misp-circl-feed/feeds/circl/stix-2.1/5a54ad87-3328-4dde-aa9f-4a7e950d210f.json

1146 lines
49 KiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5a54ad87-3328-4dde-aa9f-4a7e950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-12T03:00:24.000Z",
"modified": "2018-01-12T03:00:24.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5a54ad87-3328-4dde-aa9f-4a7e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-12T03:00:24.000Z",
"modified": "2018-01-12T03:00:24.000Z",
"name": "OSINT - MICROCIN MALWARE",
"published": "2018-02-16T08:46:21Z",
"object_refs": [
"observed-data--5a54adfd-02a8-4e79-96fa-4b61950d210f",
"url--5a54adfd-02a8-4e79-96fa-4b61950d210f",
"observed-data--5a54adfd-28c4-4050-9631-435a950d210f",
"url--5a54adfd-28c4-4050-9631-435a950d210f",
"indicator--5a571d5a-4528-4ebb-a311-099a950d210f",
"indicator--5a571d5a-b69c-4bc7-bbf3-099a950d210f",
"indicator--5a571d5a-dc2c-4cba-bb59-099a950d210f",
"indicator--5a571d5a-a0b8-4492-a896-099a950d210f",
"indicator--5a571d5a-3368-4bfd-85fa-099a950d210f",
"indicator--5a571d5a-e770-443e-8d1f-099a950d210f",
"indicator--5a571d5a-bea0-4630-807a-099a950d210f",
"indicator--5a571dad-c290-481e-8188-4a23950d210f",
"indicator--5a571dae-3804-47b1-91da-47a3950d210f",
"indicator--5a571dae-f3f8-4ca1-8b83-4ed4950d210f",
"indicator--5a571dae-a8a4-4182-8080-4027950d210f",
"indicator--5a571dae-1cdc-4b24-9c68-4592950d210f",
"indicator--5a571dae-a4c0-45e4-a33c-4d5c950d210f",
"indicator--5a571dae-ea7c-447f-b125-44de950d210f",
"indicator--5a571dae-8030-4e44-81b5-4c26950d210f",
"indicator--5a571dae-b950-4557-b466-4823950d210f",
"indicator--5a571dae-9e10-47b9-a693-438a950d210f",
"indicator--5a571dae-3e74-4e95-97eb-4cff950d210f",
"indicator--5a571dae-ded8-40c0-b51d-4ef1950d210f",
"indicator--5a571dae-1d70-440c-b888-4466950d210f",
"x-misp-attribute--5a571dce-ed9c-439a-bb6f-0ee0950d210f",
"indicator--5a571880-d098-4276-b23e-439a950d210f",
"indicator--0dae0b43-76e3-49a2-b984-c7cbd3ca6e02",
"x-misp-object--200574ab-5db2-4aef-a3a9-db2d4870285b",
"indicator--872eb001-bd68-4082-a707-f69e00ab1cfe",
"x-misp-object--f06f8919-d425-414c-94d9-6461c49c81b1",
"indicator--2c34de1e-5ccd-4750-b921-dbc1e57b4cb3",
"x-misp-object--c688bc3b-d1af-443c-8363-d44c27a98060",
"indicator--7613cc8b-ce21-4638-9ef6-3497d9415329",
"x-misp-object--67d648f6-ac84-40ae-9edf-90144cd3b7d3",
"indicator--9c677e93-f664-4a47-a479-c7807c12d2aa",
"x-misp-object--f12656a4-afc0-4caf-b4d0-00701f6754bc",
"indicator--f669bde1-8c02-4eca-953c-eba3dffcaf5a",
"x-misp-object--1ffb93b4-6850-494f-82bd-0b0b9a00c94d",
"x-misp-object--816abaaf-b4ea-468d-927d-b81c1ebe62b7",
"relationship--7a34710c-d8ac-4bcf-acc6-2af8d150642f",
"relationship--1e3a4a3a-bcb1-4d55-bad6-ce4f65c609a3",
"relationship--ec77b272-7eac-402e-9cf7-6d0611f79944",
"relationship--0b96a399-a2ed-47c2-9daf-462f7427fac3",
"relationship--3cf28762-0a32-41d4-b997-70a329e9a524",
"relationship--c4dedfaf-2665-494c-8259-d96cb6283d0f",
"relationship--6919f4e0-f30f-463b-85ad-6354fc8cc09c"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"circl:incident-classification=\"malware\"",
"osint:source-type=\"blog-post\"",
"osint:source-type=\"technical-report\"",
"misp-galaxy:threat-actor=\"Microcin\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a54adfd-02a8-4e79-96fa-4b61950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T13:30:38.000Z",
"modified": "2018-01-11T13:30:38.000Z",
"first_observed": "2018-01-11T13:30:38Z",
"last_observed": "2018-01-11T13:30:38Z",
"number_observed": 1,
"object_refs": [
"url--5a54adfd-02a8-4e79-96fa-4b61950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"technical-report\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a54adfd-02a8-4e79-96fa-4b61950d210f",
"value": "https://cdn.securelist.com/files/2017/09/Microcin_Technical_4PDF_eng_final_s.pdf"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a54adfd-28c4-4050-9631-435a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T13:30:38.000Z",
