{
"type": "bundle",
"id": "bundle--551e7a4b-3774-4565-b850-7455950d210b",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-02-22T10:05:19.000Z",
"modified": "2017-02-22T10:05:19.000Z",
"name": "CthulhuSPRL.be",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--551e7a4b-3774-4565-b850-7455950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-02-22T10:05:19.000Z",
"modified": "2017-02-22T10:05:19.000Z",
"name": "OSINT APT Volatile Cedar APT yara rules by Florian Roth",
"published": "2017-02-22T10:06:19Z",
"object_refs": [
"observed-data--551e7a72-f7c0-4731-babf-9144950d210b",
"url--551e7a72-f7c0-4731-babf-9144950d210b",
"observed-data--551e7a72-3f9c-41d1-9f3d-9144950d210b",
"url--551e7a72-3f9c-41d1-9f3d-9144950d210b",
"x-misp-attribute--551e7a7a-fb58-4d36-aa95-8c54950d210b",
"indicator--551e7a8d-cb64-4bfb-9324-0d4d950d210b",
"indicator--551e7ab0-6058-4c27-a3d3-1888950d210b",
"indicator--551e7ab0-563c-423f-a38e-1888950d210b",
"indicator--551e7ac5-33e8-4f73-b75a-1879950d210b",
"indicator--551e7ade-a6ac-4ece-8c6f-9144950d210b",
"indicator--551e7ade-52cc-4ddc-988c-9144950d210b",
"indicator--551e7af6-4868-4fc9-a9c0-0d4d950d210b",
"indicator--551e7b27-4b2c-4218-a89d-13b6950d210b",
"indicator--551e7b27-c880-4330-8ba6-13b6950d210b",
"indicator--551e7b27-868c-4295-b668-13b6950d210b",
"indicator--551e7b27-dde8-44ac-b0e8-13b6950d210b",
"indicator--551e7b27-e69c-40e8-9655-13b6950d210b",
"indicator--551e7b3f-3ad0-4087-a566-1888950d210b",
"indicator--551e7b52-cdc8-45b3-a4d0-1879950d210b",
"indicator--551e7b65-6df0-45de-b935-9144950d210b",
"indicator--56c65903-68f0-43e4-b3a7-4fa6950d210f",
"indicator--56c65904-4070-4328-9210-4eb8950d210f",
"indicator--56c65906-89ac-4e77-af74-4a78950d210f",
"indicator--56c65908-f42c-4e3b-8b06-599c950d210f",
"indicator--56c65909-337c-4c17-ba93-4cfc950d210f",
"indicator--56c6590b-9788-4c39-a6f6-5ca1950d210f",
"indicator--56c6590d-7160-446b-8b5b-59a3950d210f",
"indicator--56c65907-2484-4306-ba55-59a2950d210f",
"indicator--56c65908-cee8-448f-ac42-599e950d210f",
"indicator--56c6590a-0664-45ce-8ed6-44fe950d210f",
"indicator--56c6590c-9720-4fb2-961e-c650950d210f",
"indicator--56c6590e-36f8-459f-a230-c652950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--551e7a72-f7c0-4731-babf-9144950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:33:06.000Z",
"modified": "2015-04-03T11:33:06.000Z",
"first_observed": "2015-04-03T11:33:06Z",
"last_observed": "2015-04-03T11:33:06Z",
"number_observed": 1,
"object_refs": [
"url--551e7a72-f7c0-4731-babf-9144950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--551e7a72-f7c0-4731-babf-9144950d210b",
"value": "https://github.com/Neo23x0/Loki/blob/master/signatures/apt_volatile_cedar.yar"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--551e7a72-3f9c-41d1-9f3d-9144950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:33:06.000Z",
"modified": "2015-04-03T11:33:06.000Z",
"first_observed": "2015-04-03T11:33:06Z",
"last_observed": "2015-04-03T11:33:06Z",
"number_observed": 1,
"object_refs": [
"url--551e7a72-3f9c-41d1-9f3d-9144950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--551e7a72-3f9c-41d1-9f3d-9144950d210b",
"value": "https://github.com/Neo23x0/Loki/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--551e7a7a-fb58-4d36-aa95-8c54950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:33:14.000Z",
"modified": "2015-04-03T11:33:14.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Volatile Cedar"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7a8d-cb64-4bfb-9324-0d4d950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:33:33.000Z",
"modified": "2015-04-03T11:33:33.000Z",
