misp-circl-feed/feeds/circl/stix-2.1/5bb3b566-b054-436e-aabf-4bd902de0b81.json

832 lines
517 KiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5bb3b566-b054-436e-aabf-4bd902de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-03T11:23:20.000Z",
"modified": "2018-10-03T11:23:20.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5bb3b566-b054-436e-aabf-4bd902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-03T11:23:20.000Z",
"modified": "2018-10-03T11:23:20.000Z",
"name": "OSINT - CIG Circular 66 \u00e2\u20ac\u201c FASTCash ATM Cash Out Campaign",
"published": "2018-10-03T11:25:40Z",
"object_refs": [
"x-misp-attribute--5bb3b5f4-4388-4cd9-b681-4aa602de0b81",
"observed-data--5bb3b617-5ba0-4774-9507-43fd02de0b81",
"file--5bb3b617-5ba0-4774-9507-43fd02de0b81",
"artifact--5bb3b617-5ba0-4774-9507-43fd02de0b81",
"indicator--5bb3b786-b320-4be2-974a-4a7a02de0b81",
"indicator--5bb3b949-b1f4-415d-b4d3-4c1402de0b81",
"indicator--5bb3b949-a6bc-4572-9e21-486302de0b81",
"indicator--5bb3b94a-2574-4243-bf26-40f902de0b81",
"indicator--5bb3b67c-f634-4e0b-9364-48a202de0b81",
"indicator--5bb3b6b7-914c-4958-9c8b-4a0502de0b81",
"indicator--5bb3b727-276c-4fd5-a23f-436d02de0b81",
"indicator--5bb3b771-2540-4c8f-b659-4cfe02de0b81",
"indicator--5bb3b845-fac4-4dbf-8471-4a5e02de0b81",
"indicator--5bb3b879-d6e4-4962-a53c-457e02de0b81",
"indicator--5bb3b8a8-4274-400b-8c6b-4fb502de0b81",
"indicator--5bb3b8da-0df8-4186-aeaa-497602de0b81",
"indicator--5bb3b904-7f40-4c7d-bc43-494f02de0b81",
"indicator--5bb3b92b-6c04-4ccd-ae7e-48e502de0b81",
"indicator--dc4223ad-358d-4e78-adc2-5a96853cc541",
"x-misp-object--dee7180d-629e-45d4-a5ac-7662d0324e21",
"indicator--96b33272-dac7-42f2-8ea4-4c699d8361a3",
"x-misp-object--98df9145-7b26-40e6-b7d7-f0352dd331e5",
"indicator--ce96db4c-7e5a-4b24-afec-83f8428772a5",
"x-misp-object--ad0d0fc0-5058-4ba7-9138-5128409e0e0d",
"indicator--10851b56-6ec9-4eef-825e-543c2bdc30c8",
"x-misp-object--e756ef0d-4237-40bf-912d-765fdde949c2",
"indicator--413d8d43-fceb-4e3a-b94c-711ae4a2baaf",
"x-misp-object--d31ed776-eddf-4bfa-93c3-3fe3531239ef",
"relationship--8474a569-72d2-4219-9c12-f961d8dab17b",
"relationship--c0b08d1c-66b1-4167-9705-7494a7a30212",
"relationship--dfbe6a9b-e3d5-4c31-a41f-d01d1ae7e466",
"relationship--cacca2bb-434c-4127-a570-c675a063dd71",
"relationship--e612db8d-9f95-414b-abaf-d563e2b80568",
"relationship--c7d6114b-1aa9-4022-b254-1ec7f159baf1",
"relationship--a38ef681-611e-456a-b0ac-3ed751da64fb"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"circl:topic=\"finance\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5bb3b5f4-4388-4cd9-b681-4aa602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:16:20.000Z",
"modified": "2018-10-02T18:16:20.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs to steal cash equivalent to tens of millions of dollars"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5bb3b617-5ba0-4774-9507-43fd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:16:55.000Z",
"modified": "2018-10-02T18:16:55.000Z",
"first_observed": "2018-10-02T18:16:55Z",
"last_observed": "2018-10-02T18:16:55Z",
"number_observed": 1,
"object_refs": [
"file--5bb3b617-5ba0-4774-9507-43fd02de0b81",
"artifact--5bb3b617-5ba0-4774-9507-43fd02de0b81"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5bb3b617-5ba0-4774-9507-43fd02de0b81",
"name": "CIG Circular 66 - FASTCash Campaign.pdf",
"content_ref": "artifact--5bb3b617-5ba0-4774-9507-43fd02de0b81"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5bb3b617-5ba0-4774-9507-43fd02de0b81",