"modified": "2018-01-11T13:30:38.000Z",
"first_observed": "2018-01-11T13:30:38Z",
"last_observed": "2018-01-11T13:30:38Z",
"number_observed": 1,
"object_refs": [
"url--5a54adfd-28c4-4050-9631-435a950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a54adfd-28c4-4050-9631-435a950d210f",
"value": "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a571d5a-4528-4ebb-a311-099a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T08:16:26.000Z",
"modified": "2018-01-11T08:16:26.000Z",
"description": "malicious documents",
"pattern": "[file:hashes.MD5 = '371bae0fc70563c7fa1ec0e3a0f037f4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T08:16:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a571d5a-b69c-4bc7-bbf3-099a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T08:16:26.000Z",
"modified": "2018-01-11T08:16:26.000Z",
"description": "malicious documents",
"pattern": "[file:hashes.MD5 = 'f4deeb3db67bae6cc224802fbad1f3f6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T08:16:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a571d5a-dc2c-4cba-bb59-099a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T08:16:26.000Z",
"modified": "2018-01-11T08:16:26.000Z",
"description": "malicious documents",
"pattern": "[file:hashes.MD5 = '3f288e450a375a26bd9c4de7f2bcfd66']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T08:16:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a571d5a-a0b8-4492-a896-099a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T08:16:26.000Z",
"modified": "2018-01-11T08:16:26.000Z",
"description": "malicious documents",
"pattern": "[file:hashes.MD5 = '7bcf447a93fd37d068ec27dd04c301cb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T08:16:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a571d5a-3368-4bfd-85fa-099a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T08:16:26.000Z",
"modified": "2018-01-11T08:16:26.000Z",
"description": "malicious documents",
"pattern": "[file:hashes.MD5 = '873105f03ae425101ea206dcd6bc539f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T08:16:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a571d5a-e770-443e-8d1f-099a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T08:16:26.000Z",
"modified": "2018-01-11T08:16:26.000Z",
"description": "malicious documents",
"pattern": "[file:hashes.MD5 = 'ab6544e1eba3af3f5236d99b755c701c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T08:16:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a571d5a-bea0-4630-807a-099a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T08:16:26.000Z",
"modified": "2018-01-11T08:16:26.000Z",
"description": "malicious documents",
"pattern": "[file:hashes.MD5 = '6e006124678ffc18458d1322de6232a7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T08:16:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a571dad-c290-481e-8188-4a23950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T08:17:49.000Z",
"modified": "2018-01-11T08:17:49.000Z",
"description": "backdoors",
"pattern": "[file:hashes.MD5 = '056f811ef41c213b037008300b0daf0d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T08:17:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a571dae-3804-47b1-91da-47a3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T08:17:50.000Z",
"modified": "2018-01-11T08:17:50.000Z",
"description": "backdoors",
"pattern": "[file:hashes.MD5 = '3ebcacb207b33bd5376d00b24cb3386c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T08:17:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a571dae-f3f8-4ca1-8b83-4ed4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T08:17:50.000Z",
"modified": "2018-01-11T08:17:50.000Z",
"description": "backdoors",
"pattern": "[file:hashes.MD5 = '4644ce606ab4b62622e4a9e6a80d792d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T08:17:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a571dae-a8a4-4182-8080-4027950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T08:17:50.000Z",
