2023-06-14 17:31:25 +00:00
{
"type" : "bundle" ,
"id" : "bundle--5d95e39a-712c-41b6-b17b-459d950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-10T05:55:44.000Z" ,
"modified" : "2019-10-10T05:55:44.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "grouping" ,
"spec_version" : "2.1" ,
"id" : "grouping--5d95e39a-712c-41b6-b17b-459d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-10T05:55:44.000Z" ,
"modified" : "2019-10-10T05:55:44.000Z" ,
"name" : "COMpfun successor Reductor: compromise TLS traffic" ,
"context" : "suspicious-activity" ,
"object_refs" : [
"observed-data--5d95e3c6-2aa4-45e6-b0ca-46a5950d210f" ,
"url--5d95e3c6-2aa4-45e6-b0ca-46a5950d210f" ,
"indicator--5d95e44b-9428-43f9-8caf-4e2c950d210f" ,
"indicator--5d95e44b-4d9c-46e9-958e-42e9950d210f" ,
"indicator--5d95e44c-1f40-4f7a-842f-4834950d210f" ,
"indicator--5d95e44c-d36c-480d-b175-4bc9950d210f" ,
"indicator--5d95e44c-39dc-46a5-9820-47c8950d210f" ,
"indicator--5d95e44c-d07c-4b64-922d-472b950d210f" ,
"indicator--5d95e44c-f164-4110-854d-43d9950d210f" ,
"indicator--5d95e498-07f0-44dc-a11c-4453950d210f" ,
"indicator--5d95e498-174c-408d-ac07-4aac950d210f" ,
"observed-data--5d95e4eb-d450-4d33-981b-49bfe387cbd9" ,
"network-traffic--5d95e4eb-d450-4d33-981b-49bfe387cbd9" ,
"ipv4-addr--5d95e4eb-d450-4d33-981b-49bfe387cbd9" ,
"x-misp-attribute--5d95e72f-d3c4-42e0-8040-4fe9950d210f" ,
"indicator--5d9ec7e0-48e0-4106-ac7e-43e2950d210f" ,
"indicator--5d9ec7e0-a730-412b-a02e-4ba1950d210f" ,
"indicator--9499eb17-e165-4ddd-96ff-6a04056a5197" ,
"x-misp-object--2c492ff9-0eaf-47ec-882b-28395b2447c9" ,
"indicator--5d95e5cb-de84-4411-9e52-4c52950d210f" ,
"indicator--5d95e621-1790-4a3f-8d53-4a22950d210f" ,
"indicator--5d95e659-fdbc-41db-8e88-4990950d210f" ,
"indicator--5d95e68b-16c0-47d1-bd8a-4269950d210f" ,
"x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f" ,
"x-misp-object--5d95eeae-1724-4536-b98c-49b2950d210f" ,
"x-misp-object--5d95eec7-48f8-4b2a-9558-46c5950d210f" ,
"x-misp-object--5d95eeee-23fc-4693-becb-4b7b950d210f" ,
"x-misp-object--5d95ef16-1204-47ba-8bc9-41dd950d210f" ,
"x-misp-object--5d95ef38-f244-4c43-a544-41c5950d210f" ,
"x-misp-object--5d95ef5c-eb2c-48f9-a95f-42ea950d210f" ,
"x-misp-object--5d95ef87-54fc-49aa-a417-4740950d210f" ,
"x-misp-object--5d95ef9f-972c-4b95-b577-41ef950d210f" ,
"x-misp-object--5d95efbc-3038-48e6-b25c-48a8950d210f" ,
"x-misp-object--5d95efd6-61e4-458e-8445-42c4950d210f" ,
"x-misp-object--5d95effb-e4a0-41af-b5a8-48b4950d210f" ,
"relationship--98032714-2a30-4f3e-be64-8d46893cd56d" ,
"relationship--a53e6c7b-4332-47d5-8f27-16c1ee292d91" ,
"relationship--2326aa58-b616-4327-b322-fa598c7fae88" ,
"relationship--05a36987-15ec-40bf-89aa-1f8fb79df9cc" ,
"relationship--9b2552c7-aecc-42ff-94cd-6b162b6374c0" ,
"relationship--904a3f69-5ab0-45da-8da4-17a8b011e0d5" ,
"relationship--439a6a6f-8e85-4a9d-a8bb-e18f0f0dbbff" ,
"relationship--ea037375-e82f-4bea-bd9a-1241ed8511fc" ,
"relationship--4cb42458-0728-4bcc-9893-6f7969838cbf" ,
"relationship--901242f1-2224-4766-886f-6377b5c4669f" ,
"relationship--521b49a2-12bc-472e-bfff-e2fb4782a202" ,
"relationship--3c8a59b7-35b9-4d39-9fc7-9153f5dcfff9"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:threat-actor=\"Turla Group\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"osint:source-type=\"blog-post\"" ,
"estimative-language:likelihood-probability=\"very-likely\"" ,
"misp-galaxy:tool=\"COMpfun\"" ,
"misp-galaxy:tool=\"Reductor\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5d95e3c6-2aa4-45e6-b0ca-46a5950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:18:10.000Z" ,
"modified" : "2019-10-03T12:18:10.000Z" ,
"first_observed" : "2019-10-03T12:18:10Z" ,
"last_observed" : "2019-10-03T12:18:10Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5d95e3c6-2aa4-45e6-b0ca-46a5950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5d95e3c6-2aa4-45e6-b0ca-46a5950d210f" ,
"value" : "https://securelist.com/compfun-successor-reductor/93633/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d95e44b-9428-43f9-8caf-4e2c950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:06:35.000Z" ,
"modified" : "2019-10-03T12:06:35.000Z" ,
"pattern" : "[file:hashes.MD5 = '27ce434ad1e240075c48a51722f8e87f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-10-03T12:06:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d95e44b-4d9c-46e9-958e-42e9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:06:35.000Z" ,
