
"description": "The origin of IP addresses used by the adversaries for their C2 servers",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '134.209.104.20']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:11:27Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5ccf355f-2e94-48e5-b56a-42e1950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:11:27.000Z",
|
|
|
|
"modified": "2019-05-05T19:11:27.000Z",
|
|
|
|
"description": "The origin of IP addresses used by the adversaries for their C2 servers",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '198.204.231.250']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-05T19:11:27Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "x-misp-attribute",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "x-misp-attribute--5ccf35e3-4f10-4cff-bb9a-4eed950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:13:39.000Z",
|
|
|
|
"modified": "2019-05-05T19:13:39.000Z",
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"github-repository\"",
|
|
|
|
"misp:category=\"Social network\""
|
|
|
|
],
|
|
|
|
"x_misp_category": "Social network",
|
|
|
|
"x_misp_comment": "The GitHub account allegedly used by the adversary",
|
|
|
|
"x_misp_type": "github-repository",
|
|
|
|
"x_misp_value": "helegedada"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "x-misp-attribute",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "x-misp-attribute--5ccf362e-9478-4f19-b38c-41d1950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:14:54.000Z",
|
|
|
|
"modified": "2019-05-05T19:14:54.000Z",
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"other\"",
|
|
|
|
"misp:category=\"Social network\""
|
|
|
|
],
|
|
|
|
"x_misp_category": "Social network",
|
|
|
|
"x_misp_comment": "The Pastebin account allegedly owned by the adversary",
|
|
|
|
"x_misp_type": "other",
|
|
|
|
"x_misp_value": "https://pastebin.com/u/SYSTEMTEN"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "vulnerability",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "vulnerability--5ccf3763-4e98-46e5-b64c-4985950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:20:03.000Z",
|
|
|
|
"modified": "2019-05-05T19:20:03.000Z",
|
|
|
|
"name": "CVE-2019-3395",
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"vulnerability\"",
|
|
|
|
"misp:category=\"Payload delivery\""
|
|
|
|
],
|
|
|
|
"external_references": [
|
|
|
|
{
|
|
|
|
"source_name": "cve",
|
|
|
|
"external_id": "CVE-2019-3395"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "vulnerability",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "vulnerability--5ccf3763-64f0-41eb-a327-4194950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:20:03.000Z",
|
|
|
|
"modified": "2019-05-05T19:20:03.000Z",
|
|
|
|
"name": "CVE-2019-3396",
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"vulnerability\"",
|
|
|
|
"misp:category=\"Payload delivery\""
|
|
|
|
],
|
|
|
|
"external_references": [
|
|
|
|
{
|
|
|
|
"source_name": "cve",
|
|
|
|
"external_id": "CVE-2019-3396"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "vulnerability",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "vulnerability--5ccf3763-b7f8-47ae-9128-4942950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:20:03.000Z",
|
|
|
|
"modified": "2019-05-05T19:20:03.000Z",
|
|
|
|
"name": "CVE-2019-1003033",
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"vulnerability\"",
|
|
|
|
"misp:category=\"Payload delivery\""
|
|
|
|
],
|
|
|
|
"external_references": [
|
|
|
|
{
|
|
|
|
"source_name": "cve",
|
|
|
|
"external_id": "CVE-2019-1003033"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "vulnerability",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "vulnerability--5ccf3763-eaf8-4649-9c25-489b950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:20:03.000Z",
|
|
|
|
"modified": "2019-05-05T19:20:03.000Z",
|
|
|
|
"name": "CVE-2019-1003030",
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"vulnerability\"",
|
|
|
|
"misp:category=\"Payload delivery\""
|
|
|
|
],
|
|
|
|
"external_references": [
|
|
|
|
{
|
|
|
|
"source_name": "cve",
|
|
|
|
"external_id": "CVE-2019-1003030"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "vulnerability",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "vulnerability--5ccf3763-2438-4331-92c7-4ddd950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:20:03.000Z",
|
|
|
|
"modified": "2019-05-05T19:20:03.000Z",
|
|
|
|
"name": "CVE-2019-1003029",
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"vulnerability\"",
|
|
|
|
"misp:category=\"Payload delivery\""
|
|
|
|
],
|
|
|
|
"external_references": [
|
|
|
|
{
|
|
|
|
"source_name": "cve",
|
|
|
|
"external_id": "CVE-2019-1003029"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "x-misp-attribute",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "x-misp-attribute--5ccf37df-cc1c-4c56-9a7d-4079950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:22:07.000Z",
