misp-circl-feed/feeds/circl/misp/5d95e39a-712c-41b6-b17b-459d950d210f.json

1064 lines
46 KiB
JSON
Raw Normal View History

2023-06-14 17:31:25 +00:00
{
"type": "bundle",
"id": "bundle--5d95e39a-712c-41b6-b17b-459d950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-10T05:55:44.000Z",
"modified": "2019-10-10T05:55:44.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--5d95e39a-712c-41b6-b17b-459d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-10T05:55:44.000Z",
"modified": "2019-10-10T05:55:44.000Z",
"name": "COMpfun successor Reductor: compromise TLS traffic",
"context": "suspicious-activity",
"object_refs": [
"observed-data--5d95e3c6-2aa4-45e6-b0ca-46a5950d210f",
"url--5d95e3c6-2aa4-45e6-b0ca-46a5950d210f",
"indicator--5d95e44b-9428-43f9-8caf-4e2c950d210f",
"indicator--5d95e44b-4d9c-46e9-958e-42e9950d210f",
"indicator--5d95e44c-1f40-4f7a-842f-4834950d210f",
"indicator--5d95e44c-d36c-480d-b175-4bc9950d210f",
"indicator--5d95e44c-39dc-46a5-9820-47c8950d210f",
"indicator--5d95e44c-d07c-4b64-922d-472b950d210f",
"indicator--5d95e44c-f164-4110-854d-43d9950d210f",
"indicator--5d95e498-07f0-44dc-a11c-4453950d210f",
"indicator--5d95e498-174c-408d-ac07-4aac950d210f",
"observed-data--5d95e4eb-d450-4d33-981b-49bfe387cbd9",
"network-traffic--5d95e4eb-d450-4d33-981b-49bfe387cbd9",
"ipv4-addr--5d95e4eb-d450-4d33-981b-49bfe387cbd9",
"x-misp-attribute--5d95e72f-d3c4-42e0-8040-4fe9950d210f",
"indicator--5d9ec7e0-48e0-4106-ac7e-43e2950d210f",
"indicator--5d9ec7e0-a730-412b-a02e-4ba1950d210f",
"indicator--9499eb17-e165-4ddd-96ff-6a04056a5197",
"x-misp-object--2c492ff9-0eaf-47ec-882b-28395b2447c9",
"indicator--5d95e5cb-de84-4411-9e52-4c52950d210f",
"indicator--5d95e621-1790-4a3f-8d53-4a22950d210f",
"indicator--5d95e659-fdbc-41db-8e88-4990950d210f",
"indicator--5d95e68b-16c0-47d1-bd8a-4269950d210f",
"x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f",
"x-misp-object--5d95eeae-1724-4536-b98c-49b2950d210f",
"x-misp-object--5d95eec7-48f8-4b2a-9558-46c5950d210f",
"x-misp-object--5d95eeee-23fc-4693-becb-4b7b950d210f",
"x-misp-object--5d95ef16-1204-47ba-8bc9-41dd950d210f",
"x-misp-object--5d95ef38-f244-4c43-a544-41c5950d210f",
"x-misp-object--5d95ef5c-eb2c-48f9-a95f-42ea950d210f",
"x-misp-object--5d95ef87-54fc-49aa-a417-4740950d210f",
"x-misp-object--5d95ef9f-972c-4b95-b577-41ef950d210f",
"x-misp-object--5d95efbc-3038-48e6-b25c-48a8950d210f",
"x-misp-object--5d95efd6-61e4-458e-8445-42c4950d210f",
"x-misp-object--5d95effb-e4a0-41af-b5a8-48b4950d210f",
"relationship--98032714-2a30-4f3e-be64-8d46893cd56d",
"relationship--a53e6c7b-4332-47d5-8f27-16c1ee292d91",
"relationship--2326aa58-b616-4327-b322-fa598c7fae88",
"relationship--05a36987-15ec-40bf-89aa-1f8fb79df9cc",
"relationship--9b2552c7-aecc-42ff-94cd-6b162b6374c0",
"relationship--904a3f69-5ab0-45da-8da4-17a8b011e0d5",
"relationship--439a6a6f-8e85-4a9d-a8bb-e18f0f0dbbff",
"relationship--ea037375-e82f-4bea-bd9a-1241ed8511fc",
"relationship--4cb42458-0728-4bcc-9893-6f7969838cbf",
"relationship--901242f1-2224-4766-886f-6377b5c4669f",
"relationship--521b49a2-12bc-472e-bfff-e2fb4782a202",
"relationship--3c8a59b7-35b9-4d39-9fc7-9153f5dcfff9"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:threat-actor=\"Turla Group\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:source-type=\"blog-post\"",
"estimative-language:likelihood-probability=\"very-likely\"",
"misp-galaxy:tool=\"COMpfun\"",
"misp-galaxy:tool=\"Reductor\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5d95e3c6-2aa4-45e6-b0ca-46a5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:18:10.000Z",
"modified": "2019-10-03T12:18:10.000Z",
"first_observed": "2019-10-03T12:18:10Z",
"last_observed": "2019-10-03T12:18:10Z",
"number_observed": 1,
"object_refs": [
"url--5d95e3c6-2aa4-45e6-b0ca-46a5950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5d95e3c6-2aa4-45e6-b0ca-46a5950d210f",