"payload_bin": "JVBERi0xLjUNJeLjz9MNCjUzNSAwIG9iag08PC9MaW5lYXJpemVkIDEvTCAzNjA0ODkvTyA1MzcvRSAxNzYyNjYvTiAxMS9UIDM2MDAzNC9IIFsgNTI3IDM3NF0+Pg1lbmRvYmoNICAgICAgICAgICAgDQo1NTkgMCBvYmoNPDwvRGVjb2RlUGFybXM8PC9Db2x1bW5zIDUvUHJlZGljdG9yIDEyPj4vRmlsdGVyL0ZsYXRlRGVjb2RlL0lEWzxENjYxMDdBNzczQjVEMTQ0ODIyNkUyMDMyOUEwNTkzND48NTk0OEIzRTdEMTk3RDc0NTg5RTEyNzVCNDE3RjE2RTM+XS9JbmRleFs1MzUgNDddL0luZm8gNTM0IDAgUi9MZW5ndGggMTE2L1ByZXYgMzYwMDM1L1Jvb3QgNTM2IDAgUi9TaXplIDU4Mi9UeXBlL1hSZWYvV1sxIDMgMV0+PnN0cmVhbQ0KaN5iYmRgEGBgYmBgLgWRjDPA5BwQybERRDLJg2UrQCRLHJj8Cya1wCp1wWxWMPkUrF4GzL4NJjNAJCvYBEZlEMkVBSIZQkEk/2sQmdoAJBmrtoDZJ4Dk/5wFDEyMDEzLwCoZGAeA/M/A8PUNQIABAEwmEnENCmVuZHN0cmVhbQ1lbmRvYmoNc3RhcnR4cmVmDQowDQolJUVPRg0KICAgICAgICAgDQo1ODEgMCBvYmoNPDwvQyAzMDkvRmlsdGVyL0ZsYXRlRGVjb2RlL0kgMzMzL0xlbmd0aCAyODUvUyAyMjc+PnN0cmVhbQ0KaN5iYGBgAqLlDKwMDMKMDEIMCCDEwAIUZWHgWODG0KDAwbQsmsHna/Yd1nrG50BZfgNGPWZ9h78fZDhO15y8eb0Bpq2jwno+x6lEgTs/fZTk9MqdjOY2KT56VfzUOgDIfel3UOBj8c4PPcsT5jiXKGu2PJITeX7IaC6T4s5PM1xsLD/NYGCO6OjoYGCQ6OhoYAYyWFzBXDYwydHRwMBoAWYCpRkYNEBMkCAQ43QekCfLwMrCC6TFgFgS7MpQBkGGxY3XGSwdlAwUPPgWsK9iuMF4g+EJg8UDiwSFGfwajHO4gEHCvLSnNX3qZ+05uS29lxh3MinCvKnAwBr4EUgD1Uh/ZQAFIusBByCtzsBamwmkGYH4F0CAAQDaG1ztDQplbmRzdHJlYW0NZW5kb2JqDTUzNiAwIG9iag08PC9MYW5nKP7/AEUATgAtAFUAUykvTWFya0luZm88PC9NYXJrZWQgdHJ1ZT4+L01ldGFkYXRhIDM3IDAgUi9QYWdlTGF5b3V0L09uZUNvbHVtbi9QYWdlcyA1MzEgMCBSL1N0cnVjdFRyZWVSb290IDc1IDAgUi9UeXBlL0NhdGFsb2c+Pg1lbmRvYmoNNTM3IDAgb2JqDTw8L0Fubm90cyA1NjAgMCBSL0NvbnRlbnRzWzU0MSAwIFIgNTQyIDAgUiA1NDMgMCBSIDU0NSAwIFIgNTQ2IDAgUiA1NDggMCBSIDU0OSAwIFIgNTUwIDAgUl0vQ3JvcEJveFswLjAgMC4wIDYxMi4wIDc5Mi4wXS9NZWRpYUJveFswLjAgMC4wIDYxMi4wIDc5Mi4wXS9QYXJlbnQgNTMyIDAgUi9SZXNvdXJjZXM8PC9Db2xvclNwYWNlPDwvQ1MwIDU2MiAwIFIvQ1MxIDU2MyAwIFI+Pi9FeHRHU3RhdGU8PC9HUzAgNTY0IDAgUj4+L0ZvbnQ8PC9DMl8wIDU2OSAwIFIvVFQwIDU3MSAwIFIvVFQxIDU3MyAwIFIvVFQyIDU3NSAwIFIvVFQzIDU3NyAwIFIvVFQ0IDU3OSAwIFI+Pi9YT2JqZWN0PDwvSW0wIDU1OCAwIFI+Pj4+L1JvdGF0ZSAwL1N0cnVjdFBhcmVudHMgMC9UYWJzL1MvVHlwZS9QYWdlPj4NZW5kb2JqDTUzOCAwIG9iag08PC9GaWx0ZXIvRmxhdGVEZWNvZGUvRmlyc3QgMTc0L0xlbmd0aCAxODcwL04gMjEvVHlwZS9PYmpTdG0+PnN0cmVhbQ0KaN7EWG1PGzkQ/iv+WFTB+t27pypSEkobqRRK4Lg7xIeFbGHVkKBke5R/fzPjl+yGBFqku1M0sdcez4w945ln11jOODNWsAL+JRPaQKuYsBpazUSuoDVMOpy3TCkBrWPGIV/OnMTngjkFUhxnOa53ggmegwAHAo3CDkh0Flk0k4W0tF4JA0IdCHUCpxxThcCpnBnusAPTSsBTDtO51OwCDeXs5PLdu6xPw/CQDcbwOIbf6eN9lQ3mi0m1yM4Z7/XCwwXy8cvsYzbKTqrr5gKs21OwK23yPSMEk7nak1wz7cReoYrLbNwsvl83x+WimjVMZOPvVw3K/lTPvnkt/dls3vR6F9loOByUy2rCjPGmdYZksnY0Zl/L6RLsO8w+zxd35TQb9pnY49nRcZg5Oj5EXX0GyqtsfFguvwHrrPIa3/9oPoybsqmy65LWze/9ul4P5B/hPuvZzZvRBEyum8cd2OlNvWwWj2/6k/lVtQObuL+fVne4I05r+str2h7nJhuO9sdVAxYrOtJhef+xqm9uG+Y4z/Yrz7krJc8OpuXNkunsYD5rBoP5DzhcHGdCCEWyLmnqoLyrp49vxo93V/Ppjh+qp5UEFZpU4Mjn8q7KzgeDwdmXt57z8JQm4Pyr5vo2nhQOnXt7NNgzasppfd2f3UwrxsFX1d3vzBl/TMiK9i7q+2a+yP4I2zDc7xkdgyxPtOIBPC5B1Gj2dU4hT+cw2j+dfxjtH5b3WTzZbP8c98nXVNH1wDUxWGAtcqBVcmVbdn4hJL/Qll9eQvzgXQohstU0f/yTEk4Qppd071DR+9n1fAI+T5btfkzKUR/PTudnsxqYKma0P/VkRzcCVNFyuVVy5XLFbXA5jCaf7xpR0BwTUnMS0HH7EBx0tai7fjddv48PhqMvf74NrLuD+XTygu/dFt+DDc86XzvZdf4m1ek0z+tZf7as0/NBvVg2w9tyEU+g7XPnU9CnMrAIKVc+gGtMZrXcoIquG0DbpLldXkiJwbPpJw16W1Kc+B8kx/QfW+m66y24BpOlkQX4kzOd55DtsO+ARJKnpWI5JGWLc5hzlaR6oODQgAoDM1ABCqgPKNGgxHULdQEZHuRqTNXQGq4gt1uQ4MelRts0ZGvs5ZAmiEsFbiAFsaGKgintn1G304YsRimqcJfdgNW8HbC2E7AuBqxuByxcGpxjkOctCegE7Gl9Vy3Z5+qBnczvytnOKkxpBiZo/Hj86gSV8+djVOfdGH2q9yci9GlScrIboNKYDQG6Ho4OavD/SdJwgBoQgByxACfK4RnnRO7nkGgOYErkx1a61ZqXCHmJP8AdJA2psgBY46SEyHJE1AegYIylPhLZkBdpLg99pMiHa7GP83GuAPmxj+