|
|
|
|
"modified": "2019-05-05T19:22:07.000Z",
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"text\"",
|
|
|
|
"misp:category=\"Internal reference\""
|
|
|
|
],
|
|
|
|
"x_misp_category": "Internal reference",
|
|
|
|
"x_misp_comment": "Strings the malware greps for in its upgrade and anti-competitor routine; useful for preventing similar threats.",
|
|
|
|
"x_misp_type": "text",
|
|
|
|
"x_misp_value": "hwlh3wlh44lh\r\nCircle_MI\r\nxmr\r\nxig\r\nddgs\r\nqW3xT\r\nwnTKYg\r\nt00ls.ru\r\nsustes\r\nthisxxs\r\nhashfish\r\nkworkerds\r\ntmp/devtool\r\nsystemctI\r\nplfsbce\r\nluyybce\r\n6Tx3Wq\r\ndblaunchs\r\nvmlinuz\r\nget.bi-chi.com\r\nhashvault.pro\r\nnanopool.org\r\n119.9.106.27\r\n104.130.210.206"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5ccf38a2-4590-42df-a18a-4fe6950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:25:22.000Z",
|
|
|
|
"modified": "2019-05-05T19:25:22.000Z",
|
|
|
|
"first_observed": "2019-05-05T19:25:22Z",
|
|
|
|
"last_observed": "2019-05-05T19:25:22Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--5ccf38a2-4590-42df-a18a-4fe6950d210f"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"Internal reference\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--5ccf38a2-4590-42df-a18a-4fe6950d210f",
|
|
|
|
"value": "https://community.atlassian.com/t5/Confluence-questions/How-come-my-confluence-installation-was-hacked-by-Kerberods/qaq-p/1054605#M141274"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "x-misp-attribute",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "x-misp-attribute--5ccf3940-ddec-4518-b17f-4419950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:28:00.000Z",
|
|
|
|
"modified": "2019-05-05T19:28:00.000Z",
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"other\"",
|
|
|
|
"misp:category=\"Payload delivery\""
|
|
|
|
],
|
|
|
|
"x_misp_category": "Payload delivery",
|
|
|
|
"x_misp_comment": "Certificate embedded in the malware sample (the ELF binary installer). Its subject and validity period appear to be those of the PolarSSL Test CA shipped with the PolarSSL/mbed TLS library, so it is likely a statically linked library artefact rather than adversary-specific key material; treat it as weak pivoting evidence.",
|
|
|
|
"x_misp_type": "other",
|
|
|
|
"x_misp_value": "-----BEGIN CERTIFICATE-----\r\nMIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\nMA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\nMTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G\r\nA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\nCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\nmdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\nYMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\nR7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\nKNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\ngZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH\r\n/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV\r\nBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz\r\ndCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ\r\nSsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H\r\nDBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF\r\npjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf\r\nm/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ\r\n7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==\r\n-----END CERTIFICATE-----"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "x-misp-attribute",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "x-misp-attribute--5ccf39ae-2d8c-4d58-af04-419e950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:29:50.000Z",
|
|
|
|
"modified": "2019-05-05T19:29:50.000Z",
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"other\"",
|
|
|
|
"misp:category=\"Network activity\""
|
|
|
|
],
|
|
|
|
"x_misp_category": "Network activity",
|
|
|
|
"x_misp_comment": "SSL certificate used by the adversary to encrypt its SSL traffic",
|
|
|
|
"x_misp_type": "other",
|
|
|
|
"x_misp_value": "Handshake Protocol: Certificate\r\nCertificate Length: 1374\r\nCertificate (id-at-commonName=d.heheda.tk)\r\nversion: v3 (2)\r\nserialNumber : 0x0391959ec679153960186df2c0768f78425e\r\nsignature (sha256WithRSAEncryption)\r\nAlgorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)\r\nrdnSequence: 3 items\r\n(id-at-commonName=Let's Encrypt Authority X3,\r\nid-at-organizationName=Let's Encrypt,\r\nid-at-countryName=US )\r\nValidity not before: utcTime: 19-04-22 01:13:26 (UTC)\r\nValidity not after: utcTime: 19-07-21 01:13:26 (UTC)\r\nissuer: rdnSequence (0) rdnSequence: 2 items\r\n(id-at-commonName=DST Root CA X3,\r\nid-at-organizationName=Digital Signature Trust Co.)"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5ccf3d10-ac0c-447c-814e-43c2950d210f",
|
|
|
|