"modified": "2018-01-11T08:17:50.000Z",
"description": "backdoors",
"pattern": "[file:hashes.MD5 = '4ba4346984a380e22afaccff78688a54']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T08:17:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a571dae-1cdc-4b24-9c68-4592950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T08:17:50.000Z",
"modified": "2018-01-11T08:17:50.000Z",
"description": "backdoors",
"pattern": "[file:hashes.MD5 = '60cb9e553884085700e359e5367d5fb4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T08:17:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a571dae-a4c0-45e4-a33c-4d5c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T08:17:50.000Z",
"modified": "2018-01-11T08:17:50.000Z",
"description": "backdoors",
"pattern": "[file:hashes.MD5 = '7771e1738fc2e4de210ac06a5e62c534']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T08:17:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a571dae-ea7c-447f-b125-44de950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T08:17:50.000Z",
"modified": "2018-01-11T08:17:50.000Z",
"description": "backdoors",
"pattern": "[file:hashes.MD5 = '7a290a29ea0d84e4475e021fa87ec466']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T08:17:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a571dae-8030-4e44-81b5-4c26950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T08:17:50.000Z",
"modified": "2018-01-11T08:17:50.000Z",
"description": "backdoors",
"pattern": "[file:hashes.MD5 = '7d8ee0e91cd88bb36d84d52d1d796dea']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T08:17:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a571dae-b950-4557-b466-4823950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T08:17:50.000Z",
"modified": "2018-01-11T08:17:50.000Z",
"description": "backdoors",
"pattern": "[file:hashes.MD5 = 'a54966098b2281e4b75b747dbb52f431']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T08:17:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a571dae-9e10-47b9-a693-438a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T08:17:50.000Z",
"modified": "2018-01-11T08:17:50.000Z",
"description": "backdoors",
"pattern": "[file:hashes.MD5 = 'a5c7b7a26fa0f15cbf7bdd3db597fbe6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T08:17:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a571dae-3e74-4e95-97eb-4cff950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T08:17:50.000Z",
"modified": "2018-01-11T08:17:50.000Z",
"description": "backdoors",
"pattern": "[file:hashes.MD5 = 'dc6c8bae242c43dad76970329270155e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T08:17:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a571dae-ded8-40c0-b51d-4ef1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T08:17:50.000Z",
"modified": "2018-01-11T08:17:50.000Z",
"description": "backdoors",
"pattern": "[file:hashes.MD5 = '335cb36cc21c47b849d370a892d759b8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T08:17:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a571dae-1d70-440c-b888-4466950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T08:17:50.000Z",
"modified": "2018-01-11T08:17:50.000Z",
"description": "backdoors",
"pattern": "[file:hashes.MD5 = '948fecf6a044b79de79dc69e09d9979b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T08:17:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5a571dce-ed9c-439a-bb6f-0ee0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T13:30:38.000Z",
