{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--571a302c-e5c4-4014-8131-4e9c950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-22T14:13:47.000Z",
|
||
|
"modified": "2016-04-22T14:13:47.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--571a302c-e5c4-4014-8131-4e9c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-22T14:13:47.000Z",
|
||
|
"modified": "2016-04-22T14:13:47.000Z",
|
||
|
"name": "OSINT - Teaching an old RAT new tricks",
|
||
|
"published": "2016-04-22T14:14:57Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--571a303a-3c3c-4030-885f-400b950d210f",
|
||
|
"url--571a303a-3c3c-4030-885f-400b950d210f",
|
||
|
"x-misp-attribute--571a3056-7f64-4ee4-99d6-425b950d210f",
|
||
|
"indicator--571a307d-d2a8-48f3-a7fa-4c68950d210f",
|
||
|
"indicator--571a30f3-44ec-4b50-a024-40d702de0b81",
|
||
|
"indicator--571a30f4-dd90-4bbc-8f25-4cfd02de0b81",
|
||
|
"observed-data--571a30f4-5ec4-4d2a-86ed-40c602de0b81",
|
||
|
"url--571a30f4-5ec4-4d2a-86ed-40c602de0b81",
|
||
|
"indicator--571a312c-ada4-409a-9d75-437e950d210f",
|
||
|
"indicator--571a3163-6690-403b-9d75-43e6950d210f",
|
||
|
"indicator--571a317a-55bc-42d0-a5b2-4164950d210f",
|
||
|
"indicator--571a3185-2014-41d4-8f7f-45dc02de0b81",
|
||
|
"indicator--571a3186-1514-4141-a640-482702de0b81",
|
||
|
"observed-data--571a3186-bcbc-4ce1-a073-439e02de0b81",
|
||
|
"url--571a3186-bcbc-4ce1-a073-439e02de0b81",
|
||
|
"indicator--571a3186-6a4c-409f-948d-4df502de0b81",
|
||
|
"indicator--571a3187-e8b0-4cb8-9896-49c802de0b81",
|
||
|
"observed-data--571a3187-a00c-45ee-b49b-49ec02de0b81",
|
||
|
"url--571a3187-a00c-45ee-b49b-49ec02de0b81",
|
||
|
"indicator--571a3188-39b4-474d-adbd-414502de0b81",
|
||
|
"indicator--571a3188-fb1c-4924-8bcb-4d7f02de0b81",
|
||
|
"observed-data--571a3188-e618-4f9d-8024-420b02de0b81",
|
||
|
"url--571a3188-e618-4f9d-8024-420b02de0b81",
|
||
|
"indicator--571a319a-7aa4-48bc-bc4b-4ffb950d210f",
|
||
|
"indicator--571a319b-f570-4379-b681-476c950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"type:OSINT"
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--571a303a-3c3c-4030-885f-400b950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-22T14:07:54.000Z",
|
||
|
"modified": "2016-04-22T14:07:54.000Z",
|
||
|
"first_observed": "2016-04-22T14:07:54Z",
|
||
|
"last_observed": "2016-04-22T14:07:54Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--571a303a-3c3c-4030-885f-400b950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--571a303a-3c3c-4030-885f-400b950d210f",
|
||
|
"value": "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--571a3056-7f64-4ee4-99d6-425b950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-22T14:08:22.000Z",
|
||
|
"modified": "2016-04-22T14:08:22.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "Attackers have been successfully deploying RATs for years to remotely control users systems - giving them full access to the victim\u00e2\u20ac\u2122s files or resources such as cameras, recording key strokes, or downloading further malware. Traditionally RATs have been deployed when a user opens an email attachment, or downloads a file from a website or peer-to-peer network. In both cases, these vectors involve use of files to deliver the payload - which are easier to detect.\r\n\r\nRecently we detected a more sophisticated technique that a handful of countries across Asia are actively using to infect systems with RATs. This new technique ensures that the payload/file remains in memory through its execution, never touching the disk in a de-encrypted state. In doing so, the attacker can remain out of view from antivirus technologies, and even \u00e2\u20ac\u02dcnext-generation\u00e2\u20ac\u2122 technologies that only focus on file-based threat vectors. Also, the samples analyzed have the ability detect the presence of a virtual machine to ensure it\u00e2\u20ac\u2122s not being analyzed in a network sandbox.\r\n\r\nAnd finally it\u00e2\u20ac\u2122s important to highlight that the RAT itself is not new. In fact this technique can be used to deliver any \u00e2\u20ac\u0153known\u00e2\u20ac\u009d RAT to a victim\u00e2\u20ac\u2122s system. We analyzed this sample against our SentinelOne EPP to confirm is does not evade our behavior-based detection mechanisms. This is due to the fact that we\u00e2\u20ac\u2122re monitoring all processes at the user-space/kernel-space interface - and because all communication between the application and the kernel must be unencrypted, we detect the sample at both process-injection points."
