2023-04-21 13:25:09 +00:00
|
|
|
{
|
2023-06-14 17:31:25 +00:00
|
|
|
"type": "bundle",
|
|
|
|
"id": "bundle--5cc92e5a-c624-4343-8352-40fd02de0b81",
|
|
|
|
"objects": [
|
|
|
|
{
|
|
|
|
"type": "identity",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2019-05-01T07:01:15.000Z",
|
|
|
|
"modified": "2019-05-01T07:01:15.000Z",
|
|
|
|
"name": "CIRCL",
|
|
|
|
"identity_class": "organization"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "report",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "report--5cc92e5a-c624-4343-8352-40fd02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2019-05-01T07:01:15.000Z",
|
|
|
|
"modified": "2019-05-01T07:01:15.000Z",
|
|
|
|
"name": "OSINT - Kernel Mode Malicious Loader",
|
|
|
|
"published": "2019-05-01T07:01:24Z",
|
|
|
|
"object_refs": [
|
|
|
|
"indicator--5cc92e69-74a8-4690-90f4-482d02de0b81",
|
|
|
|
"indicator--5cc92e8a-6df8-4361-ab1b-4d4002de0b81",
|
|
|
|
"indicator--5cc92e8a-a568-4e06-8c35-42c102de0b81",
|
|
|
|
"observed-data--5cc92fa3-f1cc-46c7-9084-48c902de0b81",
|
|
|
|
"url--5cc92fa3-f1cc-46c7-9084-48c902de0b81",
|
|
|
|
"indicator--5cc9443b-9b54-4abf-a421-1ba002de0b81",
|
|
|
|
"indicator--5cc92fee-df1c-4c88-837f-4d7a02de0b81",
|
|
|
|
"indicator--837ee41b-cf9d-4b16-8de6-383694cf6f5c",
|
|
|
|
"x-misp-object--cd55b14c-14bc-4c8c-86e5-170d7444012a",
|
|
|
|
"relationship--6feb7797-7e1e-4658-af86-e8e0d5698a5f"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"Threat-Report",
|
|
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
|
|
"type:OSINT",
|
|
|
|
"osint:lifetime=\"perpetual\"",
|
|
|
|
"osint:certainty=\"50\""
|
|
|
|
],
|
|
|
|
"object_marking_refs": [
|
|
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5cc92e69-74a8-4690-90f4-482d02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2019-05-01T05:28:09.000Z",
|
|
|
|
"modified": "2019-05-01T05:28:09.000Z",
|
|
|
|
"pattern": "[url:value = 'http://45.227.252.54']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-01T05:28:09Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5cc92e8a-6df8-4361-ab1b-4d4002de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2019-05-01T05:28:42.000Z",
|
|
|
|
"modified": "2019-05-01T05:28:42.000Z",
|
|
|
|
"description": "first stage",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '9cfced68abe4f2c0dc5c42f47652592077c26fd6']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-01T05:28:42Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5cc92e8a-a568-4e06-8c35-42c102de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2019-05-01T05:28:42.000Z",
|
|
|
|
"modified": "2019-05-01T05:28:42.000Z",
|
|
|
|
"description": "unpacked stage",
|
|
|
|
"pattern": "[file:hashes.SHA1 = 'e1111022deeeed0389ff01ebb02489c45fa2f71a']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-01T05:28:42Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5cc92fa3-f1cc-46c7-9084-48c902de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2019-05-01T05:33:23.000Z",
|
|
|
|
"modified": "2019-05-01T05:33:23.000Z",
|
|
|
|
"first_observed": "2019-05-01T05:33:23Z",
|
|
|
|
"last_observed": "2019-05-01T05:33:23Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--5cc92fa3-f1cc-46c7-9084-48c902de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--5cc92fa3-f1cc-46c7-9084-48c902de0b81",
|
|
|
|
"value": "https://twitter.com/PRODAFT/status/1123241137710555136"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5cc9443b-9b54-4abf-a421-1ba002de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2019-05-01T07:01:15.000Z",
|
|
|
|
"modified": "2019-05-01T07:01:15.000Z",
|
|
|
|
