2023-04-21 14:44:17 +00:00
{
"type" : "bundle" ,
"id" : "bundle--042a4478-fe19-4ed0-a309-b96da3542a95" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T13:21:32.000Z" ,
"modified" : "2023-01-13T13:21:32.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--042a4478-fe19-4ed0-a309-b96da3542a95" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T13:21:32.000Z" ,
"modified" : "2023-01-13T13:21:32.000Z" ,
"name" : "Analysis of FG-IR-22-398 \u2013 FortiOS - heap-based buffer overflow in SSLVPNd" ,
"published" : "2023-01-13T13:21:41Z" ,
"object_refs" : [
"indicator--23b95adf-c8dd-4835-b1e9-e23183d6bbba" ,
"indicator--f15ce3fd-c07f-456f-b07f-4e4a3f822d6c" ,
"indicator--2eb35a69-dbfb-42a6-8d8a-3e3e400de928" ,
"indicator--0d3771cb-5259-49e0-af8f-e106621d23d7" ,
"indicator--35236d47-2d7c-4789-a1b0-84f524b1ab52" ,
"indicator--fcd50948-9e1b-4672-b01e-1fab338ae212" ,
"indicator--015d8a1c-fea6-46ac-a049-7ead9345cc3f" ,
"indicator--19dd0c3e-652f-464d-ad26-2ddf1e59ec73" ,
"indicator--8a77b238-13e4-4489-9e4c-f95328677c03" ,
"indicator--18016fa2-0115-47ed-a944-02a80bb4322b" ,
"indicator--740c6d33-5ed3-439e-9c85-42b8ad063c4c" ,
"indicator--b24d7229-5422-4645-a761-cc9b1ee33dd7" ,
"indicator--a12c722c-ed6e-4b7e-8bf6-d38f93715333" ,
"indicator--a475e912-4841-400c-b468-7f07e1503d29" ,
"indicator--83616717-5013-4ec0-a241-08e1d5f0f1fa" ,
"indicator--ca47bd29-6c27-4060-9710-e094d20676f5" ,
"indicator--109e3980-b70e-4fc2-9692-0937386098e4" ,
"indicator--964fd5be-2ff8-4178-bc8d-8f9bec690395" ,
"indicator--c9c5d50e-35c9-4602-8984-80a794dcee5d" ,
"indicator--89a2bddc-dc5d-45c0-aac4-1e97fb5f9cee" ,
"indicator--a525d45e-d512-4490-869f-a5a85dd75224" ,
"indicator--f4452141-acfb-44a6-bec8-ad5093fc5eb3" ,
"indicator--77971734-97ba-409b-a2e6-191837911cc1" ,
"indicator--66b4b3d7-8f5f-4aa0-9d97-ff627526a059" ,
"indicator--89c2666b-6fb6-402d-8856-9b8b8ddb213d" ,
"indicator--c435d49f-a81b-430a-a50a-b7ed0433ca2e" ,
"indicator--8e787e2c-9fd7-473d-a4a9-cd17976d950c" ,
"indicator--d1584713-f07c-4901-b6d9-895c11ba496c" ,
"indicator--c53e5c82-971b-459c-8ffd-df3b33fc902a" ,
"x-misp-attribute--145f47e5-9a3e-4fd0-ae3a-8d2e1ee052fe" ,
"x-misp-object--e382ee4d-ca77-46bd-9029-7e0339bf620c" ,
"vulnerability--48f4d58c-85aa-4048-ac46-852d2ce4a23f" ,
"vulnerability--0dc13dec-e5ab-4c09-8811-41e9a45dbb9e" ,
"x-misp-object--d7cc6b5e-f357-4962-8c46-d19ceb040746" ,
"x-misp-object--4b7f16b4-5f75-4dfb-845b-3d859bcdf633" ,
"x-misp-object--50105082-3cf7-400c-bf75-c2aabcff8a87" ,
"indicator--622b381c-f334-4a45-bbef-aca8ca6ee335" ,
"x-misp-object--ad14186f-2ff5-4cc7-aafe-309529f30500" ,
"x-misp-object--e74e0eb4-85d1-431b-902c-5fce491462bc" ,
"indicator--c84b8cb1-2f0a-451c-8e85-59f68705e719" ,
"x-misp-object--3da68ddc-8324-43fa-bbe8-f7720dc32a2b" ,
"indicator--9b6a958e-9b18-407c-9aac-9f1f5dfb8f5b" ,
"indicator--9ec6fbe0-8d11-447a-a038-f6b0a86b9814" ,
"indicator--3e84fef6-6655-46a8-9a74-2e05e651c3d2" ,
"indicator--32d28275-7f48-4b1e-90cc-285cbeee0a0c" ,
"indicator--4919dc52-6dd4-4e94-839a-a1f0a955c307" ,
"x-misp-object--961a77bc-6824-49ae-815c-efb178e8e1b4" ,
"indicator--3547fe3b-4672-41f8-8b87-dd3754d7aeeb" ,
"x-misp-object--060f92b1-3a95-49fd-b14f-e33adbd2115b" ,
"x-misp-object--2f9cb5df-616d-4aa3-b759-2312259e013a" ,
"x-misp-object--a8529e6e-6cfa-4786-a272-086dc1106dd2" ,
"x-misp-object--c10402d1-6766-4ab4-8509-f157c123b61c" ,
"x-misp-object--b3922ef0-5926-4bcf-b1c5-622a6742dcec" ,
"x-misp-object--1d1e1173-a0cf-4808-a2ee-51234b20e355" ,
"x-misp-object--2c07d192-0cfc-44d7-a50d-ba5e19f39d8a" ,
"x-misp-object--3b93ed78-8588-44e1-9900-13cfd51d57e8" ,
"x-misp-object--47345dc1-759f-4d34-997a-79c8a0ff8600" ,
2023-05-19 09:05:37 +00:00
"note--54ae3ae3-3b28-48d2-8aa3-b65955287a9d" ,
"relationship--233b39a5-24b7-4e0b-9e31-9b69b098c99c" ,
"relationship--a7fc54a0-013f-4510-928b-9591f311bc39"
2023-04-21 14:44:17 +00:00
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:sector=\"Government, Administration\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"osint:certainty=\"50\"" ,
"tlp:clear" ,
"misp-galaxy:country=\"russia\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--23b95adf-c8dd-4835-b1e9-e23183d6bbba" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T08:59:28.000Z" ,
"modified" : "2023-01-13T08:59:28.000Z" ,
"description" : "Hashes of post-exploitation implants" ,
"pattern" : "[file:hashes.MD5 = 'f68c3f72270800ea675889e82bb02fb8']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T08:59:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--f15ce3fd-c07f-456f-b07f-4e4a3f822d6c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T08:59:28.000Z" ,
"modified" : "2023-01-13T08:59:28.000Z" ,
"description" : "Hashes of post-exploitation implants" ,
"pattern" : "[file:hashes.MD5 = 'e3f640d8785c0c864739529889b1863a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T08:59:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--2eb35a69-dbfb-42a6-8d8a-3e3e400de928" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T08:59:28.000Z" ,
"modified" : "2023-01-13T08:59:28.000Z" ,
"description" : "Hashes of post-exploitation implants" ,
"pattern" : "[file:hashes.MD5 = '08cbaafb176ce6118f7e4e0b2d2d77cf']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T08:59:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--0d3771cb-5259-49e0-af8f-e106621d23d7" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T08:59:28.000Z" ,
"modified" : "2023-01-13T08:59:28.000Z" ,
"description" : "Hashes of post-exploitation implants" ,
"pattern" : "[file:hashes.MD5 = 'bdc2d2f5d5246f8956711bcce9f456b6']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T08:59:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--35236d47-2d7c-4789-a1b0-84f524b1ab52" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T08:59:28.000Z" ,