"pattern": "[rule Explosion_Sample_1 {\r\n\tmeta:\r\n\t\tdescription = \"Explosion/Explosive Malware - Volatile Cedar APT - file b74bd5660baf67038353136978ed16dbc7d105c60c121cf64c61d8f3d31de32c\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"http://goo.gl/5vYaNb\"\r\n\t\tdate = \"2015/04/03\"\r\n\t\tscore = 70\r\n\t\thash = \"c97693ecb36247bdb44ab3f12dfeae8be4d299bb\"\r\n\tstrings:\r\n\t\t$s5 = \"REG ADD \\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\" ascii\r\n\t\t$s9 = \"WinAutologon From Winlogon Reg\" fullword ascii\r\n\t\t$s10 = \"82BD0E67-9FEA-4748-8672-D5EFE5B779B0\" fullword ascii\r\n\t\t$s11 = \"IE:Password-Protected sites\" fullword ascii\r\n\t\t$s12 = \"\\\\his.sys\" fullword ascii\r\n\t\t$s13 = \"HTTP Password\" fullword ascii\r\n\t\t$s14 = \"\\\\data.sys\" fullword ascii\r\n\t\t$s15 = \"EL$_RasDefaultCredentials#0\" fullword wide\r\n\t\t$s17 = \"Office Outlook HTTP\" fullword ascii\r\n\t\t$s20 = \"Hist :<b> %ws</b> :%s </br></br>\" fullword ascii\r\n\tcondition:\r\n\t\tall of them and\r\n uint16(0) == 0x5A4D\r\n}]",
"pattern_type": "yara",
"valid_from": "2015-04-03T11:33:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7ab0-6058-4c27-a3d3-1888950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:34:08.000Z",
"modified": "2015-04-03T11:34:08.000Z",
"pattern": "[file:hashes.SHA256 = 'b74bd5660baf67038353136978ed16dbc7d105c60c121cf64c61d8f3d31de32c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:34:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7ab0-563c-423f-a38e-1888950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:34:08.000Z",
"modified": "2015-04-03T11:34:08.000Z",
"pattern": "[file:hashes.SHA1 = 'c97693ecb36247bdb44ab3f12dfeae8be4d299bb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:34:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7ac5-33e8-4f73-b75a-1879950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:34:29.000Z",
"modified": "2015-04-03T11:34:29.000Z",
"pattern": "[rule Explosion_Sample_2 {\r\n\tmeta:\r\n\t\tdescription = \"Explosion/Explosive Malware - Volatile Cedar APT - file bfc63b30624332f4fc2e510f95b69d18dd0241eb0d2fcd33ed2e81b7275ab488\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"http://goo.gl/5vYaNb\"\r\n\t\tdate = \"2015/04/03\"\r\n\t\tscore = 70\r\n\t\thash = \"62fe6e9e395f70dd632c70d5d154a16ff38dcd29\"\r\n\tstrings:\r\n\t\t$s0 = \"serverhelp.dll\" fullword wide\r\n\t\t$s1 = \"Windows Help DLL\" fullword wide\r\n\t\t$s5 = \"SetWinHoK\" fullword ascii\r\n\tcondition:\r\n\t\tall of them and\r\n uint16(0) == 0x5A4D\r\n}]",
"pattern_type": "yara",
"valid_from": "2015-04-03T11:34:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7ade-a6ac-4ece-8c6f-9144950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:34:54.000Z",
"modified": "2015-04-03T11:34:54.000Z",
"pattern": "[file:hashes.SHA256 = 'bfc63b30624332f4fc2e510f95b69d18dd0241eb0d2fcd33ed2e81b7275ab488']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:34:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7ade-52cc-4ddc-988c-9144950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:34:54.000Z",
"modified": "2015-04-03T11:34:54.000Z",
"pattern": "[file:hashes.SHA1 = '62fe6e9e395f70dd632c70d5d154a16ff38dcd29']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:34:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7af6-4868-4fc9-a9c0-0d4d950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:35:18.000Z",
"modified": "2015-04-03T11:35:18.000Z",
"pattern": "[rule Explosion_Generic_1 {\r\n\tmeta:\r\n\t\tdescription = \"Generic Rule for Explosion/Explosive Malware - Volatile Cedar APT\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"not set\"\r\n\t\tdate = \"2015/04/03\"\r\n\t\tscore = 70\r\n\t\tsuper_rule = 1\r\n\t\thash0 = \"d0f059ba21f06021579835a55220d1e822d1233f95879ea6f7cb9d301408c821\"\r\n\t\thash1 = \"1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908\"\r\n\t\thash2 = \"d8fdcdaad652c19f4f4676cd2f89ae834dbc19e2759a206044b18601875f2726\"\r\n\t\thash3 = \"e2e6ed82703de21eb4c5885730ba3db42f3ddda8b94beb2ee0c3af61bc435747\"\r\n\t\thash4 = \"03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0\"\r\n\tstrings:\r\n\t\t$s0 = \"autorun.exe\" fullword\r\n\t\t$s1 = \"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; MSIE 6.0; Windows NT 5.1; .NET CL\"\r\n\t\t$s2 = \"%drp.exe\" fullword\r\n\t\t$s3 = \"%s_%s%d.exe\" fullword\r\n\t\t$s4 = \"open=autorun.exe\" fullword\r\n\t\t$s5 = \"http://www.microsoft.com/en-us/default.aspx\" fullword\r\n\t\t$s10 = \"error.renamefile\" fullword\r\n\t\t$s12 = \"insufficient lookahead\" fullword\r\n\t\t$s13 = \"%s %s|\" fullword\r\n\t\t$s16 = \":\\\\autorun.exe\" fullword\r\n\tcondition:\r\n\t\t7 of them and\r\n uint16(0) == 0x5A4D\r\n}]",
