325 lines
14 KiB
JSON
325 lines
14 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--59722019-3260-4062-bec5-4eea950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-21T15:42:35.000Z",
|
||
|
"modified": "2017-07-21T15:42:35.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--59722019-3260-4062-bec5-4eea950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-21T15:42:35.000Z",
|
||
|
"modified": "2017-07-21T15:42:35.000Z",
|
||
|
"name": "OSINT - Linux.Bew: un backdoor para el minado de Bitcoin",
|
||
|
"published": "2017-07-21T15:45:08Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--59722024-b7ec-415d-a9d6-4032950d210f",
|
||
|
"url--59722024-b7ec-415d-a9d6-4032950d210f",
|
||
|
"x-misp-attribute--59722036-ecec-4b53-a575-40ce950d210f",
|
||
|
"indicator--5972204b-2690-47f3-b113-4dc3950d210f",
|
||
|
"indicator--59722068-7e70-418e-b27b-cf65950d210f",
|
||
|
"indicator--5972207d-12d4-4674-8603-49fe950d210f",
|
||
|
"indicator--5972207d-b374-4e26-b02b-4100950d210f",
|
||
|
"indicator--59722091-daf0-4356-ac59-46a7950d210f",
|
||
|
"indicator--597220a8-2828-4a80-8910-4076950d210f",
|
||
|
"x-misp-attribute--597220ce-d71c-4ec0-b402-41d0950d210f",
|
||
|
"indicator--597220eb-0b04-447b-9d6a-471002de0b81",
|
||
|
"indicator--597220eb-f6a0-4b53-8948-400802de0b81",
|
||
|
"observed-data--597220eb-8224-4341-9cf0-495d02de0b81",
|
||
|
"url--597220eb-8224-4341-9cf0-495d02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--59722024-b7ec-415d-a9d6-4032950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-21T15:42:35.000Z",
|
||
|
"modified": "2017-07-21T15:42:35.000Z",
|
||
|
"first_observed": "2017-07-21T15:42:35Z",
|
||
|
"last_observed": "2017-07-21T15:42:35Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--59722024-b7ec-415d-a9d6-4032950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--59722024-b7ec-415d-a9d6-4032950d210f",
|
||
|
"value": "https://www.securityartwork.es/2017/07/21/linux-bew-backdoor-minado-bitcoin/"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--59722036-ecec-4b53-a575-40ce950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-21T15:42:35.000Z",
|
||
|
"modified": "2017-07-21T15:42:35.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "En el siguiente art\u00c3\u00adculo vamos a analizar una muestra del binario catalogado por varias firmas antivirus como Linux.Bew. (Virustotal), malware de tipo ELF del cual hemos detectado actividad durante este \u00c3\u00baltimo mes."
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5972204b-2690-47f3-b113-4dc3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-21T15:42:35.000Z",
|
||
|
"modified": "2017-07-21T15:42:35.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-21T15:42:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59722068-7e70-418e-b27b-cf65950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-21T15:42:35.000Z",
|
||
|
"modified": "2017-07-21T15:42:35.000Z",
|
||
|
"pattern": "[file:name = '/root/.config/kdeinit4']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-21T15:42:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5972207d-12d4-4674-8603-49fe950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-21T15:42:35.000Z",
|
||
|
"modified": "2017-07-21T15:42:35.000Z",
|
||
|
"pattern": "[domain-name:value = 'hfir.u230.org']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-21T15:42:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5972207d-b374-4e26-b02b-4100950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-21T15:42:35.000Z",
|
||
|
"modified": "2017-07-21T15:42:35.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.211.49.214']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-21T15:42:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59722091-daf0-4356-ac59-46a7950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-21T15:42:35.000Z",
|
||
|
"modified": "2017-07-21T15:42:35.000Z",
|
||
|
"description": "tcp/443",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.58.49.98']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-21T15:42:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--597220a8-2828-4a80-8910-4076950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-21T15:42:35.000Z",
|
||
|
"modified": "2017-07-21T15:42:35.000Z",
|
||
|
"pattern": "[rule LinuxBew: MALW\r\n{\r\n\tmeta:\r\n\t\tdescription = \"Linux.Bew Backdoor\"\r\n\t\tauthor = \"Joan Soriano / @w0lfvan\"\r\n\t\tdate = \"2017-07-10\"\r\n\t\tversion = \"1.0\"\r\n\t\tMD5 = \"27d857e12b9be5d43f935b8cc86eaabf\"\r\n\t\tSHA256 = \"80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06\"\r\n\tstrings:\r\n\t\t$a = \"src/secp256k1.c\"\r\n\t\t$b = \"hfir.u230.org\"\r\n\t\t$c = \u00e2\u20ac\u0153tempfile-x11session\u00e2\u20ac\u009d\r\n\tcondition:\r\n\t\tall of them\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-07-21T15:42:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--597220ce-d71c-4ec0-b402-41d0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-21T15:42:35.000Z",
|
||
|
"modified": "2017-07-21T15:42:35.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"Antivirus detection\""
|
||
|
],
|
||
|
"x_misp_category": "Antivirus detection",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "Linux.Bew"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--597220eb-0b04-447b-9d6a-471002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-21T15:42:35.000Z",
|
||
|
"modified": "2017-07-21T15:42:35.000Z",
|
||
|
"description": "- Xchecked via VT: 80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06",
|
||
|
"pattern": "[file:hashes.SHA1 = '4c614317fd1686f8c865c0a8d367c8e22b94087f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-21T15:42:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--597220eb-f6a0-4b53-8948-400802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-21T15:42:35.000Z",
|
||
|
"modified": "2017-07-21T15:42:35.000Z",
|
||
|
"description": "- Xchecked via VT: 80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06",
|
||
|
"pattern": "[file:hashes.MD5 = 'f42c73e5291392c4c39852670addd7f9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-21T15:42:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--597220eb-8224-4341-9cf0-495d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-21T15:42:35.000Z",
|
||
|
"modified": "2017-07-21T15:42:35.000Z",
|
||
|
"first_observed": "2017-07-21T15:42:35Z",
|
||
|
"last_observed": "2017-07-21T15:42:35Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--597220eb-8224-4341-9cf0-495d02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--597220eb-8224-4341-9cf0-495d02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06/analysis/1499436533/"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|