"modified" : "2023-01-13T08:59:28.000Z" ,
"description" : "Hashes of post-exploitation implants" ,
"pattern" : "[file:hashes.MD5 = '4548fa6625cb154ab320833186117393']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T08:59:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--fcd50948-9e1b-4672-b01e-1fab338ae212" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T08:59:28.000Z" ,
"modified" : "2023-01-13T08:59:28.000Z" ,
"description" : "Hashes of post-exploitation implants" ,
"pattern" : "[file:hashes.MD5 = 'e5d989b651b3eb351e10e408d5a062b3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T08:59:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--015d8a1c-fea6-46ac-a049-7ead9345cc3f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T08:59:28.000Z" ,
"modified" : "2023-01-13T08:59:28.000Z" ,
"description" : "Hashes of post-exploitation implants" ,
"pattern" : "[file:hashes.MD5 = '3191cb2e06e9a30792309813793f78b6']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T08:59:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--19dd0c3e-652f-464d-ad26-2ddf1e59ec73" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T08:59:28.000Z" ,
"modified" : "2023-01-13T08:59:28.000Z" ,
"description" : "Hashes of post-exploitation implants" ,
"pattern" : "[file:hashes.MD5 = '12e28c14bb7f7b9513a02e5857592ad7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T08:59:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--8a77b238-13e4-4489-9e4c-f95328677c03" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T08:59:28.000Z" ,
"modified" : "2023-01-13T08:59:28.000Z" ,
"description" : "Hashes of post-exploitation implants" ,
"pattern" : "[file:hashes.MD5 = 'ae0839351721db5a9c269fd75dcb57ce']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T08:59:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--18016fa2-0115-47ed-a944-02a80bb4322b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T08:59:28.000Z" ,
"modified" : "2023-01-13T08:59:28.000Z" ,
"description" : "Hashes of post-exploitation implants" ,
"pattern" : "[file:hashes.MD5 = '856341349dd954d82b112ba9165c4563']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T08:59:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--740c6d33-5ed3-439e-9c85-42b8ad063c4c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:12:45.000Z" ,
"modified" : "2023-01-13T09:12:45.000Z" ,
"description" : "Older Actor IP" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '156.251.162.76']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:12:45Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--b24d7229-5422-4645-a761-cc9b1ee33dd7" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:12:53.000Z" ,
"modified" : "2023-01-13T09:12:53.000Z" ,
"description" : "Older Actor IP" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '156.251.163.19']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:12:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--a12c722c-ed6e-4b7e-8bf6-d38f93715333" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:12:22.000Z" ,
"modified" : "2023-01-13T09:12:22.000Z" ,
"description" : "Older Actor IP" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '156.251.163.122']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:12:22Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--a475e912-4841-400c-b468-7f07e1503d29" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:12:34.000Z" ,
"modified" : "2023-01-13T09:12:34.000Z" ,
"description" : "Older Actor IP" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '156.251.162.111']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:12:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--83616717-5013-4ec0-a241-08e1d5f0f1fa" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:15:53.000Z" ,
"modified" : "2023-01-13T09:15:53.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '139.180.184.197']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:15:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--ca47bd29-6c27-4060-9710-e094d20676f5" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:15:53.000Z" ,
"modified" : "2023-01-13T09:15:53.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '66.42.91.32']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:15:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--109e3980-b70e-4fc2-9692-0937386098e4" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:15:53.000Z" ,
"modified" : "2023-01-13T09:15:53.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '158.247.221.101']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:15:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--964fd5be-2ff8-4178-bc8d-8f9bec690395" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:15:53.000Z" ,
"modified" : "2023-01-13T09:15:53.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '107.148.27.117']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:15:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--c9c5d50e-35c9-4602-8984-80a794dcee5d" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:15:53.000Z" ,
"modified" : "2023-01-13T09:15:53.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '139.180.128.142']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:15:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--89a2bddc-dc5d-45c0-aac4-1e97fb5f9cee" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:15:53.000Z" ,
"modified" : "2023-01-13T09:15:53.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '155.138.224.122']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:15:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--a525d45e-d512-4490-869f-a5a85dd75224" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:15:53.000Z" ,