"modified": "2018-01-11T13:30:38.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "We\u00e2\u20ac\u2122re already used to the fact that complex cyberattacks use 0-day vulnerabilities, bypassing digital signature checks, virtual file systems, non-standard encryption algorithms and other tricks. Sometimes, however, all of this may be done in much simpler ways, as was the case in the malicious campaign that we detected a while ago \u00e2\u20ac\u201c we named it \u00e2\u20ac\u02dcMicrocin\u00e2\u20ac\u2122 after microini, one of the malicious components used in it.\r\n\r\nWe detected a suspicious RTF file. The document contained an exploit to the previously known and patched vulnerability CVE-2015-1641; however, its code had been modified considerably. Remarkably, the malicious document was delivered via websites that targeted a very narrow audience, so we suspected early on that we were dealing with a targeted attack. The threat actors took aim at users visiting forums with discussions on the state-subsidized housing that Russian military personnel and their families are entitled to."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a571880-d098-4276-b23e-439a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T07:55:47.000Z",
"modified": "2018-01-11T07:55:47.000Z",
"pattern": "[file:hashes.MD5 = 'a50b6ec77276cf235eaf2d14665bdb5c' AND file:name = '\u00d0\u0161\u00d0\u00b0\u00d0\u00ba\u00d0\u0178\u00d1\u20ac\u00d0\u00b8\u00d0\u00bd\u00d0\u00b8\u00d0\u00bc\u00d0\u00b0\u00d1\u201a\u00d1\u0152\u00d0\u0161\u00d0\u00b2\u00d0\u00b0\u00d1\u20ac\u00d1\u201a\u00d0\u00b8\u00d1\u20ac\u00d1\u0192-1.rtf' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T07:55:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0dae0b43-76e3-49a2-b984-c7cbd3ca6e02",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T11:30:49.000Z",
"modified": "2018-01-11T11:30:49.000Z",
"pattern": "[file:hashes.MD5 = '873105f03ae425101ea206dcd6bc539f' AND file:hashes.SHA1 = 'bd10265d0be8839ed7dc0fb576fb8901c347729b' AND file:hashes.SHA256 = 'c950c3fa513a487acfe2f1809e8e25e39d407fdf51553f272af81d2368cbeb0c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T11:30:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--200574ab-5db2-4aef-a3a9-db2d4870285b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T11:30:46.000Z",
"modified": "2018-01-11T11:30:46.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/c950c3fa513a487acfe2f1809e8e25e39d407fdf51553f272af81d2368cbeb0c/analysis/1513681658/",
"category": "External analysis",
"comment": "malicious documents",
"uuid": "5a574ae6-cde4-4bb3-9721-4f2602de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "30/60",
"category": "Other",
"comment": "malicious documents",
"uuid": "5a574ae6-aea0-4b56-ab17-407602de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2017-12-19T11:07:38",
"category": "Other",
"comment": "malicious documents",
"uuid": "5a574ae6-b690-4d21-b83f-43b202de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--872eb001-bd68-4082-a707-f69e00ab1cfe",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T11:30:49.000Z",
"modified": "2018-01-11T11:30:49.000Z",
"pattern": "[file:hashes.MD5 = '335cb36cc21c47b849d370a892d759b8' AND file:hashes.SHA1 = '150b8350ec483781d8d7a0643e6462c7a6e4d2a0' AND file:hashes.SHA256 = 'cbd43e70dc55e94140099722d7b91b07a3997722d4a539ecc4015f37ea14a26e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T11:30:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--f06f8919-d425-414c-94d9-6461c49c81b1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T11:30:46.000Z",
"modified": "2018-01-11T11:30:46.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/cbd43e70dc55e94140099722d7b91b07a3997722d4a539ecc4015f37ea14a26e/analysis/1510610117/",
"category": "External analysis",
"comment": "backdoors",
"uuid": "5a574ae6-dacc-491e-9acf-4d9002de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "50/68",
"category": "Other",
"comment": "backdoors",
"uuid": "5a574ae6-3560-46cb-8a05-401e02de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2017-11-13T21:55:17",
"category": "Other",
"comment": "backdoors",
"uuid": "5a574ae6-7a5c-42bf-88e8-481302de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2c34de1e-5ccd-4750-b921-dbc1e57b4cb3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T11:30:49.000Z",