"modified" : "2019-10-03T12:06:35.000Z" ,
"pattern" : "[file:hashes.MD5 = '4e02b1b1d32e23975f496d1d1e0eb7a6']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-10-03T12:06:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d95e44c-1f40-4f7a-842f-4834950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:06:35.000Z" ,
"modified" : "2019-10-03T12:06:35.000Z" ,
"pattern" : "[file:hashes.MD5 = '518ab503808e747c5d0dde6bfb54b95a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-10-03T12:06:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d95e44c-d36c-480d-b175-4bc9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:06:36.000Z" ,
"modified" : "2019-10-03T12:06:36.000Z" ,
"pattern" : "[file:hashes.MD5 = '7911f8d717dc9d7a78d99e687a12d7ad']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-10-03T12:06:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d95e44c-39dc-46a5-9820-47c8950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:06:36.000Z" ,
"modified" : "2019-10-03T12:06:36.000Z" ,
"pattern" : "[file:hashes.MD5 = '9c7e50e7ce36c1b7d8ca2af2082f4cd5']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-10-03T12:06:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d95e44c-d07c-4b64-922d-472b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:06:36.000Z" ,
"modified" : "2019-10-03T12:06:36.000Z" ,
"pattern" : "[file:hashes.MD5 = 'a0387665fe7e006b5233c66f6bd5bb9d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-10-03T12:06:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d95e44c-f164-4110-854d-43d9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:06:36.000Z" ,
"modified" : "2019-10-03T12:06:36.000Z" ,
"pattern" : "[file:hashes.MD5 = 'f6caa1bfcca872f0cbe2e7346b006ab4']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-10-03T12:06:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d95e498-07f0-44dc-a11c-4453950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:07:52.000Z" ,
"modified" : "2019-10-03T12:07:52.000Z" ,
"pattern" : "[domain-name:value = 'adstat.pw']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-10-03T12:07:52Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d95e498-174c-408d-ac07-4aac950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:07:52.000Z" ,
"modified" : "2019-10-03T12:07:52.000Z" ,
"pattern" : "[domain-name:value = 'bill-tat.pw']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-10-03T12:07:52Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5d95e4eb-d450-4d33-981b-49bfe387cbd9" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:09:15.000Z" ,
"modified" : "2019-10-03T12:09:15.000Z" ,
"first_observed" : "2019-10-03T12:09:15Z" ,
"last_observed" : "2019-10-03T12:09:15Z" ,
"number_observed" : 1 ,
"object_refs" : [
"network-traffic--5d95e4eb-d450-4d33-981b-49bfe387cbd9" ,
"ipv4-addr--5d95e4eb-d450-4d33-981b-49bfe387cbd9"
] ,
"labels" : [
"misp:type=\"ip-src\"" ,
"misp:category=\"Network activity\""
]
} ,
{
"type" : "network-traffic" ,
"spec_version" : "2.1" ,
"id" : "network-traffic--5d95e4eb-d450-4d33-981b-49bfe387cbd9" ,
"src_ref" : "ipv4-addr--5d95e4eb-d450-4d33-981b-49bfe387cbd9" ,
"protocols" : [
"tcp"
]
} ,
{
"type" : "ipv4-addr" ,
"spec_version" : "2.1" ,
"id" : "ipv4-addr--5d95e4eb-d450-4d33-981b-49bfe387cbd9" ,
"value" : "200.63.45.192"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5d95e72f-d3c4-42e0-8040-4fe9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:18:55.000Z" ,
"modified" : "2019-10-03T12:18:55.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "In April 2019, we discovered new malware that compromises encrypted web communications in an impressive way. Analysis of the malware allowed us to confirm that the operators have some control over the target\u2019s network channel and could replace legitimate installers with infected ones on the fly. That places the actor in a very exclusive club, with capabilities that few other actors in the world have.\r\n\r\nWe called these new modules \u2018Reductor\u2019 after a .pdb path left in some samples. Besides typical RAT functions such as uploading, downloading and executing files, Reductor\u2019s authors put a lot of effort into manipulating digital certificates and marking outbound TLS traffic with unique host-related identifiers.