"modified" : "2023-01-13T09:15:53.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.174.136.20']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:15:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--f4452141-acfb-44a6-bec8-ad5093fc5eb3" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:15:53.000Z" ,
"modified" : "2023-01-13T09:15:53.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.86.229.220']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:15:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--77971734-97ba-409b-a2e6-191837911cc1" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:15:53.000Z" ,
"modified" : "2023-01-13T09:15:53.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.86.231.71']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:15:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--66b4b3d7-8f5f-4aa0-9d97-ff627526a059" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:15:53.000Z" ,
"modified" : "2023-01-13T09:15:53.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '139.99.35.116']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:15:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--89c2666b-6fb6-402d-8856-9b8b8ddb213d" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:15:53.000Z" ,
"modified" : "2023-01-13T09:15:53.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '139.99.37.119']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:15:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--c435d49f-a81b-430a-a50a-b7ed0433ca2e" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:15:53.000Z" ,
"modified" : "2023-01-13T09:15:53.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '194.62.42.105']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:15:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--8e787e2c-9fd7-473d-a4a9-cd17976d950c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:15:53.000Z" ,
"modified" : "2023-01-13T09:15:53.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.250.149.32']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:15:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--d1584713-f07c-4901-b6d9-895c11ba496c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:15:53.000Z" ,
"modified" : "2023-01-13T09:15:53.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '137.175.30.138']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:15:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--c53e5c82-971b-459c-8ffd-df3b33fc902a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:15:53.000Z" ,
"modified" : "2023-01-13T09:15:53.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '146.70.157.133']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:15:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--145f47e5-9a3e-4fd0-ae3a-8d2e1ee052fe" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:28:37.000Z" ,
"modified" : "2023-01-13T09:28:37.000Z" ,
"labels" : [
"misp:type=\"pattern-in-traffic\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
] ,
"x_misp_category" : "Network activity" ,
"x_misp_comment" : "By emulating the malware's execution, we found a unique string of bytes in its\u00a0communication with its command & control server\u00a0that can be used for an IPS signature.\u00a0 This string detects the TLS traffic by the TLS request header.\u00a0 The buffer \u201c\\x00\\x0C\\x08http/1.1\\x02h2\\x00\\x00\\x00\\x14\\x00\\x12\\x00\\x00\\x0Fwww.example.com\u201d (unescaped) should appear inside the \u201cClient Hello\u201d packet." ,
"x_misp_type" : "pattern-in-traffic" ,
"x_misp_value" : "\\x00\\x0C\\x08http/1.1\\x02h2\\x00\\x00\\x00\\x14\\x00\\x12\\x00\\x00\\x0Fwww.example.com"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--e382ee4d-ca77-46bd-9029-7e0339bf620c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T08:54:09.000Z" ,
"modified" : "2023-01-13T08:54:09.000Z" ,
"labels" : [
"misp:name=\"report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "link" ,
"value" : "https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd" ,
"category" : "External analysis" ,
"uuid" : "c3e0cd2c-3772-4695-bb62-54d0af792a89"
} ,
{
"type" : "text" ,
"object_relation" : "summary" ,
"value" : "Fortinet has published CVSS: Critical advisory FG-IR-22-398 / CVE-2022-42475 on Dec 12, 2022. The following writeup details our initial investigation into this malware and additional IoCs identified during our ongoing analysis." ,
"category" : "Other" ,
"uuid" : "0c1a8b12-ac58-406a-9dd2-154fa18de957"
} ,
{
"type" : "text" ,
"object_relation" : "type" ,
"value" : "Blog" ,
"category" : "Other" ,
"uuid" : "113aa6d6-bbbb-4fc5-adb5-5d7795772079"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "report"
} ,
{
"type" : "vulnerability" ,
"spec_version" : "2.1" ,
"id" : "vulnerability--48f4d58c-85aa-4048-ac46-852d2ce4a23f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T08:57:50.000Z" ,
"modified" : "2023-01-13T08:57:50.000Z" ,
"name" : "CVE-2022-42475" ,
"labels" : [
"misp:name=\"vulnerability\"" ,
"misp:meta-category=\"vulnerability\"" ,
"misp:to_ids=\"False\""
] ,
"external_references" : [
{
"source_name" : "cve" ,
"external_id" : "CVE-2022-42475"
} ,
{
"source_name" : "url" ,
"url" : "https://www.fortiguard.com/psirt/FG-IR-22-398"
} ,
{
"source_name" : "url" ,
"url" : "https://cvepremium.circl.lu/cve/CVE-2022-42475"
}
] ,
"x_misp_state" : "Published"
} ,
{
"type" : "vulnerability" ,
"spec_version" : "2.1" ,
"id" : "vulnerability--0dc13dec-e5ab-4c09-8811-41e9a45dbb9e" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T08:58:01.000Z" ,
"modified" : "2023-01-13T08:58:01.000Z" ,
"name" : "CVE-2022-42475" ,