"value": "https://securelist.com/compfun-successor-reductor/93633/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d95e44b-9428-43f9-8caf-4e2c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:06:35.000Z",
"modified": "2019-10-03T12:06:35.000Z",
"pattern": "[file:hashes.MD5 = '27ce434ad1e240075c48a51722f8e87f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-03T12:06:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d95e44b-4d9c-46e9-958e-42e9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:06:35.000Z",
"modified": "2019-10-03T12:06:35.000Z",
"pattern": "[file:hashes.MD5 = '4e02b1b1d32e23975f496d1d1e0eb7a6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-03T12:06:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d95e44c-1f40-4f7a-842f-4834950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:06:35.000Z",
"modified": "2019-10-03T12:06:35.000Z",
"pattern": "[file:hashes.MD5 = '518ab503808e747c5d0dde6bfb54b95a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-03T12:06:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d95e44c-d36c-480d-b175-4bc9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:06:36.000Z",
"modified": "2019-10-03T12:06:36.000Z",
"pattern": "[file:hashes.MD5 = '7911f8d717dc9d7a78d99e687a12d7ad']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-03T12:06:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d95e44c-39dc-46a5-9820-47c8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:06:36.000Z",
"modified": "2019-10-03T12:06:36.000Z",
"pattern": "[file:hashes.MD5 = '9c7e50e7ce36c1b7d8ca2af2082f4cd5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-03T12:06:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d95e44c-d07c-4b64-922d-472b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:06:36.000Z",
"modified": "2019-10-03T12:06:36.000Z",
"pattern": "[file:hashes.MD5 = 'a0387665fe7e006b5233c66f6bd5bb9d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-03T12:06:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d95e44c-f164-4110-854d-43d9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:06:36.000Z",
"modified": "2019-10-03T12:06:36.000Z",
"pattern": "[file:hashes.MD5 = 'f6caa1bfcca872f0cbe2e7346b006ab4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-03T12:06:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d95e498-07f0-44dc-a11c-4453950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:07:52.000Z",
"modified": "2019-10-03T12:07:52.000Z",
"pattern": "[domain-name:value = 'adstat.pw']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-03T12:07:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d95e498-174c-408d-ac07-4aac950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:07:52.000Z",
"modified": "2019-10-03T12:07:52.000Z",
"pattern": "[domain-name:value = 'bill-tat.pw']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-03T12:07:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5d95e4eb-d450-4d33-981b-49bfe387cbd9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:09:15.000Z",
"modified": "2019-10-03T12:09:15.000Z",
"first_observed": "2019-10-03T12:09:15Z",
"last_observed": "2019-10-03T12:09:15Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5d95e4eb-d450-4d33-981b-49bfe387cbd9",
"ipv4-addr--5d95e4eb-d450-4d33-981b-49bfe387cbd9"
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5d95e4eb-d450-4d33-981b-49bfe387cbd9",
"src_ref": "ipv4-addr--5d95e4eb-d450-4d33-981b-49bfe387cbd9",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5d95e4eb-d450-4d33-981b-49bfe387cbd9",
"value": "200.63.45.192"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5d95e72f-d3c4-42e0-8040-4fe9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:18:55.000Z",