"description": "C2",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.227.252.54']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-01T07:01:15Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5cc92fee-df1c-4c88-837f-4d7a02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2019-05-01T05:34:38.000Z",
|
|
|
|
"modified": "2019-05-01T05:34:38.000Z",
|
|
|
|
"description": "Malicious kernel mode loader",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '73f346da7642fae92677a71b01bfcd460f8604bc' AND file:x_misp_state = 'Malicious']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-01T05:34:38Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "file"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:name=\"file\"",
|
|
|
|
"misp:meta-category=\"file\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--837ee41b-cf9d-4b16-8de6-383694cf6f5c",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2019-05-01T05:42:46.000Z",
|
|
|
|
"modified": "2019-05-01T05:42:46.000Z",
|
|
|
|
"pattern": "[file:hashes.MD5 = '3ae249513649876a34c60e04f385e156' AND file:hashes.SHA1 = '9cfced68abe4f2c0dc5c42f47652592077c26fd6' AND file:hashes.SHA256 = '1284962d30eabb8e47261414350c01ec04555800a3866f4e6cf1e20816e25a2e']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2019-05-01T05:42:46Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "file"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:name=\"file\"",
|
|
|
|
"misp:meta-category=\"file\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "x-misp-object",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "x-misp-object--cd55b14c-14bc-4c8c-86e5-170d7444012a",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2019-05-01T05:42:47.000Z",
|
|
|
|
"modified": "2019-05-01T05:42:47.000Z",
|
|
|
|
"labels": [
|
|
|
|
"misp:name=\"virustotal-report\"",
|
|
|
|
"misp:meta-category=\"misc\""
|
|
|
|
],
|
|
|
|
"x_misp_attributes": [
|
|
|
|
{
|
|
|
|
"type": "datetime",
|
|
|
|
"object_relation": "last-submission",
|
|
|
|
"value": "2019-02-23T10:47:04",
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "first stage",
|
|
|
|
"uuid": "09a8c2c4-491f-4dab-b9ba-2d669878f830"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "link",
|
|
|
|
"object_relation": "permalink",
|
|
|
|
"value": "https://www.virustotal.com/file/1284962d30eabb8e47261414350c01ec04555800a3866f4e6cf1e20816e25a2e/analysis/1550918824/",
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "first stage",
|
|
|
|
"uuid": "d63e7483-709b-4a33-9799-1109f24b823d"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "text",
|
|
|
|
"object_relation": "detection-ratio",
|
|
|
|
"value": "33/66",
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "first stage",
|
|
|
|
"uuid": "0f752f01-5f37-4c8a-8ad8-56622bfe8a6a"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"x_misp_meta_category": "misc",
|
|
|
|
"x_misp_name": "virustotal-report"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "relationship",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "relationship--6feb7797-7e1e-4658-af86-e8e0d5698a5f",
|
|
|
|
"created": "2019-05-01T05:42:47.000Z",
|
|
|
|
"modified": "2019-05-01T05:42:47.000Z",
|
2023-04-21 13:25:09 +00:00
|
|
|
"relationship_type": "analysed-with",
|
2023-06-14 17:31:25 +00:00
|
|
|
"source_ref": "indicator--837ee41b-cf9d-4b16-8de6-383694cf6f5c",
|
|
|
|
"target_ref": "x-misp-object--cd55b14c-14bc-4c8c-86e5-170d7444012a"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "marking-definition",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
|
|
"definition_type": "tlp",
|
|
|
|
"name": "TLP:WHITE",
|
|
|
|
"definition": {
|
|
|
|
"tlp": "white"
|
|
|
|
}
|
|
|
|
}
|
2023-04-21 13:25:09 +00:00
|
|
|
]
|
|
|
|
}
|