NkN9hA+wUohXZRH/iw327Tntu2h77bsO9oY/tMyL7QR5l0Mbm/oEaDPSasDWca+bDmdQT7AWPpAXePK2hHZrU67oSsD5JpIU4U6EpciK7FIzVeFfZlS33HZS0LEFJi5othEMfIZBzTIBt5Az+CTW1UMozGRTgWsyLdctE64UYpLGCjbUoyA21bT8dvt8vHA02u2UCoe9N4DId2WGwlXbx0NdbyrbTbAYLbCBCgCFC+DQBB2pcBgu0ChI9nn87GZ7FK/0tp17pu2l1T+kpUoNdQgeHPogLNn0MFmosVGoDEpLC+chXQAUa3hRZuT24JDfwMSSiHknAkVXCo9zlWcXzjwnQD8WuFaaEGiHGpvBZAfogBNFAOddtCOYUCzIwgVKKVr9o53BAt6V0xL2Bc+DGddCJuwL5GndIQEqEWRhU3+C5GzxIQjATYpI3vu8LzG+lCC9gB73mBd9A/a7DTof2YfPC+F2YLuuJbURcnPINElj6HP5ywrfsgzab7YOGNAucwf/Gn+KO/qMtpC3XQ8+uxRv78y5AoukEftb0OYdhXIQzTTbn/NcU0idCTUi5QTO2iaKVzGDO5ThU6pdew5iVK/Pg9JJJBBArx2YYXCW4gVMByjjUw5PEII/J
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bb3b786-b320-4be2-974a-4a7a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:23:02.000Z",
"modified": "2018-10-02T18:23:02.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '75.99.63.27']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-10-02T18:23:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bb3b949-b1f4-415d-b4d3-4c1402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:30:33.000Z",
"modified": "2018-10-02T18:30:33.000Z",
"description": "In addition to the analysis of the artifacts above, t he below IP addresses may be associated with the FASTCash Camp aign . 3 Mail servers in the compromised network made reverse proxy connections to these IPs but we do not have specific date and time stamps or other information to associate them with malicious activity :",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '167.114.33.205']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-10-02T18:30:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bb3b949-a6bc-4572-9e21-486302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:30:33.000Z",
"modified": "2018-10-02T18:30:33.000Z",
"description": "In addition to the analysis of the artifacts above, t he below IP addresses may be associated with the FASTCash Camp aign . 3 Mail servers in the compromised network made reverse proxy connections to these IPs but we do not have specific date and time stamps or other information to associate them with malicious activity :",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '180.235.133.108']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-10-02T18:30:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bb3b94a-2574-4243-bf26-40f902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:30:34.000Z",
"modified": "2018-10-02T18:30:34.000Z",
"description": "In addition to the analysis of the artifacts above, t he below IP addresses may be associated with the FASTCash Camp aign . 3 Mail servers in the compromised network made reverse proxy connections to these IPs but we do not have specific date and time stamps or other information to associate them with malicious activity :",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '219.255.99.9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-10-02T18:30:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bb3b67c-f634-4e0b-9364-48a202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:21:50.000Z",
"modified": "2018-10-02T18:21:50.000Z",
"description": "Themida\r\npacked 32\r\n-\r\nbit Windows executable designed to unpack itself and run a service \r\nproxy module in memory. The proxy module accepts command line parameters and is \r\ndesigned to modify the Windows Firewall on the compromised system to allow \r\nincoming connections an\r\nd function as a backdoor. The malware listens on a specified \r\nport for incoming traffic containing instructions to perform any of the following \r\nfunctions: r\r\netrieve system information; \r\nexecute command\r\ns; execute \r\nand terminate \r\nprocess\r\nes; \r\nsearch for files\r\n; read, write, and delete files\r\n; download and upload files\r\n; and, \r\ncompress and decompress files\r\n. ",