"modified": "2019-10-03T12:18:55.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "In April 2019, we discovered new malware that compromises encrypted web communications in an impressive way. Analysis of the malware allowed us to confirm that the operators have some control over the target\u2019s network channel and could replace legitimate installers with infected ones on the fly. That places the actor in a very exclusive club, with capabilities that few other actors in the world have.\r\n\r\nWe called these new modules \u2018Reductor\u2019 after a .pdb path left in some samples. Besides typical RAT functions such as uploading, downloading and executing files, Reductor\u2019s authors put a lot of effort into manipulating digital certificates and marking outbound TLS traffic with unique host-related identifiers.\r\n\r\nThe Kaspersky Attribution Engine shows strong code similarities between this family and the COMPfun Trojan. Moreover, further research showed that the original COMpfun Trojan most probably is used as a downloader in one of the distribution schemes. Based on these similarities, we\u2019re quite sure the new malware was developed by the COMPfun authors.\r\n\r\nThe COMpfun malware was initially documented by G-DATA in 2014. Although G-DATA didn\u2019t identify which actor was using this malware, Kaspersky tentatively linked it to the Turla APT, based on the victimology. Our telemetry indicates that the current campaign using Reductor started at the end of April 2019 and remained active at the time of writing (August 2019). We identified targets in Russia and Belarus.\r\n\r\nWe registered two initial infection schemes: Reductor spreads by either infecting popular software distributions (Internet Downloader Manager, WinRAR, etc. and, for at least one victim, through a popular warez website over HTTP); or its decryptor/dropper is spread using COMpfun\u2019s ability to download files on already infected hosts."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d9ec7e0-48e0-4106-ac7e-43e2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-10T05:55:44.000Z",
"modified": "2019-10-10T05:55:44.000Z",
"pattern": "[file:hashes.MD5 = '3e93f8b7c46a32236c225926d9f063f2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-10T05:55:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d9ec7e0-a730-412b-a02e-4ba1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-10T05:55:44.000Z",
"modified": "2019-10-10T05:55:44.000Z",
"pattern": "[file:hashes.MD5 = '5a5de7165faa9ad0ed3b2094ee6cff89']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-10T05:55:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9499eb17-e165-4ddd-96ff-6a04056a5197",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:07:08.000Z",
"modified": "2019-10-03T12:07:08.000Z",
"pattern": "[file:hashes.MD5 = '7911f8d717dc9d7a78d99e687a12d7ad' AND file:hashes.SHA1 = 'e49666f7882f299c2845c7e31e3d842a387ef10d' AND file:hashes.SHA256 = '4e2d038e9d72ee4d660755ba973a31471dda167d1a51bfdfe60abb2b3de78ba1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-03T12:07:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--2c492ff9-0eaf-47ec-882b-28395b2447c9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:07:08.000Z",
"modified": "2019-10-03T12:07:08.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-05-19 16:41:15",
"category": "Other",
"uuid": "6f1c02b3-7e03-4457-b0d2-bb57f4594085"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/4e2d038e9d72ee4d660755ba973a31471dda167d1a51bfdfe60abb2b3de78ba1/analysis/1558284075/",
"category": "Payload delivery",
"uuid": "3b60de42-cdef-418e-97ce-93717a2412ce"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "26/68",
"category": "Payload delivery",
"uuid": "334ec304-ebb4-4527-badb-85b9d0ada237"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d95e5cb-de84-4411-9e52-4c52950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:12:59.000Z",
"modified": "2019-10-03T12:12:59.000Z",
"pattern": "[x509-certificate:hashes.SHA1 = '119b2be9c17d8c7c5ab0fa1a17aaf69082bab21d' AND x509-certificate:issuer = 'ie-paypal' AND x509-certificate:validity_not_after = '20311117T000000-0800']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-03T12:12:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"x509\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d95e621-1790-4a3f-8d53-4a22950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:14:25.000Z",