"pattern_type": "yara",
"valid_from": "2015-04-03T11:35:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7b27-4b2c-4218-a89d-13b6950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:36:07.000Z",
"modified": "2015-04-03T11:36:07.000Z",
"pattern": "[file:hashes.SHA256 = 'd0f059ba21f06021579835a55220d1e822d1233f95879ea6f7cb9d301408c821']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:36:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7b27-c880-4330-8ba6-13b6950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:36:07.000Z",
"modified": "2015-04-03T11:36:07.000Z",
"pattern": "[file:hashes.SHA256 = '1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:36:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7b27-868c-4295-b668-13b6950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:36:07.000Z",
"modified": "2015-04-03T11:36:07.000Z",
"pattern": "[file:hashes.SHA256 = 'd8fdcdaad652c19f4f4676cd2f89ae834dbc19e2759a206044b18601875f2726']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:36:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7b27-dde8-44ac-b0e8-13b6950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:36:07.000Z",
"modified": "2015-04-03T11:36:07.000Z",
"pattern": "[file:hashes.SHA256 = 'e2e6ed82703de21eb4c5885730ba3db42f3ddda8b94beb2ee0c3af61bc435747']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:36:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7b27-e69c-40e8-9655-13b6950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:36:07.000Z",
"modified": "2015-04-03T11:36:07.000Z",
"pattern": "[file:hashes.SHA256 = '03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:36:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7b3f-3ad0-4087-a566-1888950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:36:31.000Z",
"modified": "2015-04-03T11:36:31.000Z",
"pattern": "[rule Explosive_UA {\r\n\tmeta:\r\n\t\tdescription = \"Explosive Malware Embedded User Agent - Volatile Cedar APT http://goo.gl/HQRCdw\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"http://goo.gl/HQRCdw\"\r\n\t\tdate = \"2015/04/03\"\r\n\t\tscore = 60\r\n\tstrings:\r\n\t\t$x1 = \"Mozilla/4.0 (compatible; MSIE 7.0; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727)\" fullword\r\n\tcondition:\r\n\t\t$x1 and\r\n uint16(0) == 0x5A4D\r\n}]",
"pattern_type": "yara",
"valid_from": "2015-04-03T11:36:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7b52-cdc8-45b3-a4d0-1879950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-02-22T10:05:19.000Z",
"modified": "2017-02-22T10:05:19.000Z",
"description": "copy/paste typo?",
"pattern": "[rule Webshell_Caterpillar_ASPX {\r\n\tmeta:\r\n\t\tdescription = \"Volatile Cedar Webshell - from file caterpillar.aspx\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"http://goo.gl/emons5\"\r\n\t\tdate = \"2015/04/03\"\r\n\t\tsuper_rule = 1\r\n\t\thash0 = \"af4c99208fb92dc42bc98c4f96c3536ec8f3fe56\"\r\n\tstrings:\r\n\t\t$s0 = \"Dim objNewRequest As WebRequest = HttpWebRequest.Create(sURL)\" fullword\r\n\t\t$s1 = \"command = \\\"ipconfig /all\\\"\" fullword\r\n\t\t$s3 = \"For Each xfile In mydir.GetFiles()\" fullword\r\n\t\t$s6 = \"Dim oScriptNet = Server.CreateObject(\\\"WSCRIPT.NETWORK\\\")\" fullword\r\n\t\t$s10 = \"recResult = adoConn.Execute(strQuery)\" fullword\r\n\t\t$s12 = \"b = Request.QueryString(\\\"src\\\")\" fullword\r\n\t\t$s13 = \"rw(\\\"<a href='\\\" + link + \\\"' target='\\\" + target + \\\"'>\\\" + title + \\\"</a>\\\")\" fullword\r\n\tcondition:\r\n\t\tall of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-22T10:05:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7b65-6df0-45de-b935-9144950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:37:09.000Z",
"modified": "2015-04-03T11:37:09.000Z",
"pattern": "[file:hashes.SHA1 = 'af4c99208fb92dc42bc98c4f96c3536ec8f3fe56']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:37:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65903-68f0-43e4-b3a7-4fa6950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:31.000Z",
"modified": "2016-02-18T23:51:31.000Z",
