{
"type" : "bundle" ,
"id" : "bundle--5b9162c3-90b4-423b-bd69-28330acd0835" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a" ,
"created" : "2021-05-24T09:51:05.000Z" ,
"modified" : "2021-05-24T09:51:05.000Z" ,
"name" : "Synovus Financial" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5b9162c3-90b4-423b-bd69-28330acd0835" ,
"created_by_ref" : "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a" ,
"created" : "2021-05-24T09:51:05.000Z" ,
"modified" : "2021-05-24T09:51:05.000Z" ,
"name" : "powerpool-malware-exploits-zero-day-vulnerability" ,
"published" : "2020-05-11T07:53:26Z" ,
"object_refs" : [
"observed-data--5b9162d7-70bc-4802-a3e8-2efb0acd0835" ,
"url--5b9162d7-70bc-4802-a3e8-2efb0acd0835" ,
"indicator--5b916597-a96c-43dc-bcc0-2f0b0acd0835" ,
"indicator--5b916597-7bc0-45f8-a810-2f0b0acd0835" ,
"indicator--5b916597-dc78-43cb-b1df-2f0b0acd0835" ,
"indicator--5b916597-7ba8-4aaa-98b5-2f0b0acd0835" ,
"indicator--5b916597-ec48-4d1f-b15f-2f0b0acd0835" ,
"indicator--5b91638b-01d0-4303-9938-28310acd0835" ,
"indicator--5b916430-9e3c-4911-b3e9-ca520acd0835" ,
"indicator--5b91647e-fb8c-475d-a647-2eff0acd0835" ,
"indicator--5b916507-21cc-4a2f-aa8c-28280acd0835" ,
"indicator--5b91655c-3648-48a0-82e3-2f140acd0835"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"osint:source-type=\"blog-post\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5b9162d7-70bc-4802-a3e8-2efb0acd0835" ,
"created_by_ref" : "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a" ,
"created" : "2018-09-06T17:28:38.000Z" ,
"modified" : "2018-09-06T17:28:38.000Z" ,
"first_observed" : "2018-09-06T17:28:38Z" ,
"last_observed" : "2018-09-06T17:28:38Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5b9162d7-70bc-4802-a3e8-2efb0acd0835"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5b9162d7-70bc-4802-a3e8-2efb0acd0835" ,
"value" : "https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b916597-a96c-43dc-bcc0-2f0b0acd0835" ,
"created_by_ref" : "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a" ,
"created" : "2018-09-06T17:36:34.000Z" ,
"modified" : "2018-09-06T17:36:34.000Z" ,
"description" : "C2" ,
"pattern" : "[domain-name:value = 'newsrental.net']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-06T17:36:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\"" ,
"veris:action:malware:variety=\"C2\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b916597-7bc0-45f8-a810-2f0b0acd0835" ,
"created_by_ref" : "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a" ,
"created" : "2018-09-06T17:36:34.000Z" ,
"modified" : "2018-09-06T17:36:34.000Z" ,
"description" : "C2" ,
"pattern" : "[domain-name:value = 'rosbusiness.eu']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-06T17:36:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\"" ,
"veris:action:malware:variety=\"C2\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b916597-dc78-43cb-b1df-2f0b0acd0835" ,
"created_by_ref" : "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a" ,
"created" : "2018-09-06T17:36:34.000Z" ,
"modified" : "2018-09-06T17:36:34.000Z" ,
"description" : "C2" ,
"pattern" : "[domain-name:value = 'afishaonline.eu']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-06T17:36:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\"" ,
"veris:action:malware:variety=\"C2\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b916597-7ba8-4aaa-98b5-2f0b0acd0835" ,
"created_by_ref" : "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a" ,
"created" : "2018-09-06T17:36:34.000Z" ,
"modified" : "2018-09-06T17:36:34.000Z" ,
"description" : "C2" ,
"pattern" : "[domain-name:value = 'sports-collectors.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-06T17:36:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\"" ,
"veris:action:malware:variety=\"C2\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b916597-ec48-4d1f-b15f-2f0b0acd0835" ,
"created_by_ref" : "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a" ,
"created" : "2018-09-06T17:49:05.000Z" ,
"modified" : "2018-09-06T17:49:05.000Z" ,
"description" : "C2\r\nCountry: Korea, Republic Of\r\nRegion: Gyeonggi-do\r\nCity: Yongin\r\nISP: Daou Technology" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.102.106.149']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-06T17:49:05Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\"" ,