"pattern": "[file:hashes.MD5 = '5cfa1c2cb430bec721063e3e2d144feb' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-10-02T18:21:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bb3b6b7-914c-4958-9c8b-4a0502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:19:35.000Z",
"modified": "2018-10-02T18:19:35.000Z",
"description": "Themida packed 64\r\n-\r\nbit Windows executable with the same functionality as \r\n5cfa1c2cb430bec721063e3e2d144feb\r\n and is signed with a valid X509 certificate issues \r\nto \u00e2\u20ac\u0153A\r\n-Z Hire Ltd\u00e2\u20ac\u009d with serial number:",
"pattern": "[file:hashes.MD5 = '4f67f3e4a7509af1b2b1c6180a03b3e4' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-10-02T18:19:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bb3b727-276c-4fd5-a23f-436d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:21:27.000Z",
"modified": "2018-10-02T18:21:27.000Z",
"pattern": "[x509-certificate:hashes.MD5 = 'ecafe723703614e0a4fb5c2a8f7da018']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-10-02T18:21:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"x509\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bb3b771-2540-4c8f-b659-4cfe02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:23:38.000Z",
"modified": "2018-10-02T18:23:38.000Z",
"description": "32\r\n-\r\nbit Windows \r\nexecutable designed to execute as a service named \u00e2\u20ac\u0153helpsvcs\u00e2\u20ac\u009d. The \r\nmalware binds and listens on port 443 for incoming connections, providing remote \r\ncommand and control capabilities through this connection. The malware uses the RC4 \r\nencryption algorithm to en\r\ncrypt and decrypt a portion of its communications and has \r\nthe ability to exfiltrate data, install and run secondary payloads, and provided proxy \r\nservices on the compromised system. This malware can perform the following \r\nfunctions based on specified command\r\ns from a remote operator: retrieve system \r\ninformation\r\n; execute command\r\ns; execute \r\nand terminate process\r\nes; \r\nsearch for files\r\n; \r\nread, write, and delete files\r\n; download and upload files\r\n; compress and decompress \r\nfiles\r\n; and, change the listening port for Remove Desktop via registry modification.",
"pattern": "[file:hashes.MD5 = 'd0a8e0b685c2ea775a74389973fc92ca' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-10-02T18:23:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bb3b845-fac4-4dbf-8471-4a5e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:26:13.000Z",
"modified": "2018-10-02T18:26:13.000Z",
"description": "Malicious 64\r\n-\r\nbit Windows Dynamic Link Library designed to runs as a Windows services \r\nunder \u00e2\u20ac\u0153svchost.exe\u00e2\u20ac\u009d and load an RC4 decrypted payload into memory. ",
"pattern": "[file:hashes.MD5 = '8efaabb7b1700686efedadb7949eba49' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-10-02T18:26:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bb3b879-d6e4-4962-a53c-457e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:27:05.000Z",
"modified": "2018-10-02T18:27:05.000Z",