\r\n\r\nThe Kaspersky Attribution Engine shows strong code similarities between this family and the COMPfun Trojan. Moreover, further research showed that the original COMpfun Trojan most probably is used as a downloader in one of the distribution schemes. Based on these similarities, we\u2019re quite sure the new malware was developed by the COMPfun authors.\r\n\r\nThe COMpfun malware was initially documented by G-DATA in 2014. Although G-DATA didn\u2019t identify which actor was using this malware, Kaspersky tentatively linked it to the Turla APT, based on the victimology. Our telemetry indicates that the current campaign using Reductor started at the end of April 2019 and remained active at the time of writing (August 2019). We identified targets in Russia and Belarus.\r\n\r\nWe registered two initial infection schemes: Reductor spreads by either infecting popular software distributions (Internet Downloader Manager, WinRAR, etc. and, for at least one victim, through a popular warez website over HTTP); or its decryptor/dropper is spread using COMpfun\u2019s ability to download files on already infected hosts."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d9ec7e0-48e0-4106-ac7e-43e2950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-10T05:55:44.000Z" ,
"modified" : "2019-10-10T05:55:44.000Z" ,
"pattern" : "[file:hashes.MD5 = '3e93f8b7c46a32236c225926d9f063f2']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-10-10T05:55:44Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d9ec7e0-a730-412b-a02e-4ba1950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-10T05:55:44.000Z" ,
"modified" : "2019-10-10T05:55:44.000Z" ,
"pattern" : "[file:hashes.MD5 = '5a5de7165faa9ad0ed3b2094ee6cff89']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-10-10T05:55:44Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--9499eb17-e165-4ddd-96ff-6a04056a5197" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:07:08.000Z" ,
"modified" : "2019-10-03T12:07:08.000Z" ,
"pattern" : "[file:hashes.MD5 = '7911f8d717dc9d7a78d99e687a12d7ad' AND file:hashes.SHA1 = 'e49666f7882f299c2845c7e31e3d842a387ef10d' AND file:hashes.SHA256 = '4e2d038e9d72ee4d660755ba973a31471dda167d1a51bfdfe60abb2b3de78ba1']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-10-03T12:07:08Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--2c492ff9-0eaf-47ec-882b-28395b2447c9" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:07:08.000Z" ,
"modified" : "2019-10-03T12:07:08.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-05-19 16:41:15" ,
"category" : "Other" ,
"uuid" : "6f1c02b3-7e03-4457-b0d2-bb57f4594085"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/4e2d038e9d72ee4d660755ba973a31471dda167d1a51bfdfe60abb2b3de78ba1/analysis/1558284075/" ,
"category" : "Payload delivery" ,
"uuid" : "3b60de42-cdef-418e-97ce-93717a2412ce"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "26/68" ,
"category" : "Payload delivery" ,
"uuid" : "334ec304-ebb4-4527-badb-85b9d0ada237"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d95e5cb-de84-4411-9e52-4c52950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:12:59.000Z" ,
"modified" : "2019-10-03T12:12:59.000Z" ,
"pattern" : "[x509-certificate:hashes.SHA1 = '119b2be9c17d8c7c5ab0fa1a17aaf69082bab21d' AND x509-certificate:issuer = 'ie-paypal' AND x509-certificate:validity_not_after = '20311117T000000-0800']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-10-03T12:12:59Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"x509\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d95e621-1790-4a3f-8d53-4a22950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:14:25.000Z" ,
"modified" : "2019-10-03T12:14:25.000Z" ,
"pattern" : "[x509-certificate:hashes.SHA1 = '546f7a565920aeb0021a1d05525ff0b3df51d020' AND x509-certificate:issuer = 'GeoTrust Rsa CA' AND x509-certificate:validity_not_after = '20311117T000000-0800']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-10-03T12:14:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"x509\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d95e659-fdbc-41db-8e88-4990950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:15:21.000Z" ,
"modified" : "2019-10-03T12:15:21.000Z" ,