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--571a307d-d2a8-48f3-a7fa-4c68950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-22T14:09:01.000Z",
|
||
|
"modified": "2016-04-22T14:09:01.000Z",
|
||
|
"description": "Win32 PE .NET 2.0 - Samples Analyzed",
|
||
|
"pattern": "[file:hashes.SHA256 = 'b7cfc7e9551b15319c068aae966f8a9ff563b522ed9b1b42d19c122778e018c8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-04-22T14:09:01Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--571a30f3-44ec-4b50-a024-40d702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-22T14:10:59.000Z",
|
||
|
"modified": "2016-04-22T14:10:59.000Z",
|
||
|
"description": "Win32 PE .NET 2.0 - Samples Analyzed - Xchecked via VT: b7cfc7e9551b15319c068aae966f8a9ff563b522ed9b1b42d19c122778e018c8",
|
||
|
"pattern": "[file:hashes.SHA1 = '3b1ac573509281cdc0b6141f8ea6ed3af393b554']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-04-22T14:10:59Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--571a30f4-dd90-4bbc-8f25-4cfd02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-22T14:11:00.000Z",
|
||
|
"modified": "2016-04-22T14:11:00.000Z",
|
||
|
"description": "Win32 PE .NET 2.0 - Samples Analyzed - Xchecked via VT: b7cfc7e9551b15319c068aae966f8a9ff563b522ed9b1b42d19c122778e018c8",
|
||
|
"pattern": "[file:hashes.MD5 = '65752e742d643d121ee7e826ab65dc9b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-04-22T14:11:00Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--571a30f4-5ec4-4d2a-86ed-40c602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-22T14:11:00.000Z",
|
||
|
"modified": "2016-04-22T14:11:00.000Z",
|
||
|
"first_observed": "2016-04-22T14:11:00Z",
|
||
|
"last_observed": "2016-04-22T14:11:00Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--571a30f4-5ec4-4d2a-86ed-40c602de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--571a30f4-5ec4-4d2a-86ed-40c602de0b81",
|
||
|
"value": "https://www.virustotal.com/file/b7cfc7e9551b15319c068aae966f8a9ff563b522ed9b1b42d19c122778e018c8/analysis/1461260966/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--571a312c-ada4-409a-9d75-437e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-22T14:11:56.000Z",
|
||
|
"modified": "2016-04-22T14:11:56.000Z",
|
||
|
"description": "Packed \"Benchmark\" DLL",
|
||
|
"pattern": "[file:hashes.MD5 = 'e5c71180f117270538487cd9b9b1b6d8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-04-22T14:11:56Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--571a3163-6690-403b-9d75-43e6950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-22T14:12:51.000Z",
|
||
|
"modified": "2016-04-22T14:12:51.000Z",
|
||
|
"description": "Monitor (PerfWatson.exe)",
|
||
|
"pattern": "[file:hashes.MD5 = '9e05fb115bd4e85cfc0e32c72aa721be']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-04-22T14:12:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--571a317a-55bc-42d0-a5b2-4164950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-22T14:13:14.000Z",
|
||
|
"modified": "2016-04-22T14:13:14.000Z",
|
||
|
"description": "NanoCore RAT dumped from memory",
|
||
|
"pattern": "[file:hashes.MD5 = 'd740ed3f33ca4cef3a6aa717f94bf52a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-04-22T14:13:14Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--571a3185-2014-41d4-8f7f-45dc02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-22T14:13:25.000Z",
|
||
|
"modified": "2016-04-22T14:13:25.000Z",
|
||
|
"description": "NanoCore RAT dumped from memory - Xchecked via VT: d740ed3f33ca4cef3a6aa717f94bf52a",
|
||
|
"pattern": "[file:hashes.SHA256 = '755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-04-22T14:13:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--571a3186-1514-4141-a640-482702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-22T14:13:26.000Z",
|
||
|
"modified": "2016-04-22T14:13:26.000Z",
|
||
|
"description": "NanoCore RAT dumped from memory - Xchecked via VT: d740ed3f33ca4cef3a6aa717f94bf52a",
|
||
|
"pattern": "[file:hashes.SHA1 = '8105e6146d9cacf30ca38920a5a8483b52ddff62']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-04-22T14:13:26Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--571a3186-bcbc-4ce1-a073-439e02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-22T14:13:26.000Z",