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
|
|
|
|
"created": "2019-05-05T19:44:16.000Z",
|
|
|
|
"modified": "2019-05-05T19:44:16.000Z",
|
|
|
|
"first_observed": "2019-05-05T19:44:16Z",
|
|
|
|
"last_observed": "2019-05-05T19:44:16Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"network-traffic--5ccf3d10-ac0c-447c-814e-43c2950d210f",
"ipv4-addr--5ccf3d10-ac0c-447c-814e-43c2950d210f"
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5ccf3d10-ac0c-447c-814e-43c2950d210f",
"dst_ref": "ipv4-addr--5ccf3d10-ac0c-447c-814e-43c2950d210f",
"dst_port": 53,
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5ccf3d10-ac0c-447c-814e-43c2950d210f",
"value": "1.1.1.1"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf3d10-b734-4496-b135-4bc8950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:44:16.000Z",
"modified": "2019-05-05T19:44:16.000Z",
"first_observed": "2019-05-05T19:44:16Z",
"last_observed": "2019-05-05T19:44:16Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5ccf3d10-b734-4496-b135-4bc8950d210f",
"ipv4-addr--5ccf3d10-b734-4496-b135-4bc8950d210f"
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5ccf3d10-b734-4496-b135-4bc8950d210f",
"dst_ref": "ipv4-addr--5ccf3d10-b734-4496-b135-4bc8950d210f",
"dst_port": 53,
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5ccf3d10-b734-4496-b135-4bc8950d210f",
"value": "8.8.8.8"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf3d10-2f7c-4ceb-892e-46f0950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:44:16.000Z",
"modified": "2019-05-05T19:44:16.000Z",
"first_observed": "2019-05-05T19:44:16Z",
"last_observed": "2019-05-05T19:44:16Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5ccf3d10-2f7c-4ceb-892e-46f0950d210f",
"ipv4-addr--5ccf3d10-2f7c-4ceb-892e-46f0950d210f"
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5ccf3d10-2f7c-4ceb-892e-46f0950d210f",
"dst_ref": "ipv4-addr--5ccf3d10-2f7c-4ceb-892e-46f0950d210f",
"dst_port": 5353,
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5ccf3d10-2f7c-4ceb-892e-46f0950d210f",
"value": "208.67.222.222"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ccf3d10-bed0-4d85-945b-46d0950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-05T19:44:16.000Z",
"modified": "2019-05-05T19:44:16.000Z",
"first_observed": "2019-05-05T19:44:16Z",
"last_observed": "2019-05-05T19:44:16Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5ccf3d10-bed0-4d85-945b-46d0950d210f",
"ipv4-addr--5ccf3d10-bed0-4d85-945b-46d0950d210f"
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5ccf3d10-bed0-4d85-945b-46d0950d210f",
"dst_ref": "ipv4-addr--5ccf3d10-bed0-4d85-945b-46d0950d210f",
"dst_port": 443,
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5ccf3d10-bed0-4d85-945b-46d0950d210f",
"value": "208.67.222.222"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd59ac0-f68c-4751-9022-4456950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-10T15:37:36.000Z",
"modified": "2019-05-10T15:37:36.000Z",
"description": "The origin of IP addresses used by the adversaries for their C2 servers",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.95.85.22']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-10T15:37:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd59b28-c838-44a7-a2d8-48cb950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-10T15:39:20.000Z",
"modified": "2019-05-10T15:39:20.000Z",
"description": "C2 hostnames contacted by the malware",
"pattern": "[domain-name:value = 'gwjyhs.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-10T15:39:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5cd925f5-0688-4fcc-8d9b-4d2f950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-13T09:00:28.000Z",
"modified": "2019-05-13T09:00:28.000Z",
"labels": [
"misp:type=\"whois-registrant-email\"",
"misp:category=\"Social network\""
],
"x_misp_category": "Social network",
"x_misp_comment": "QQ ID used for the adversary's payload domains \"gwjyhs .com\" and \"baocangwh .cn\"",
"x_misp_type": "whois-registrant-email",
"x_misp_value": "4592248@qq.com"
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5cd926d2-96a0-4029-b68f-48bb950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-13T08:12:02.000Z",
"modified": "2019-05-13T08:12:02.000Z",
"name": "CVE-2018-1000861",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2018-1000861"
}
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5cd93263-3988-4927-8996-4817950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2019-05-13T09:01:23.000Z",
"modified": "2019-05-13T09:01:23.000Z",
"labels": [
"misp:type=\"whois-registrant-email\"",
"misp:category=\"Social network\""
],
"x_misp_category": "Social network",
"x_misp_comment": "Same number as the QQ ID, used to register \"w2wz .cn\" under a Gmail address",
"x_misp_type": "whois-registrant-email",
"x_misp_value": "4592248@gmail.com"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}