"description": "AIX\r\nexecutable intended for a proprietary UNIX operating system developed by IBM. \r\nThis\r\n application injects a library into a currently running process. ",
"pattern": "[file:hashes.MD5 = 'b3efec620885e6cf5b60f72e66d908a9' AND file:name = 'Injection_API_executable_e' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-10-02T18:27:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bb3b8a8-4274-400b-8c6b-4fb502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:27:52.000Z",
"modified": "2018-10-02T18:27:52.000Z",
"description": "AIX executable, intended for a proprietary UNIX operating system developed by IBM\r\nand is designed to update a proprietary data structure on a\r\n UNIX system known as \r\n\"PVPA.\"",
"pattern": "[file:hashes.MD5 = '58bb2236e5aee39760d3e4fc6ee94a79' AND file:name = 'inject_api' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-10-02T18:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bb3b8da-0df8-4186-aeaa-497602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:28:42.000Z",
"modified": "2018-10-02T18:28:42.000Z",
"description": "AIX executable, intended for a proprietary UNIX operating system developed by IBM. \r\nThis file is a library application \r\ndesigned to provide export functions. These functions \r\nallow an application to perform transactions on financial systems using the\r\n ISO\r\n 8583 \r\nstandard.",
"pattern": "[file:hashes.MD5 = 'd790997dd950bb39229dc5bd3c2047ff' AND file:name = 'Lost_File1_so_file' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-10-02T18:28:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bb3b904-7f40-4c7d-bc43-494f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:29:24.000Z",
"modified": "2018-10-02T18:29:24.000Z",
"description": "AIX executable, intended for a proprietary UNIX operating system developed by IBM. \r\nThe application provides several\r\n exported \r\nmethods permitting the interaction with \r\nfinancial systems that utilize the ISO\r\n 8583 standard.",
"pattern": "[file:hashes.MD5 = 'b66be2f7c046205b01453951c161e6cc' AND file:name = '2.so' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-10-02T18:29:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bb3b92b-6c04-4ccd-ae7e-48e502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:30:03.000Z",
"modified": "2018-10-02T18:30:03.000Z",
"description": "COFF executable, a format for executable, object code, and shared libraries used on\r\nUNIX\r\n systems. The executable provides several exported methods that enable \r\ninteractions with financial systems utilizing the ISO \r\n8583 \r\nstandard.",
"pattern": "[file:hashes.MD5 = '46b318bbb72ee68c9d9183d78e79fb5a' AND file:name = 'Lost_File.so' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-10-02T18:30:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--dc4223ad-358d-4e78-adc2-5a96853cc541",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:32:05.000Z",
"modified": "2018-10-02T18:32:05.000Z",
"pattern": "[file:hashes.MD5 = 'b66be2f7c046205b01453951c161e6cc' AND file:hashes.SHA1 = 'ec5784548ffb33055d224c184ab2393f47566c7a' AND file:hashes.SHA256 = 'ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-10-02T18:32:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--dee7180d-629e-45d4-a5ac-7662d0324e21",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:32:03.000Z",
"modified": "2018-10-02T18:32:03.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2017-11-15T12:57:52",
"category": "Other",