"description" : "A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests." ,
"labels" : [
"misp:name=\"vulnerability\"" ,
"misp:meta-category=\"vulnerability\"" ,
"misp:to_ids=\"False\""
] ,
"external_references" : [
{
"source_name" : "cve" ,
"external_id" : "CVE-2022-42475"
} ,
{
"source_name" : "url" ,
"url" : "https://fortiguard.com/psirt/FG-IR-22-398"
}
] ,
"x_misp_cvss_score" : "9.8" ,
"x_misp_cvss_string" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" ,
"x_misp_modified" : "2023-01-09T17:30:00+00:00" ,
"x_misp_published" : "2023-01-02T09:15:00+00:00" ,
"x_misp_state" : "Published" ,
"x_misp_vulnerable_configuration" : [
"cpe:2.3:o:fortinet:fortios:5.6.0:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.6.1:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.6.2:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.6.3:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.6.4:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.6.5:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.6.6:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.6.7:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.6.8:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.6.9:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.6.10:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.6.11:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.6.12:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.6.13:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.6.14:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.4.0:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.4.1:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.4.2:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.4.3:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.4.4:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.4.5:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.4.6:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.4.7:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.4.8:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.4.9:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.4.10:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.4.11:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.4.12:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.4.13:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.2.0:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.2.1:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.2.2:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.2.3:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.2.4:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.2.5:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.2.6:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.2.7:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.2.8:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.2.9:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.2.10:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.2.11:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.2.12:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.2.13:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.2.14:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.2.15:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.0.0:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.0.1:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.0.2:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.0.3:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.0.4:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.0.5:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.0.6:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.0.7:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.0.8:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.0.9:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.0.10:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.0.11:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.0.12:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.0.13:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:5.0.14:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.2.0:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.2.1:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.2.2:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.2.3:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.2.4:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.2.5:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.2.6:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.2.7:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.2.8:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.2.9:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.2.10:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.2.11:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.0.0:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.0.1:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.0.2:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.0.3:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.0.4:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.0.5:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.0.6:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.0.7:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.0.8:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.0.9:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.0.10:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.0.11:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.0.12:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.0.13:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.0.14:