"modified": "2019-10-03T12:14:25.000Z",
"pattern": "[x509-certificate:hashes.SHA1 = '546f7a565920aeb0021a1d05525ff0b3df51d020' AND x509-certificate:issuer = 'GeoTrust Rsa CA' AND x509-certificate:validity_not_after = '20311117T000000-0800']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-03T12:14:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"x509\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d95e659-fdbc-41db-8e88-4990950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:15:21.000Z",
"modified": "2019-10-03T12:15:21.000Z",
"pattern": "[x509-certificate:hashes.SHA1 = '959eb6c7f45b7c5c761d5b758e65d9ef7ea20cf3' AND x509-certificate:issuer = 'GeoTrust Rsa CA' AND x509-certificate:validity_not_after = '20311117T000000-0800']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-03T12:15:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"x509\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d95e68b-16c0-47d1-bd8a-4269950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:16:11.000Z",
"modified": "2019-10-03T12:16:11.000Z",
"pattern": "[x509-certificate:hashes.SHA1 = '992bace0bc815e43626d59d790cef50907c6ea9b' AND x509-certificate:issuer = 'VeriSign, Inc.' AND x509-certificate:validity_not_after = '20311117T000000-0800']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-03T12:16:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"x509\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T13:01:33.000Z",
"modified": "2019-10-03T13:01:33.000Z",
"labels": [
"misp:name=\"command\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "All C2 communications are handled in a standalone malware thread. Reductor sends HTTP POST queries to the /query.php scripts on the C2s listed in its configuration. The POST query contains the target\u2019s unique hardware ID encrypted with AES 128. The C2 returns one of the following encrypted commands.",
"category": "Other",
"uuid": "5d95ee8f-dac0-4724-94ca-47b1950d210f"
},
{
"type": "text",
"object_relation": "trigger",
"value": "Network",
"category": "Other",
"uuid": "5d95ee8f-16dc-43b1-855c-40e7950d210f"
},
{
"type": "text",
"object_relation": "location",
"value": "Bundled",
"category": "Other",
"uuid": "5d95ee8f-5850-4ebf-a819-4720950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5d95eeae-1724-4536-b98c-49b2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:50:54.000Z",
"modified": "2019-10-03T12:50:54.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "Get the host name",
"category": "Other",
"uuid": "5d95eeaf-7354-452c-9798-43b6950d210f"
},
{
"type": "text",
"object_relation": "value",
"value": "hostinfo",
"category": "Other",
"uuid": "5d95eeaf-1290-4305-be37-498a950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5d95eec7-48f8-4b2a-9558-46c5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:51:19.000Z",
"modified": "2019-10-03T12:51:19.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "Get the timeout value from the corresponding registry value",
"category": "Other",
"uuid": "5d95eec7-cf64-4268-8a63-434a950d210f"
},
{
"type": "text",
"object_relation": "value",
"value": "gettimeout",
"category": "Other",
"uuid": "5d95eec7-15a8-4238-adfd-4542950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5d95eeee-23fc-4693-becb-4b7b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:51:58.000Z",
"modified": "2019-10-03T12:51:58.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "Parse strings and set corresponding values in the system registries. So far only one option is supported \u2013 timeout",
"category": "Other",
"uuid": "5d95eeef-4b14-435e-9364-4fb2950d210f"
},
{
"type": "text",
"object_relation": "value",
"value": "options",
"category": "Other",
"uuid": "5d95eeef-1d38-409c-8396-4060950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5d95ef16-1204-47ba-8bc9-41dd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:52:38.000Z",