"uuid": "97fe9519-6d0d-4b4e-9711-2a1d84060aef"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c/analysis/1510750672/",
"category": "External analysis",
"uuid": "33b603b2-e14e-4f14-975e-5c0cad9d3597"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "0/59",
"category": "Other",
"uuid": "aef16d9b-5ae9-467f-9a8d-2d746fd44b72"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--96b33272-dac7-42f2-8ea4-4c699d8361a3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:32:07.000Z",
"modified": "2018-10-02T18:32:07.000Z",
"pattern": "[file:hashes.MD5 = '46b318bbb72ee68c9d9183d78e79fb5a' AND file:hashes.SHA1 = '5375ad3746ce42a6f262f55c4f1f0d273fb69c54' AND file:hashes.SHA256 = '10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-10-02T18:32:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--98df9145-7b26-40e6-b7d7-f0352dd331e5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:32:06.000Z",
"modified": "2018-10-02T18:32:06.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-10-01T18:10:22",
"category": "Other",
"uuid": "c46d73ba-b8b1-48a2-84cc-5b31bb2ae61f"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba/analysis/1538417422/",
"category": "External analysis",
"uuid": "78d2846f-b7b8-4cb7-883c-eb8c6cbbd6e2"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "0/58",
"category": "Other",
"uuid": "f81acdf2-8862-471a-86ad-96fedc156030"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ce96db4c-7e5a-4b24-afec-83f8428772a5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:32:10.000Z",
"modified": "2018-10-02T18:32:10.000Z",
"pattern": "[file:hashes.MD5 = '8efaabb7b1700686efedadb7949eba49' AND file:hashes.SHA1 = '7b17d63694eee51010bcad143bc72e355e17cb50' AND file:hashes.SHA256 = 'a9bc09a17d55fc790568ac864e3885434a43c33834551e027adb1896a463aafc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-10-02T18:32:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--ad0d0fc0-5058-4ba7-9138-5128409e0e0d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:32:08.000Z",
"modified": "2018-10-02T18:32:08.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-09-05T03:11:47",
"category": "Other",
"uuid": "2bf73c7b-221d-4d4d-97b8-6a9a884b33e6"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/a9bc09a17d55fc790568ac864e3885434a43c33834551e027adb1896a463aafc/analysis/1536117107/",
"category": "External analysis",
"uuid": "279cf9ad-5611-4cd0-8e89-c8871950c187"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "34/66",
"category": "Other",
"uuid": "5b2ebb6f-dd62-405f-b4d2-b3dfe7303c9f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--10851b56-6ec9-4eef-825e-543c2bdc30c8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:32:12.000Z",
"modified": "2018-10-02T18:32:12.000Z",
"pattern": "[file:hashes.MD5 = '5cfa1c2cb430bec721063e3e2d144feb' AND file:hashes.SHA1 = 'c1a9044f180dc7d0c87e256c4b9356463f2cb7c6' AND file:hashes.SHA256 = '820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-10-02T18:32:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--e756ef0d-4237-40bf-912d-765fdde949c2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:32:11.000Z",
"modified": "2018-10-02T18:32:11.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-09-28T04:05:30",
"category": "Other",
"uuid": "8b285a5a-1f7a-4592-9f4c-fe81f31b0138"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6/analysis/1538107530/",
"category": "External analysis",
"uuid": "a5725421-131c-4e35-9a87-6b654c71a416"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "41/69",