|
||
|
"modified": "2016-04-22T14:13:26.000Z",
|
||
|
"first_observed": "2016-04-22T14:13:26Z",
|
||
|
"last_observed": "2016-04-22T14:13:26Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--571a3186-bcbc-4ce1-a073-439e02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--571a3186-bcbc-4ce1-a073-439e02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050/analysis/1460984076/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--571a3186-6a4c-409f-948d-4df502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-22T14:13:26.000Z",
|
||
|
"modified": "2016-04-22T14:13:26.000Z",
|
||
|
"description": "Monitor (PerfWatson.exe) - Xchecked via VT: 9e05fb115bd4e85cfc0e32c72aa721be",
|
||
|
"pattern": "[file:hashes.SHA256 = '51142d1fb6c080b3b754a92e8f5826295f5da316ec72b480967cbd68432cede1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-04-22T14:13:26Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--571a3187-e8b0-4cb8-9896-49c802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-22T14:13:27.000Z",
|
||
|
"modified": "2016-04-22T14:13:27.000Z",
|
||
|
"description": "Monitor (PerfWatson.exe) - Xchecked via VT: 9e05fb115bd4e85cfc0e32c72aa721be",
|
||
|
"pattern": "[file:hashes.SHA1 = '407abece50b4905197d5132c19f19b5321fa9a55']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-04-22T14:13:27Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--571a3187-a00c-45ee-b49b-49ec02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-22T14:13:27.000Z",
|
||
|
"modified": "2016-04-22T14:13:27.000Z",
|
||
|
"first_observed": "2016-04-22T14:13:27Z",
|
||
|
"last_observed": "2016-04-22T14:13:27Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--571a3187-a00c-45ee-b49b-49ec02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--571a3187-a00c-45ee-b49b-49ec02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/51142d1fb6c080b3b754a92e8f5826295f5da316ec72b480967cbd68432cede1/analysis/1455165681/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--571a3188-39b4-474d-adbd-414502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-22T14:13:28.000Z",
|
||
|
"modified": "2016-04-22T14:13:28.000Z",
|
||
|
"description": "Packed \"Benchmark\" DLL - Xchecked via VT: e5c71180f117270538487cd9b9b1b6d8",
|
||
|
"pattern": "[file:hashes.SHA256 = 'e707a7745e346c5df59b5aa4df084574ae7c204f4fb7f924c0586ae03b79bf06']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-04-22T14:13:28Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--571a3188-fb1c-4924-8bcb-4d7f02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-22T14:13:28.000Z",
|
||
|
"modified": "2016-04-22T14:13:28.000Z",
|
||
|
"description": "Packed \"Benchmark\" DLL - Xchecked via VT: e5c71180f117270538487cd9b9b1b6d8",
|
||
|
"pattern": "[file:hashes.SHA1 = '3a35080da4c0e71bdd1445fdae886a87d27a419e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-04-22T14:13:28Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--571a3188-e618-4f9d-8024-420b02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-22T14:13:28.000Z",
|
||
|
"modified": "2016-04-22T14:13:28.000Z",
|
||
|
"first_observed": "2016-04-22T14:13:28Z",
|
||
|
"last_observed": "2016-04-22T14:13:28Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--571a3188-e618-4f9d-8024-420b02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--571a3188-e618-4f9d-8024-420b02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/e707a7745e346c5df59b5aa4df084574ae7c204f4fb7f924c0586ae03b79bf06/analysis/1461269734/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--571a319a-7aa4-48bc-bc4b-4ffb950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-22T14:13:46.000Z",
|
||
|
"modified": "2016-04-22T14:13:46.000Z",
|
||
|
"description": "On port 1617",
|
||
|
"pattern": "[domain-name:value = 'azona2015.chickenkiller.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-04-22T14:13:46Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--571a319b-f570-4379-b681-476c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-22T14:13:47.000Z",
|
||
|
"modified": "2016-04-22T14:13:47.000Z",
|
||
|
"description": "On port 1617",
|
||
|
"pattern": "[domain-name:value = 'azona.chickenkiller.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-04-22T14:13:47Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}