"modified": "2019-10-03T12:52:38.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "Transmit the current C2 domains used by target",
"category": "Other",
"uuid": "5d95ef16-0388-41d5-a2f7-4569950d210f"
},
{
"type": "text",
"object_relation": "value",
"value": "domainlist",
"category": "Other",
"uuid": "5d95ef16-9d5c-4b14-9227-4fbb950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5d95ef38-f244-4c43-a544-41c5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:53:12.000Z",
"modified": "2019-10-03T12:53:12.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "Download the file of interest",
"category": "Other",
"uuid": "5d95ef38-d59c-419e-89e3-42d6950d210f"
},
{
"type": "text",
"object_relation": "value",
"value": "downfile",
"category": "Other",
"uuid": "5d95ef38-86b4-44d0-891a-4d3e950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5d95ef5c-eb2c-48f9-a95f-42ea950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:53:48.000Z",
"modified": "2019-10-03T12:53:48.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "Upload the file of interest",
"category": "Other",
"uuid": "5d95ef5c-86f4-4135-836e-41bf950d210f"
},
{
"type": "text",
"object_relation": "value",
"value": "upfile",
"category": "Other",
"uuid": "5d95ef5c-4734-4a1c-9d21-4c56950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5d95ef87-54fc-49aa-a417-4740950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:54:31.000Z",
"modified": "2019-10-03T12:54:31.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "Create the process that executes mentioned file",
"category": "Other",
"uuid": "5d95ef87-53d8-449a-9c86-47a1950d210f"
},
{
"type": "text",
"object_relation": "value",
"value": "execfile",
"category": "Other",
"uuid": "5d95ef87-deb8-47dc-8bdd-45bb950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5d95ef9f-972c-4b95-b577-41ef950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:54:55.000Z",
"modified": "2019-10-03T12:54:55.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "Do nothing. Possibly used to check the connection with the host",
"category": "Other",
"uuid": "5d95ef9f-3878-4f8f-b286-4bdd950d210f"
},
{
"type": "text",
"object_relation": "value",
"value": "nop",
"category": "Other",
"uuid": "5d95ef9f-880c-471d-9849-49a3950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5d95efbc-3038-48e6-b25c-48a8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:55:24.000Z",
"modified": "2019-10-03T12:55:24.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "Delete installed digital certificates, files, cookies and system registry values including those related to COM CLSID or LSA notification package persistence",
"category": "Other",
"uuid": "5d95efbc-e7c8-4d86-9b0d-4c79950d210f"
},
{
"type": "text",
"object_relation": "value",
"value": "kill",
"category": "Other",
"uuid": "5d95efbc-18f4-421c-bc70-4f6d950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5d95efd6-61e4-458e-8445-42c4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:55:50.000Z",
"modified": "2019-10-03T12:55:50.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "Delete file at a specified path",
"category": "Other",
"uuid": "5d95efd7-d120-4621-a7e8-43b4950d210f"
},
{
"type": "text",
"object_relation": "value",
"value": "deletefile",
"category": "Other",
"uuid": "5d95efd7-74e0-498c-b936-404e950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5d95effb-e4a0-41af-b5a8-48b4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-10-03T12:56:27.000Z",
"modified": "2019-10-03T12:56:27.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "Renew the digital certificates installed on target",
"category": "Other",
"uuid": "5d95effc-6a30-4f50-833b-4fef950d210f"
},
{
"type": "text",
"object_relation": "value",
"value": "certlist",
"category": "Other",
"uuid": "5d95effc-2bd8-4075-b30e-4892950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--98032714-2a30-4f3e-be64-8d46893cd56d",
"created": "2019-10-03T12:07:08.000Z",