"modified": "2018-01-11T11:30:49.000Z",
"pattern": "[file:hashes.MD5 = '7d8ee0e91cd88bb36d84d52d1d796dea' AND file:hashes.SHA1 = 'a0f68ae3f0263b5443b133b07701174947fa6105' AND file:hashes.SHA256 = '8a7d04229722539f2480270851184d75b26c375a77b468d8cbad6dbdb0c99271']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T11:30:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--c688bc3b-d1af-443c-8363-d44c27a98060",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T11:30:46.000Z",
"modified": "2018-01-11T11:30:46.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/8a7d04229722539f2480270851184d75b26c375a77b468d8cbad6dbdb0c99271/analysis/1514186505/",
"category": "External analysis",
"comment": "backdoors",
"uuid": "5a574ae6-ec14-4891-8080-4da102de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "46/67",
"category": "Other",
"comment": "backdoors",
"uuid": "5a574ae6-0d04-4491-906c-48d402de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2017-12-25T07:21:45",
"category": "Other",
"comment": "backdoors",
"uuid": "5a574ae6-831c-4274-8dc7-424702de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7613cc8b-ce21-4638-9ef6-3497d9415329",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T11:30:49.000Z",
"modified": "2018-01-11T11:30:49.000Z",
"pattern": "[file:hashes.MD5 = 'a50b6ec77276cf235eaf2d14665bdb5c' AND file:hashes.SHA1 = '938c879b547ca71a332308f6d9c87252b9addc59' AND file:hashes.SHA256 = '66f0cbc0aa7e96bf937d5fb72374be454d1d6a6c85860df9d8ee8a26adc2a75e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T11:30:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--67d648f6-ac84-40ae-9edf-90144cd3b7d3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T11:30:47.000Z",
"modified": "2018-01-11T11:30:47.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/66f0cbc0aa7e96bf937d5fb72374be454d1d6a6c85860df9d8ee8a26adc2a75e/analysis/1513683573/",
"category": "External analysis",
"uuid": "5a574ae7-62ec-42c6-8cfe-4d4302de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "30/60",
"category": "Other",
"uuid": "5a574ae7-8120-474c-a223-45b502de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2017-12-19T11:39:33",
"category": "Other",
"uuid": "5a574ae7-ba08-4b5a-abb8-47ad02de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9c677e93-f664-4a47-a479-c7807c12d2aa",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T11:30:50.000Z",
"modified": "2018-01-11T11:30:50.000Z",
"pattern": "[file:hashes.MD5 = '948fecf6a044b79de79dc69e09d9979b' AND file:hashes.SHA1 = 'f7b8ef6431039ae12d4e7b1b997c1cc56e062611' AND file:hashes.SHA256 = '871ab24fd6ae15783dd9df5010d794b6121c4316b11f30a55f23ba37eef4b87a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T11:30:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--f12656a4-afc0-4caf-b4d0-00701f6754bc",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T11:30:47.000Z",
"modified": "2018-01-11T11:30:47.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/871ab24fd6ae15783dd9df5010d794b6121c4316b11f30a55f23ba37eef4b87a/analysis/1510036080/",
"category": "External analysis",
"comment": "backdoors",
"uuid": "5a574ae7-7408-4685-9c0e-472202de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "48/67",
"category": "Other",
"comment": "backdoors",
"uuid": "5a574ae7-5c38-403b-8e2e-477902de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2017-11-07T06:28:00",
"category": "Other",
"comment": "backdoors",
"uuid": "5a574ae7-f7b0-4743-a008-42ac02de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f669bde1-8c02-4eca-953c-eba3dffcaf5a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T11:30:50.000Z",
"modified": "2018-01-11T11:30:50.000Z",