"description": "Automatically added (via c97693ecb36247bdb44ab3f12dfeae8be4d299bb)",
"pattern": "[file:hashes.MD5 = '08c988d6cebdd55f3b123f2d9d5507a6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65904-4070-4328-9210-4eb8950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:32.000Z",
"modified": "2016-02-18T23:51:32.000Z",
"description": "Automatically added (via 62fe6e9e395f70dd632c70d5d154a16ff38dcd29)",
"pattern": "[file:hashes.MD5 = '981234d969a4c5e6edea50df009efedd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65906-89ac-4e77-af74-4a78950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:34.000Z",
"modified": "2016-02-18T23:51:34.000Z",
"description": "Automatically added (via d0f059ba21f06021579835a55220d1e822d1233f95879ea6f7cb9d301408c821)",
"pattern": "[file:hashes.MD5 = '7dbc46559efafe8ec8446b836129598c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65908-f42c-4e3b-8b06-599c950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:36.000Z",
"modified": "2016-02-18T23:51:36.000Z",
"description": "Automatically added (via 1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908)",
"pattern": "[file:hashes.MD5 = '9a5a99def615966ea05e3067057d6b37']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65909-337c-4c17-ba93-4cfc950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:37.000Z",
"modified": "2016-02-18T23:51:37.000Z",
"description": "Automatically added (via d8fdcdaad652c19f4f4676cd2f89ae834dbc19e2759a206044b18601875f2726)",
"pattern": "[file:hashes.MD5 = '4f8b989bc424a39649805b5b93318295']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c6590b-9788-4c39-a6f6-5ca1950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:39.000Z",
"modified": "2016-02-18T23:51:39.000Z",
"description": "Automatically added (via e2e6ed82703de21eb4c5885730ba3db42f3ddda8b94beb2ee0c3af61bc435747)",
"pattern": "[file:hashes.MD5 = 'eb7042ad32f41c0e577b5b504c7558ea']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c6590d-7160-446b-8b5b-59a3950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:41.000Z",
"modified": "2016-02-18T23:51:41.000Z",
"description": "Automatically added (via 03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0)",
"pattern": "[file:hashes.MD5 = '2b9106e8df3aa98c3654a4e0733d83e7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65907-2484-4306-ba55-59a2950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:35.000Z",
"modified": "2016-02-18T23:51:35.000Z",
"description": "Automatically added (via d0f059ba21f06021579835a55220d1e822d1233f95879ea6f7cb9d301408c821)",
"pattern": "[file:hashes.SHA1 = 'a1d364c17007a80b8be11d362969b13ada78747e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65908-cee8-448f-ac42-599e950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:36.000Z",
"modified": "2016-02-18T23:51:36.000Z",
"description": "Automatically added (via 1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908)",
"pattern": "[file:hashes.SHA1 = '441e2ac0f144ea9c6ff25670cae8d463e0422d3f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c6590a-0664-45ce-8ed6-44fe950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:38.000Z",
"modified": "2016-02-18T23:51:38.000Z",
"description": "Automatically added (via d8fdcdaad652c19f4f4676cd2f89ae834dbc19e2759a206044b18601875f2726)",
"pattern": "[file:hashes.SHA1 = '1d28d97271072d8736b85372637830e7a1f5d2a9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c6590c-9720-4fb2-961e-c650950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:40.000Z",
"modified": "2016-02-18T23:51:40.000Z",
"description": "Automatically added (via e2e6ed82703de21eb4c5885730ba3db42f3ddda8b94beb2ee0c3af61bc435747)",
"pattern": "[file:hashes.SHA1 = '0da0331e07bb33f6091fc6e1ff0061a00cf88887']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c6590e-36f8-459f-a230-c652950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:42.000Z",
"modified": "2016-02-18T23:51:42.000Z",
"description": "Automatically added (via 03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0)",
"pattern": "[file:hashes.SHA1 = 'db5b0f6256a2e68acffd14c4946971e2e9e90bfb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}