"pattern" : "[x509-certificate:hashes.SHA1 = '959eb6c7f45b7c5c761d5b758e65d9ef7ea20cf3' AND x509-certificate:issuer = 'GeoTrust Rsa CA' AND x509-certificate:validity_not_after = '20311117T000000-0800']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-10-03T12:15:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"x509\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d95e68b-16c0-47d1-bd8a-4269950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:16:11.000Z" ,
"modified" : "2019-10-03T12:16:11.000Z" ,
"pattern" : "[x509-certificate:hashes.SHA1 = '992bace0bc815e43626d59d790cef50907c6ea9b' AND x509-certificate:issuer = 'VeriSign, Inc.' AND x509-certificate:validity_not_after = '20311117T000000-0800']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-10-03T12:16:11Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"x509\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T13:01:33.000Z" ,
"modified" : "2019-10-03T13:01:33.000Z" ,
"labels" : [
"misp:name=\"command\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "All C2 communications are handled in a standalone malware thread. Reductor sends HTTP POST queries to the /query.php scripts on the C2s listed in its configuration. The POST query contains the target\u2019s unique hardware ID encrypted with AES 128. The C2 returns one of the following encrypted commands." ,
"category" : "Other" ,
"uuid" : "5d95ee8f-dac0-4724-94ca-47b1950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "trigger" ,
"value" : "Network" ,
"category" : "Other" ,
"uuid" : "5d95ee8f-16dc-43b1-855c-40e7950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "location" ,
"value" : "Bundled" ,
"category" : "Other" ,
"uuid" : "5d95ee8f-5850-4ebf-a819-4720950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "command"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5d95eeae-1724-4536-b98c-49b2950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:50:54.000Z" ,
"modified" : "2019-10-03T12:50:54.000Z" ,
"labels" : [
"misp:name=\"command-line\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "Get the host name" ,
"category" : "Other" ,
"uuid" : "5d95eeaf-7354-452c-9798-43b6950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "value" ,
"value" : "hostinfo" ,
"category" : "Other" ,
"uuid" : "5d95eeaf-1290-4305-be37-498a950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "command-line"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5d95eec7-48f8-4b2a-9558-46c5950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:51:19.000Z" ,
"modified" : "2019-10-03T12:51:19.000Z" ,
"labels" : [
"misp:name=\"command-line\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "Get the timeout value from the corresponding registry value" ,
"category" : "Other" ,
"uuid" : "5d95eec7-cf64-4268-8a63-434a950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "value" ,
"value" : "gettimeout" ,
"category" : "Other" ,
"uuid" : "5d95eec7-15a8-4238-adfd-4542950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "command-line"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5d95eeee-23fc-4693-becb-4b7b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:51:58.000Z" ,
"modified" : "2019-10-03T12:51:58.000Z" ,
"labels" : [
"misp:name=\"command-line\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "Parse strings and set corresponding values in the system registries. So far only one option is supported \u2013 timeout" ,
"category" : "Other" ,
"uuid" : "5d95eeef-4b14-435e-9364-4fb2950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "value" ,
"value" : "options" ,
"category" : "Other" ,
"uuid" : "5d95eeef-1d38-409c-8396-4060950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "command-line"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5d95ef16-1204-47ba-8bc9-41dd950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:52:38.000Z" ,
"modified" : "2019-10-03T12:52:38.000Z" ,
"labels" : [
"misp:name=\"command-line\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "Transmit the current C2 domains used by target" ,
"category" : "Other" ,
"uuid" : "5d95ef16-0388-41d5-a2f7-4569950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "value" ,
"value" : "domainlist" ,
"category" : "Other" ,
"uuid" : "5d95ef16-9d5c-4b14-9227-4fbb950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "command-line"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5d95ef38-f244-4c43-a544-41c5950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:53:12.000Z" ,