"modified": "2019-10-03T12:07:08.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--9499eb17-e165-4ddd-96ff-6a04056a5197",
"target_ref": "x-misp-object--2c492ff9-0eaf-47ec-882b-28395b2447c9"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--a53e6c7b-4332-47d5-8f27-16c1ee292d91",
"created": "2019-10-03T12:57:03.000Z",
"modified": "2019-10-03T12:57:03.000Z",
"relationship_type": "includes",
"source_ref": "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f",
"target_ref": "x-misp-object--5d95ef87-54fc-49aa-a417-4740950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--2326aa58-b616-4327-b322-fa598c7fae88",
"created": "2019-10-03T12:57:36.000Z",
"modified": "2019-10-03T12:57:36.000Z",
"relationship_type": "includes",
"source_ref": "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f",
"target_ref": "x-misp-object--5d95eeae-1724-4536-b98c-49b2950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--05a36987-15ec-40bf-89aa-1f8fb79df9cc",
"created": "2019-10-03T12:58:22.000Z",
"modified": "2019-10-03T12:58:22.000Z",
"relationship_type": "includes",
"source_ref": "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f",
"target_ref": "x-misp-object--5d95eec7-48f8-4b2a-9558-46c5950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--9b2552c7-aecc-42ff-94cd-6b162b6374c0",
"created": "2019-10-03T12:58:48.000Z",
"modified": "2019-10-03T12:58:48.000Z",
"relationship_type": "includes",
"source_ref": "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f",
"target_ref": "x-misp-object--5d95ef16-1204-47ba-8bc9-41dd950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--904a3f69-5ab0-45da-8da4-17a8b011e0d5",
"created": "2019-10-03T12:59:08.000Z",
"modified": "2019-10-03T12:59:08.000Z",
"relationship_type": "includes",
"source_ref": "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f",
"target_ref": "x-misp-object--5d95ef9f-972c-4b95-b577-41ef950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--439a6a6f-8e85-4a9d-a8bb-e18f0f0dbbff",
"created": "2019-10-03T12:59:32.000Z",
"modified": "2019-10-03T12:59:32.000Z",
"relationship_type": "includes",
"source_ref": "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f",
"target_ref": "x-misp-object--5d95efbc-3038-48e6-b25c-48a8950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--ea037375-e82f-4bea-bd9a-1241ed8511fc",
"created": "2019-10-03T13:00:11.000Z",
"modified": "2019-10-03T13:00:11.000Z",
"relationship_type": "includes",
"source_ref": "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f",
"target_ref": "x-misp-object--5d95effb-e4a0-41af-b5a8-48b4950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--4cb42458-0728-4bcc-9893-6f7969838cbf",
"created": "2019-10-03T13:00:31.000Z",
"modified": "2019-10-03T13:00:31.000Z",
"relationship_type": "includes",
"source_ref": "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f",
"target_ref": "x-misp-object--5d95efd6-61e4-458e-8445-42c4950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--901242f1-2224-4766-886f-6377b5c4669f",
"created": "2019-10-03T13:00:49.000Z",
"modified": "2019-10-03T13:00:49.000Z",
"relationship_type": "includes",
"source_ref": "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f",
"target_ref": "x-misp-object--5d95ef38-f244-4c43-a544-41c5950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--521b49a2-12bc-472e-bfff-e2fb4782a202",
"created": "2019-10-03T13:01:12.000Z",
"modified": "2019-10-03T13:01:12.000Z",
"relationship_type": "includes",
"source_ref": "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f",
"target_ref": "x-misp-object--5d95eeee-23fc-4693-becb-4b7b950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--3c8a59b7-35b9-4d39-9fc7-9153f5dcfff9",
"created": "2019-10-03T13:01:33.000Z",
"modified": "2019-10-03T13:01:33.000Z",
"relationship_type": "includes",
"source_ref": "x-misp-object--5d95ee8f-feec-4106-a189-41c7950d210f",
"target_ref": "x-misp-object--5d95ef5c-eb2c-48f9-a95f-42ea950d210f"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}