"category": "Other",
"uuid": "9d7ecb97-c890-40c8-89e3-00baf51a40b8"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--413d8d43-fceb-4e3a-b94c-711ae4a2baaf",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:32:15.000Z",
"modified": "2018-10-02T18:32:15.000Z",
"pattern": "[file:hashes.MD5 = '4f67f3e4a7509af1b2b1c6180a03b3e4' AND file:hashes.SHA1 = '1c9a437ed876a0ce0e5374bd93acdfd9e9023f1f' AND file:hashes.SHA256 = '4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-10-02T18:32:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--d31ed776-eddf-4bfa-93c3-3fe3531239ef",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-02T18:32:13.000Z",
"modified": "2018-10-02T18:32:13.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-09-28T04:06:38",
"category": "Other",
"uuid": "538d9de4-f10c-4b3f-b314-091a78c1aef0"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756/analysis/1538107598/",
"category": "External analysis",
"uuid": "a0497fc0-f81d-4369-a48b-eed85e2b8721"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "36/69",
"category": "Other",
"uuid": "ba794a1f-cdc7-43c8-ae9f-56704a3e61b7"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--8474a569-72d2-4219-9c12-f961d8dab17b",
"created": "2018-10-02T18:21:46.000Z",
"modified": "2018-10-02T18:21:46.000Z",
"relationship_type": "signed-by",
"source_ref": "indicator--5bb3b67c-f634-4e0b-9364-48a202de0b81",
"target_ref": "indicator--5bb3b727-276c-4fd5-a23f-436d02de0b81"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c0b08d1c-66b1-4167-9705-7494a7a30212",
"created": "2018-10-02T18:23:35.000Z",
"modified": "2018-10-02T18:23:35.000Z",
"relationship_type": "connected-to",
"source_ref": "indicator--5bb3b771-2540-4c8f-b659-4cfe02de0b81",
"target_ref": "indicator--5bb3b786-b320-4be2-974a-4a7a02de0b81"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--dfbe6a9b-e3d5-4c31-a41f-d01d1ae7e466",
"created": "2018-10-02T18:32:14.000Z",
"modified": "2018-10-02T18:32:14.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--dc4223ad-358d-4e78-adc2-5a96853cc541",
"target_ref": "x-misp-object--dee7180d-629e-45d4-a5ac-7662d0324e21"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--cacca2bb-434c-4127-a570-c675a063dd71",
"created": "2018-10-02T18:32:15.000Z",
"modified": "2018-10-02T18:32:15.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--96b33272-dac7-42f2-8ea4-4c699d8361a3",
"target_ref": "x-misp-object--98df9145-7b26-40e6-b7d7-f0352dd331e5"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--e612db8d-9f95-414b-abaf-d563e2b80568",
"created": "2018-10-02T18:32:15.000Z",
"modified": "2018-10-02T18:32:15.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--ce96db4c-7e5a-4b24-afec-83f8428772a5",
"target_ref": "x-misp-object--ad0d0fc0-5058-4ba7-9138-5128409e0e0d"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c7d6114b-1aa9-4022-b254-1ec7f159baf1",
"created": "2018-10-02T18:32:15.000Z",
"modified": "2018-10-02T18:32:15.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--10851b56-6ec9-4eef-825e-543c2bdc30c8",
"target_ref": "x-misp-object--e756ef0d-4237-40bf-912d-765fdde949c2"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--a38ef681-611e-456a-b0ac-3ed751da64fb",
"created": "2018-10-02T18:32:15.000Z",
"modified": "2018-10-02T18:32:15.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--413d8d43-fceb-4e3a-b94c-711ae4a2baaf",
"target_ref": "x-misp-object--d31ed776-eddf-4bfa-93c3-3fe3531239ef"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}