"modified" : "2019-10-03T12:53:12.000Z" ,
"labels" : [
"misp:name=\"command-line\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "Download the file of interest" ,
"category" : "Other" ,
"uuid" : "5d95ef38-d59c-419e-89e3-42d6950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "value" ,
"value" : "downfile" ,
"category" : "Other" ,
"uuid" : "5d95ef38-86b4-44d0-891a-4d3e950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "command-line"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5d95ef5c-eb2c-48f9-a95f-42ea950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:53:48.000Z" ,
"modified" : "2019-10-03T12:53:48.000Z" ,
"labels" : [
"misp:name=\"command-line\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "Upload the file of interest" ,
"category" : "Other" ,
"uuid" : "5d95ef5c-86f4-4135-836e-41bf950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "value" ,
"value" : "upfile" ,
"category" : "Other" ,
"uuid" : "5d95ef5c-4734-4a1c-9d21-4c56950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "command-line"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5d95ef87-54fc-49aa-a417-4740950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:54:31.000Z" ,
"modified" : "2019-10-03T12:54:31.000Z" ,
"labels" : [
"misp:name=\"command-line\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "Create the process that executes mentioned file" ,
"category" : "Other" ,
"uuid" : "5d95ef87-53d8-449a-9c86-47a1950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "value" ,
"value" : "execfile" ,
"category" : "Other" ,
"uuid" : "5d95ef87-deb8-47dc-8bdd-45bb950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "command-line"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5d95ef9f-972c-4b95-b577-41ef950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:54:55.000Z" ,
"modified" : "2019-10-03T12:54:55.000Z" ,
"labels" : [
"misp:name=\"command-line\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "Do nothing. Possibly used to check the connection with the host" ,
"category" : "Other" ,
"uuid" : "5d95ef9f-3878-4f8f-b286-4bdd950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "value" ,
"value" : "nop" ,
"category" : "Other" ,
"uuid" : "5d95ef9f-880c-471d-9849-49a3950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "command-line"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5d95efbc-3038-48e6-b25c-48a8950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:55:24.000Z" ,
"modified" : "2019-10-03T12:55:24.000Z" ,
"labels" : [
"misp:name=\"command-line\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "Delete installed digital certificates, files, cookies and system registry values including those related to COM CLSID or LSA notification package persistence" ,
"category" : "Other" ,
"uuid" : "5d95efbc-e7c8-4d86-9b0d-4c79950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "value" ,
"value" : "kill" ,
"category" : "Other" ,
"uuid" : "5d95efbc-18f4-421c-bc70-4f6d950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "command-line"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5d95efd6-61e4-458e-8445-42c4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:55:50.000Z" ,
"modified" : "2019-10-03T12:55:50.000Z" ,
"labels" : [
"misp:name=\"command-line\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "Delete file at a specified path" ,
"category" : "Other" ,
"uuid" : "5d95efd7-d120-4621-a7e8-43b4950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "value" ,
"value" : "deletefile" ,
"category" : "Other" ,
"uuid" : "5d95efd7-74e0-498c-b936-404e950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "command-line"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5d95effb-e4a0-41af-b5a8-48b4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-10-03T12:56:27.000Z" ,
"modified" : "2019-10-03T12:56:27.000Z" ,
"labels" : [
"misp:name=\"command-line\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "Renew the digital certificates installed on target" ,
"category" : "Other" ,
"uuid" : "5d95effc-6a30-4f50-833b-4fef950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "value" ,
"value" : "certlist" ,
"category" : "Other" ,