"pattern": "[file:hashes.MD5 = '3ebcacb207b33bd5376d00b24cb3386c' AND file:hashes.SHA1 = 'c4dfcaac739910a4c1c7171ed9902b2c7bb36b0b' AND file:hashes.SHA256 = '9dd9bb13c2698159eb78a0ecb4e8692fd96ca4ecb50eef194fa7479cb65efb7c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-11T11:30:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--1ffb93b4-6850-494f-82bd-0b0b9a00c94d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T11:30:47.000Z",
"modified": "2018-01-11T11:30:47.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/9dd9bb13c2698159eb78a0ecb4e8692fd96ca4ecb50eef194fa7479cb65efb7c/analysis/1511174150/",
"category": "External analysis",
"comment": "backdoors",
"uuid": "5a574ae7-0008-4f5f-b89f-4b9002de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "37/67",
"category": "Other",
"comment": "backdoors",
"uuid": "5a574ae7-0bc0-4893-8517-4ff402de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2017-11-20T10:35:50",
"category": "Other",
"comment": "backdoors",
"uuid": "5a574ae7-4020-4d97-abe2-456c02de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--816abaaf-b4ea-468d-927d-b81c1ebe62b7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-11T13:30:38.000Z",
"modified": "2018-01-11T13:30:38.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/66f0cbc0aa7e96bf937d5fb72374be454d1d6a6c85860df9d8ee8a26adc2a75e/analysis/1513683573/",
"category": "External analysis",
"uuid": "5a5766fe-7e0c-4c7c-802d-424102de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "30/60",
"category": "Other",
"uuid": "5a5766fe-e0b8-4fb4-9625-438a02de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2017-12-19T11:39:33",
"category": "Other",
"uuid": "5a5766fe-2d04-45ff-a0b6-431302de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7a34710c-d8ac-4bcf-acc6-2af8d150642f",
"created": "2018-02-16T08:46:20.000Z",
"modified": "2018-02-16T08:46:20.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--5a571880-d098-4276-b23e-439a950d210f",
"target_ref": "x-misp-object--816abaaf-b4ea-468d-927d-b81c1ebe62b7"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--1e3a4a3a-bcb1-4d55-bad6-ce4f65c609a3",
"created": "2018-02-16T08:46:20.000Z",
"modified": "2018-02-16T08:46:20.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--0dae0b43-76e3-49a2-b984-c7cbd3ca6e02",
"target_ref": "x-misp-object--200574ab-5db2-4aef-a3a9-db2d4870285b"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--ec77b272-7eac-402e-9cf7-6d0611f79944",
"created": "2018-02-16T08:46:20.000Z",
"modified": "2018-02-16T08:46:20.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--872eb001-bd68-4082-a707-f69e00ab1cfe",
"target_ref": "x-misp-object--f06f8919-d425-414c-94d9-6461c49c81b1"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--0b96a399-a2ed-47c2-9daf-462f7427fac3",
"created": "2018-02-16T08:46:21.000Z",
"modified": "2018-02-16T08:46:21.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--2c34de1e-5ccd-4750-b921-dbc1e57b4cb3",
"target_ref": "x-misp-object--c688bc3b-d1af-443c-8363-d44c27a98060"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--3cf28762-0a32-41d4-b997-70a329e9a524",
"created": "2018-02-16T08:46:21.000Z",
"modified": "2018-02-16T08:46:21.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--7613cc8b-ce21-4638-9ef6-3497d9415329",
"target_ref": "x-misp-object--67d648f6-ac84-40ae-9edf-90144cd3b7d3"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c4dedfaf-2665-494c-8259-d96cb6283d0f",
"created": "2018-02-16T08:46:21.000Z",
"modified": "2018-02-16T08:46:21.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--9c677e93-f664-4a47-a479-c7807c12d2aa",
"target_ref": "x-misp-object--f12656a4-afc0-4caf-b4d0-00701f6754bc"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--6919f4e0-f30f-463b-85ad-6354fc8cc09c",
"created": "2018-02-16T08:46:21.000Z",
"modified": "2018-02-16T08:46:21.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--f669bde1-8c02-4eca-953c-eba3dffcaf5a",
"target_ref": "x-misp-object--1ffb93b4-6850-494f-82bd-0b0b9a00c94d"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}