{
"type": "bundle",
"id": "bundle--57dfe878-f93c-4eaa-baa9-085f0a950b0c",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--5697b0c4-9474-4336-b675-28140a950b0b",
"created": "2020-12-09T14:13:59.000Z",
"modified": "2020-12-09T14:13:59.000Z",
"name": "NCSC-NL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--57dfe878-f93c-4eaa-baa9-085f0a950b0c",
"created_by_ref": "identity--5697b0c4-9474-4336-b675-28140a950b0b",
"created": "2020-12-09T14:13:59.000Z",
"modified": "2020-12-09T14:13:59.000Z",
"name": "Dridex IoCs",
"published": "2016-10-11T07:31:37Z",
"object_refs": [
"observed-data--57dfe8df-ff08-4dee-9b60-08610a950b0c",
"url--57dfe8df-ff08-4dee-9b60-08610a950b0c",
"x-misp-attribute--57dfeae1-fee4-4995-aec4-085d0a950b0c",
"indicator--57dfe898-0424-402e-ad39-5a120a950b0c",
"indicator--57dfe899-0148-4aaa-b16d-5a120a950b0c",
"indicator--57dfe899-aad4-43d7-aae6-5a120a950b0c",
"indicator--57dfe89a-976c-4691-9742-5a120a950b0c",
"indicator--57dfee80-ba88-42ec-9a44-4a53950d210f",
"indicator--57dfee83-fc38-40b2-a013-4b74950d210f",
"indicator--57dfee85-fe9c-4fe0-9c2d-449e950d210f",
"indicator--57dfee86-6b0c-46ea-bc1e-415b950d210f",
"indicator--57dfee88-4cf8-4a0d-9f8f-442b950d210f",
"indicator--57dfee89-31c4-4f4a-98c6-45eb950d210f",
"indicator--57dfee8a-69e0-4f72-982d-4b01950d210f",
"indicator--57dfee8b-7278-4824-a5a5-4059950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"Dridex",
"circl:incident-classification=\"malware\"",
"ms-caro-malware:malware-platform=\"Win32\"",
"ncsc-nl-ndn:feed=\"selected\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57dfe8df-ff08-4dee-9b60-08610a950b0c",
"created_by_ref": "identity--5697b0c4-9474-4336-b675-28140a950b0b",
"created": "2016-09-19T13:35:24.000Z",
"modified": "2016-09-19T13:35:24.000Z",
"first_observed": "2016-09-19T13:35:24Z",
"last_observed": "2016-09-19T13:35:24Z",
"number_observed": 1,
"object_refs": [
"url--57dfe8df-ff08-4dee-9b60-08610a950b0c"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57dfe8df-ff08-4dee-9b60-08610a950b0c",
"value": "https://securityintelligence.com/hey-dridex-tu-runa-latviski/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57dfeae1-fee4-4995-aec4-085d0a950b0c",
"created_by_ref": "identity--5697b0c4-9474-4336-b675-28140a950b0b",
"created": "2016-09-19T13:40:49.000Z",
"modified": "2016-09-19T13:40:49.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_type": "comment",
"x_misp_value": "According to IBM X-Force Research, Dridex configurations from the past two months are replete with a hefty count of targets in some more common countries, such as the U.S., U.K., Canada and Australia. However, the Trojan is targeting some less charted territories as well, such as Lithuania, Latvia, Estonia, Lebanon and Ukraine, to name a few. This is quite uncommon for any banking Trojan.\r\n\r\nPer its configuration files, Dridex currently targets over 20 Latvian banks, three banks in Estonia, three in Lithuania and one in Ukraine, among its other uncommon choices of late."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57dfe898-0424-402e-ad39-5a120a950b0c",
"created_by_ref": "identity--5697b0c4-9474-4336-b675-28140a950b0b",
"created": "2016-09-19T13:31:04.000Z",
"modified": "2016-09-19T13:31:04.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[file:hashes.MD5 = 'fa6781ced155213d7a7535bbe109cf04']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-09-19T13:31:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57dfe899-0148-4aaa-b16d-5a120a950b0c",
"created_by_ref": "identity--5697b0c4-9474-4336-b675-28140a950b0b",
"created": "2016-09-19T13:31:05.000Z",
"modified": "2016-09-19T13:31:05.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[file:hashes.MD5 = 'f5fe906f801d99fafa8a9e0584a37008']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-09-19T13:31:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57dfe899-aad4-43d7-aae6-5a120a950b0c",
"created_by_ref": "identity--5697b0c4-9474-4336-b675-28140a950b0b",
"created": "2016-09-19T13:31:05.000Z",
"modified": "2016-09-19T13:31:05.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[file:hashes.MD5 = '7752eaeac2c3a37bba3564fbab0233fc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-09-19T13:31:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57dfe89a-976c-4691-9742-5a120a950b0c",