"uuid" : "5d95effc-2bd8-4075-b30e-4892950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "command-line"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--98032714-2a30-4f3e-be64-8d46893cd56d" ,
"created" : "2019-10-03T12:07:08.000Z" ,
"modified" : "2019-10-03T12:07:08.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--9499eb17-e165-4ddd-96ff-6a04056a5197" ,
"target_ref" : "x-misp-object--2c492ff9-0eaf-47ec-882b-28395b2447c9"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--a53e6c7b-4332-47d5-8f27-16c1ee292d91" ,
"created" : "2019-10-03T12:57:03.000Z" ,
"modified" : "2019-10-03T12:57:03.000Z" ,
"relationship_type" : "includes" ,
"source_ref" : "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f" ,
"target_ref" : "x-misp-object--5d95ef87-54fc-49aa-a417-4740950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--2326aa58-b616-4327-b322-fa598c7fae88" ,
"created" : "2019-10-03T12:57:36.000Z" ,
"modified" : "2019-10-03T12:57:36.000Z" ,
"relationship_type" : "includes" ,
"source_ref" : "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f" ,
"target_ref" : "x-misp-object--5d95eeae-1724-4536-b98c-49b2950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--05a36987-15ec-40bf-89aa-1f8fb79df9cc" ,
"created" : "2019-10-03T12:58:22.000Z" ,
"modified" : "2019-10-03T12:58:22.000Z" ,
"relationship_type" : "includes" ,
"source_ref" : "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f" ,
"target_ref" : "x-misp-object--5d95eec7-48f8-4b2a-9558-46c5950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--9b2552c7-aecc-42ff-94cd-6b162b6374c0" ,
"created" : "2019-10-03T12:58:48.000Z" ,
"modified" : "2019-10-03T12:58:48.000Z" ,
"relationship_type" : "includes" ,
"source_ref" : "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f" ,
"target_ref" : "x-misp-object--5d95ef16-1204-47ba-8bc9-41dd950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--904a3f69-5ab0-45da-8da4-17a8b011e0d5" ,
"created" : "2019-10-03T12:59:08.000Z" ,
"modified" : "2019-10-03T12:59:08.000Z" ,
"relationship_type" : "includes" ,
"source_ref" : "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f" ,
"target_ref" : "x-misp-object--5d95ef9f-972c-4b95-b577-41ef950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--439a6a6f-8e85-4a9d-a8bb-e18f0f0dbbff" ,
"created" : "2019-10-03T12:59:32.000Z" ,
"modified" : "2019-10-03T12:59:32.000Z" ,
"relationship_type" : "includes" ,
"source_ref" : "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f" ,
"target_ref" : "x-misp-object--5d95efbc-3038-48e6-b25c-48a8950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--ea037375-e82f-4bea-bd9a-1241ed8511fc" ,
"created" : "2019-10-03T13:00:11.000Z" ,
"modified" : "2019-10-03T13:00:11.000Z" ,
"relationship_type" : "includes" ,
"source_ref" : "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f" ,
"target_ref" : "x-misp-object--5d95effb-e4a0-41af-b5a8-48b4950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--4cb42458-0728-4bcc-9893-6f7969838cbf" ,
"created" : "2019-10-03T13:00:31.000Z" ,
"modified" : "2019-10-03T13:00:31.000Z" ,
"relationship_type" : "includes" ,
"source_ref" : "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f" ,
"target_ref" : "x-misp-object--5d95efd6-61e4-458e-8445-42c4950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--901242f1-2224-4766-886f-6377b5c4669f" ,
"created" : "2019-10-03T13:00:49.000Z" ,
"modified" : "2019-10-03T13:00:49.000Z" ,
"relationship_type" : "includes" ,
"source_ref" : "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f" ,
"target_ref" : "x-misp-object--5d95ef38-f244-4c43-a544-41c5950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--521b49a2-12bc-472e-bfff-e2fb4782a202" ,
"created" : "2019-10-03T13:01:12.000Z" ,
"modified" : "2019-10-03T13:01:12.000Z" ,
"relationship_type" : "includes" ,
"source_ref" : "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f" ,
"target_ref" : "x-misp-object--5d95eeee-23fc-4693-becb-4b7b950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--3c8a59b7-35b9-4d39-9fc7-9153f5dcfff9" ,
"created" : "2019-10-03T13:01:33.000Z" ,
"modified" : "2019-10-03T13:01:33.000Z" ,
"relationship_type" : "includes" ,
"source_ref" : "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f" ,
"target_ref" : "x-misp-object--5d95ef5c-eb2c-48f9-a95f-42ea950d210f"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}