"veris:action:malware:variety=\"C2\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b91638b-01d0-4303-9938-28310acd0835" ,
"created_by_ref" : "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a" ,
"created" : "2018-09-06T17:28:25.000Z" ,
"modified" : "2018-09-06T17:28:25.000Z" ,
"pattern" : "[file:hashes.MD5 = '32b8d08e67cf509236ae8142fbeb30b3' AND file:hashes.SHA1 = '038f75dcf1e5277565c68d57fa1f4f7b3005f3f3' AND file:hashes.SHA256 = '8c2e729bc086921062e214b7e4c9c4ddf324a0fa53b4ed106f1341cfe8274fe4' AND file:hashes.SSDEEP = '3072:y0FPC7QAKohdraoNpLOxx85wzWVTBfGGMZhm05Pb8QOutp:ba7zfragLOxx85JVTBezZXbLOut' AND file:size = '198656' AND file:x_misp_state = 'Malicious' AND file:x_misp_text = 'First stage backdoor']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-06T17:28:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\"" ,
"veris:action:malware:variety=\"Backdoor\"" ,
"Stage 1"
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b916430-9e3c-4911-b3e9-ca520acd0835" ,
"created_by_ref" : "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a" ,
"created" : "2018-09-06T17:30:24.000Z" ,
"modified" : "2018-09-06T17:30:24.000Z" ,
"pattern" : "[file:hashes.MD5 = 'efe3518ee7d62299d01b7882f72ffd0a' AND file:hashes.SHA1 = '247b542af23ad9c63697428c7b77348681aadc9a' AND file:hashes.SHA256 = '035f97af0def906fbd8f7f15fb8107a9e852a69160669e7c0781888180cd46d5' AND file:hashes.SSDEEP = '3072:hMBIQ8vnQQgZKc1WZL0Az3jGSp0TBfmXnZS1m05xI8QOutt:eBIbPDgZK0yL0Az36e0TBeXZStILOut' AND file:size = '195072' AND file:x_misp_text = 'First stage backdoor' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-06T17:30:24Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\"" ,
"veris:action:malware:variety=\"Backdoor\"" ,
"Stage 1"
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b91647e-fb8c-475d-a647-2eff0acd0835" ,
"created_by_ref" : "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a" ,
"created" : "2018-09-06T17:32:00.000Z" ,
"modified" : "2018-09-06T17:32:00.000Z" ,
"pattern" : "[file:hashes.MD5 = 'e2bd4044fab4214c4aa7dd65d65fca21' AND file:hashes.SHA1 = '0423672fe9201c325e33f296595fb70dcd81bcd9' AND file:hashes.SHA256 = 'af2abf0748013a7084507f8e96f6e7c21a3f962fbbb148dcbb482a98c06940a1' AND file:size = '395776' AND file:x_misp_ssdeep = '6144:Py7VqCkozgC2uNmz/MbVflIaPhlHvuFFNTP9DZ8EX8kE5KRf+L8uvyvcQ0BiF:Py7V6N/wISZvk7TP9F1X8 hcRe8u6wW' AND file:x_misp_state = 'Malicious' AND file:x_misp_text = 'Second stage backdoor']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-06T17:32:00Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\"" ,
"Stage 2" ,
"veris:action:malware:variety=\"Backdoor\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b916507-21cc-4a2f-aa8c-28280acd0835" ,
"created_by_ref" : "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a" ,
"created" : "2018-09-06T17:33:59.000Z" ,
"modified" : "2018-09-06T17:33:59.000Z" ,
"pattern" : "[file:hashes.MD5 = '80e7a7789286d3fb69f083f1a2dddbe6' AND file:hashes.SHA1 = 'b4ec4837d07ff64e34947296e73732171d1c1586' AND file:hashes.SHA256 = '58a50840c04cd15f439f1cc1b684e9f9fa22c0d64f44a391d9e2b1222e5cd6bd' AND file:size = '396288' AND file:x_misp_text = 'Second stage backdoor' AND file:x_misp_ssdeep = '6144:kSH62LyBiglfDq9wD7aG2HODV9cF7Bt7/hNWhZHhvMKpA7KSgodwIFsA40Bia:kSH6F9DiY9udjNW7BvMKp yKsWI97' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-06T17:33:59Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\"" ,
"Stage 2" ,
"veris:action:malware:variety=\"Backdoor\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b91655c-3648-48a0-82e3-2f140acd0835" ,
"created_by_ref" : "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a" ,
"created" : "2018-09-06T17:35:24.000Z" ,
"modified" : "2018-09-06T17:35:24.000Z" ,
"pattern" : "[file:hashes.MD5 = '99670267cbece5f5cc3ce92efd5bb04b' AND file:hashes.SHA1 = '9dc173d4d4f74765b5fc1e1c9a2d188d5387beea' AND file:hashes.SHA256 = '97b5b4478d234632df4c65ec251051a6b032ce21e9e68495e31f077bf4074831' AND file:hashes.SSDEEP = '3072:STZt5j+T9LjP4JqIBhNV0St7TZEjOYI1TVmqG7rg:q5j+T9LjPPIBhN2Q7TZAfI1TVwg' AND file:size = '183296' AND file:x_misp_text = 'ALPC LPE exploit' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-06T17:35:24Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\"" ,
"veris:action:malware:variety=\"Exploit vuln\""
]
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}