misp-circl-feed/feeds/circl/stix-2.1/59722019-3260-4062-bec5-4eea950d210f.json

325 lines
14 KiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--59722019-3260-4062-bec5-4eea950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-21T15:42:35.000Z",
"modified": "2017-07-21T15:42:35.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--59722019-3260-4062-bec5-4eea950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-21T15:42:35.000Z",
"modified": "2017-07-21T15:42:35.000Z",
"name": "OSINT - Linux.Bew: un backdoor para el minado de Bitcoin",
"published": "2017-07-21T15:45:08Z",
"object_refs": [
"observed-data--59722024-b7ec-415d-a9d6-4032950d210f",
"url--59722024-b7ec-415d-a9d6-4032950d210f",
"x-misp-attribute--59722036-ecec-4b53-a575-40ce950d210f",
"indicator--5972204b-2690-47f3-b113-4dc3950d210f",
"indicator--59722068-7e70-418e-b27b-cf65950d210f",
"indicator--5972207d-12d4-4674-8603-49fe950d210f",
"indicator--5972207d-b374-4e26-b02b-4100950d210f",
"indicator--59722091-daf0-4356-ac59-46a7950d210f",
"indicator--597220a8-2828-4a80-8910-4076950d210f",
"x-misp-attribute--597220ce-d71c-4ec0-b402-41d0950d210f",
"indicator--597220eb-0b04-447b-9d6a-471002de0b81",
"indicator--597220eb-f6a0-4b53-8948-400802de0b81",
"observed-data--597220eb-8224-4341-9cf0-495d02de0b81",
"url--597220eb-8224-4341-9cf0-495d02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59722024-b7ec-415d-a9d6-4032950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-21T15:42:35.000Z",
"modified": "2017-07-21T15:42:35.000Z",
"first_observed": "2017-07-21T15:42:35Z",
"last_observed": "2017-07-21T15:42:35Z",
"number_observed": 1,
"object_refs": [
"url--59722024-b7ec-415d-a9d6-4032950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59722024-b7ec-415d-a9d6-4032950d210f",
"value": "https://www.securityartwork.es/2017/07/21/linux-bew-backdoor-minado-bitcoin/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59722036-ecec-4b53-a575-40ce950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-21T15:42:35.000Z",
"modified": "2017-07-21T15:42:35.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "En el siguiente art\u00c3\u00adculo vamos a analizar una muestra del binario catalogado por varias firmas antivirus como Linux.Bew. (Virustotal), malware de tipo ELF del cual hemos detectado actividad durante este \u00c3\u00baltimo mes."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5972204b-2690-47f3-b113-4dc3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-21T15:42:35.000Z",
"modified": "2017-07-21T15:42:35.000Z",
"pattern": "[file:hashes.SHA256 = '80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-21T15:42:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59722068-7e70-418e-b27b-cf65950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-21T15:42:35.000Z",
"modified": "2017-07-21T15:42:35.000Z",
"pattern": "[file:name = '/root/.config/kdeinit4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-21T15:42:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5972207d-12d4-4674-8603-49fe950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-21T15:42:35.000Z",
"modified": "2017-07-21T15:42:35.000Z",
"pattern": "[domain-name:value = 'hfir.u230.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-21T15:42:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5972207d-b374-4e26-b02b-4100950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-21T15:42:35.000Z",
"modified": "2017-07-21T15:42:35.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.211.49.214']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-21T15:42:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59722091-daf0-4356-ac59-46a7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-21T15:42:35.000Z",
"modified": "2017-07-21T15:42:35.000Z",
"description": "tcp/443",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.58.49.98']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-21T15:42:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--597220a8-2828-4a80-8910-4076950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-21T15:42:35.000Z",
"modified": "2017-07-21T15:42:35.000Z",
"pattern": "[rule LinuxBew: MALW\r\n{\r\n\tmeta:\r\n\t\tdescription = \"Linux.Bew Backdoor\"\r\n\t\tauthor = \"Joan Soriano / @w0lfvan\"\r\n\t\tdate = \"2017-07-10\"\r\n\t\tversion = \"1.0\"\r\n\t\tMD5 = \"27d857e12b9be5d43f935b8cc86eaabf\"\r\n\t\tSHA256 = \"80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06\"\r\n\tstrings:\r\n\t\t$a = \"src/secp256k1.c\"\r\n\t\t$b = \"hfir.u230.org\"\r\n\t\t$c = \u00e2\u20ac\u0153tempfile-x11session\u00e2\u20ac\u009d\r\n\tcondition:\r\n\t\tall of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-07-21T15:42:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--597220ce-d71c-4ec0-b402-41d0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-21T15:42:35.000Z",
"modified": "2017-07-21T15:42:35.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Antivirus detection\""
],
"x_misp_category": "Antivirus detection",
"x_misp_type": "text",
"x_misp_value": "Linux.Bew"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--597220eb-0b04-447b-9d6a-471002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-21T15:42:35.000Z",
"modified": "2017-07-21T15:42:35.000Z",
"description": "- Xchecked via VT: 80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06",
"pattern": "[file:hashes.SHA1 = '4c614317fd1686f8c865c0a8d367c8e22b94087f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-21T15:42:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--597220eb-f6a0-4b53-8948-400802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-21T15:42:35.000Z",
"modified": "2017-07-21T15:42:35.000Z",
"description": "- Xchecked via VT: 80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06",
"pattern": "[file:hashes.MD5 = 'f42c73e5291392c4c39852670addd7f9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-21T15:42:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--597220eb-8224-4341-9cf0-495d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-21T15:42:35.000Z",
"modified": "2017-07-21T15:42:35.000Z",
"first_observed": "2017-07-21T15:42:35Z",
"last_observed": "2017-07-21T15:42:35Z",
"number_observed": 1,
"object_refs": [
"url--597220eb-8224-4341-9cf0-495d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--597220eb-8224-4341-9cf0-495d02de0b81",
"value": "https://www.virustotal.com/file/80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06/analysis/1499436533/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}