"created_by_ref": "identity--5697b0c4-9474-4336-b675-28140a950b0b",
"created": "2016-09-19T13:31:06.000Z",
"modified": "2016-09-19T13:31:06.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[file:hashes.MD5 = 'f8fd038db826a1e1c28d384cdc61a82d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-09-19T13:31:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57dfee80-ba88-42ec-9a44-4a53950d210f",
"created_by_ref": "identity--5697b0c4-9474-4336-b675-28140a950b0b",
"created": "2016-09-19T13:56:16.000Z",
"modified": "2016-09-19T13:56:16.000Z",
"description": "Automatically added (via fa6781ced155213d7a7535bbe109cf04)",
"pattern": "[file:hashes.SHA1 = '33d75eb5f9cf1ec42a86a110ffa739fade550361']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-09-19T13:56:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57dfee83-fc38-40b2-a013-4b74950d210f",
"created_by_ref": "identity--5697b0c4-9474-4336-b675-28140a950b0b",
"created": "2016-09-19T13:56:19.000Z",
"modified": "2016-09-19T13:56:19.000Z",
"description": "Automatically added (via fa6781ced155213d7a7535bbe109cf04)",
"pattern": "[file:hashes.SHA256 = 'ea00c9d89e42c3e5c87577dac8cc4c074523becce6bccf6cfe1fd18fa6db1083']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-09-19T13:56:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57dfee85-fe9c-4fe0-9c2d-449e950d210f",
"created_by_ref": "identity--5697b0c4-9474-4336-b675-28140a950b0b",
"created": "2016-09-19T13:56:21.000Z",
"modified": "2016-09-19T13:56:21.000Z",
"description": "Automatically added (via f5fe906f801d99fafa8a9e0584a37008)",
"pattern": "[file:hashes.SHA1 = 'a80175b91e3f9606e63dd0d9a9271e23bbe10321']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-09-19T13:56:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57dfee86-6b0c-46ea-bc1e-415b950d210f",
"created_by_ref": "identity--5697b0c4-9474-4336-b675-28140a950b0b",
"created": "2016-09-19T13:56:22.000Z",
"modified": "2016-09-19T13:56:22.000Z",
"description": "Automatically added (via f5fe906f801d99fafa8a9e0584a37008)",
"pattern": "[file:hashes.SHA256 = '10b12825603dc3f1946bfd4e7cbebda5885fe4fccaeb0df8b6e862ad3dad720b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-09-19T13:56:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57dfee88-4cf8-4a0d-9f8f-442b950d210f",
"created_by_ref": "identity--5697b0c4-9474-4336-b675-28140a950b0b",
"created": "2016-09-19T13:56:24.000Z",
"modified": "2016-09-19T13:56:24.000Z",
"description": "Automatically added (via 7752eaeac2c3a37bba3564fbab0233fc)",
"pattern": "[file:hashes.SHA1 = 'c20c12991e8f1c7a520229fdd924fa0c6335302f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-09-19T13:56:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57dfee89-31c4-4f4a-98c6-45eb950d210f",
"created_by_ref": "identity--5697b0c4-9474-4336-b675-28140a950b0b",
"created": "2016-09-19T13:56:25.000Z",
"modified": "2016-09-19T13:56:25.000Z",
"description": "Automatically added (via 7752eaeac2c3a37bba3564fbab0233fc)",
"pattern": "[file:hashes.SHA256 = '82b727ce67a96ec3f929a628e0533eaa377734579d02bc7cf76b874083bbc8ab']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-09-19T13:56:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57dfee8a-69e0-4f72-982d-4b01950d210f",
"created_by_ref": "identity--5697b0c4-9474-4336-b675-28140a950b0b",
"created": "2016-09-19T13:56:26.000Z",
"modified": "2016-09-19T13:56:26.000Z",
"description": "Automatically added (via f8fd038db826a1e1c28d384cdc61a82d)",
"pattern": "[file:hashes.SHA1 = '0ecbb4d0fe1ab0a716f80da855c6b75860ad7dd1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-09-19T13:56:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57dfee8b-7278-4824-a5a5-4059950d210f",
"created_by_ref": "identity--5697b0c4-9474-4336-b675-28140a950b0b",
"created": "2016-09-19T13:56:27.000Z",
"modified": "2016-09-19T13:56:27.000Z",
"description": "Automatically added (via f8fd038db826a1e1c28d384cdc61a82d)",
"pattern": "[file:hashes.SHA256 = '49a247166e5af64c9e593d75d751ba8366171c010cc3d57f17ab5657fb6d35a7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-09-19T13:56:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}