365 lines
15 KiB
JSON
365 lines
15 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--59ad9e2d-f574-4d6f-94ac-45e102de0b81",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-06T14:19:17.000Z",
|
||
|
"modified": "2017-09-06T14:19:17.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "grouping",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "grouping--59ad9e2d-f574-4d6f-94ac-45e102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-06T14:19:17.000Z",
|
||
|
"modified": "2017-09-06T14:19:17.000Z",
|
||
|
"name": "OSINT - Cobian RAT \u2013 A backdoored RAT",
|
||
|
"context": "suspicious-activity",
|
||
|
"object_refs": [
|
||
|
"observed-data--59ad9e86-6050-40f3-b339-81f602de0b81",
|
||
|
"url--59ad9e86-6050-40f3-b339-81f602de0b81",
|
||
|
"x-misp-attribute--59ad9e9e-58d8-425d-978a-261f02de0b81",
|
||
|
"indicator--59ad9eee-b230-4355-9883-4eef02de0b81",
|
||
|
"indicator--59ad9eee-9c8c-4013-92b2-426002de0b81",
|
||
|
"indicator--59ad9eee-8ebc-45bc-a052-4dac02de0b81",
|
||
|
"indicator--59ad9eff-507c-4da9-9daa-467c02de0b81",
|
||
|
"indicator--59ad9f44-33bc-4df3-a06f-498002de0b81",
|
||
|
"indicator--59ad9f76-95b4-4e02-8e1b-46da02de0b81",
|
||
|
"indicator--59ad9f76-71c8-476c-a411-465502de0b81",
|
||
|
"observed-data--59ad9f76-02dc-4241-bee7-415402de0b81",
|
||
|
"url--59ad9f76-02dc-4241-bee7-415402de0b81",
|
||
|
"indicator--59ad9f76-537c-48ec-8e7a-4f1c02de0b81",
|
||
|
"indicator--59ad9f76-2a18-4606-a98f-48f002de0b81",
|
||
|
"observed-data--59ad9f76-da08-44f3-a3fa-44a002de0b81",
|
||
|
"url--59ad9f76-da08-44f3-a3fa-44a002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"osint:source-type=\"blog-post\"",
|
||
|
"misp-galaxy:rat=\"Cobian RAT\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--59ad9e86-6050-40f3-b339-81f602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-04T18:46:14.000Z",
|
||
|
"modified": "2017-09-04T18:46:14.000Z",
|
||
|
"first_observed": "2017-09-04T18:46:14Z",
|
||
|
"last_observed": "2017-09-04T18:46:14Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--59ad9e86-6050-40f3-b339-81f602de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--59ad9e86-6050-40f3-b339-81f602de0b81",
|
||
|
"value": "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--59ad9e9e-58d8-425d-978a-261f02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-04T18:46:14.000Z",
|
||
|
"modified": "2017-09-04T18:46:14.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "The Zscaler ThreatLabZ research team has been monitoring a new remote access Trojan (RAT) family called Cobian RAT since February 2017. The RAT builder for this family was first advertised on multiple underground forums where cybercriminals often buy and sell exploit and malware kits. This RAT builder caught our attention as it was being offered for free and had lot of similarities to the njRAT/H-Worm family, which we analyzed in this report."
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59ad9eee-b230-4355-9883-4eef02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-04T18:46:14.000Z",
|
||
|
"modified": "2017-09-04T18:46:14.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '94911666a61beb59d2988c4fc7003e5a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-09-04T18:46:14Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59ad9eee-9c8c-4013-92b2-426002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-04T18:46:14.000Z",
|
||
|
"modified": "2017-09-04T18:46:14.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '7eede7047d3d785db248df0870783637']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-09-04T18:46:14Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59ad9eee-8ebc-45bc-a052-4dac02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-04T18:46:14.000Z",
|
||
|
"modified": "2017-09-04T18:46:14.000Z",
|
||
|
"pattern": "[url:value = 'belkomsolutions.com/t/guangzhou\\\\%20sonicstar\\\\%20electronics\\\\%20co\\\\%20ltd.zip']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-09-04T18:46:14Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59ad9eff-507c-4da9-9daa-467c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-04T18:46:14.000Z",
|
||
|
"modified": "2017-09-04T18:46:14.000Z",
|
||
|
"description": "C&C: swez111.ddns[.]net:20000",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '173.254.223.81']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-09-04T18:46:14Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59ad9f44-33bc-4df3-a06f-498002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-04T18:46:14.000Z",
|
||
|
"modified": "2017-09-04T18:46:14.000Z",
|
||
|
"description": "On port 20000",
|
||
|
"pattern": "[domain-name:value = 'swez111.ddns.net']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-09-04T18:46:14Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59ad9f76-95b4-4e02-8e1b-46da02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-04T18:46:14.000Z",
|
||
|
"modified": "2017-09-04T18:46:14.000Z",
|
||
|
"description": "- Xchecked via VT: 7eede7047d3d785db248df0870783637",
|
||
|
"pattern": "[file:hashes.SHA256 = '020a17a3e3e932f4870152379863b0c19a6a07b04bcffcb65670300c69a5cc28']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-09-04T18:46:14Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59ad9f76-71c8-476c-a411-465502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-04T18:46:14.000Z",
|
||
|
"modified": "2017-09-04T18:46:14.000Z",
|
||
|
"description": "- Xchecked via VT: 7eede7047d3d785db248df0870783637",
|
||
|
"pattern": "[file:hashes.SHA1 = '48e44f342d6a89bf56776c8356ca9a7377fa8d4b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-09-04T18:46:14Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--59ad9f76-02dc-4241-bee7-415402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-04T18:46:14.000Z",
|
||
|
"modified": "2017-09-04T18:46:14.000Z",
|
||
|
"first_observed": "2017-09-04T18:46:14Z",
|
||
|
"last_observed": "2017-09-04T18:46:14Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--59ad9f76-02dc-4241-bee7-415402de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--59ad9f76-02dc-4241-bee7-415402de0b81",
|
||
|
"value": "https://www.virustotal.com/file/020a17a3e3e932f4870152379863b0c19a6a07b04bcffcb65670300c69a5cc28/analysis/1504274179/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59ad9f76-537c-48ec-8e7a-4f1c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-04T18:46:14.000Z",
|
||
|
"modified": "2017-09-04T18:46:14.000Z",
|
||
|
"description": "- Xchecked via VT: 94911666a61beb59d2988c4fc7003e5a",
|
||
|
"pattern": "[file:hashes.SHA256 = 'cfc8324c59165b25b78c640ed77ebd7c867e042e09c95c218d84c5cd8e46910e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-09-04T18:46:14Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59ad9f76-2a18-4606-a98f-48f002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-04T18:46:14.000Z",
|
||
|
"modified": "2017-09-04T18:46:14.000Z",
|
||
|
"description": "- Xchecked via VT: 94911666a61beb59d2988c4fc7003e5a",
|
||
|
"pattern": "[file:hashes.SHA1 = '78174ecc21b4ae638c2064f5c2460d3b06ad397b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-09-04T18:46:14Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--59ad9f76-da08-44f3-a3fa-44a002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-04T18:46:14.000Z",
|
||
|
"modified": "2017-09-04T18:46:14.000Z",
|
||
|
"first_observed": "2017-09-04T18:46:14Z",
|
||
|
"last_observed": "2017-09-04T18:46:14Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--59ad9f76-da08-44f3-a3fa-44a002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--59ad9f76-da08-44f3-a3fa-44a002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/cfc8324c59165b25b78c640ed77ebd7c867e042e09c95c218d84c5cd8e46910e/analysis/1504274176/"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|