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.4.0:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.4.1:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.4.2:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.4.3:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.4.4:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.4.5:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.4.6:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.4.7:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.4.8:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.4.9:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:6.4.10:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:7.2.0:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:7.2.1:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:7.2.2:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:7.0.0:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:7.0.1:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:7.0.2:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:7.0.3:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:7.0.4:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:7.0.5:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:7.0.6:*:*:*:*:*:*:*" ,
"cpe:2.3:o:fortinet:fortios:7.0.7:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.0.0:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.0.1:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.0.2:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.0.3:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.0.4:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.0.5:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.0.6:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.0.7:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.1.0:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.1.1:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.1.2:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.1.3:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.1.4:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.1.5:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.1.6:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.2.0:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.2.1:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.2.2:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.2.3:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.2.4:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.2.5:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.2.6:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.2.7:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.2.8:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.2.9:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.2.10:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.2.11:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.2.12:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:1.2.13:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:7.2.0:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:7.0.0:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:7.0.1:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:7.0.2:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:7.0.3:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:7.0.4:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:7.0.5:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:7.0.6:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:7.0.7:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:2.0.0:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:2.0.1:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:2.0.2:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:2.0.3:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:2.0.4:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:2.0.5:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:2.0.6:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:2.0.7:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:2.0.8:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:2.0.9:*:*:*:*:*:*:*" ,
"cpe:2.3:a:fortinet:fortiproxy:2.0.10:*:*:*:*:*:*:*" ,
"cpe:2.3:h:fortinet:fim-7901e:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:fortinet:fim-7904e:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:fortinet:fim-7910e:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:fortinet:fim-7920e:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:fortinet:fim-7921f:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:fortinet:fim-7941f:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:fortinet:fortigate-6300f:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:fortinet:fortigate-6300f-dc:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:fortinet:fortigate-6500f:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:fortinet:fortigate-6500f-dc:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:fortinet:fortigate-6501f:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:fortinet:fortigate-6501f-dc:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:fortinet:fortigate-6601f:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:fortinet:fortigate-6601f-dc:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:fortinet:fortigate-7030e:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:fortinet:fortigate-7040e:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:fortinet:fortigate-7060e:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:fortinet:fortigate-7121f:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:fortinet:fpm-7620e:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:fortinet:fpm-7620f:-:*:*:*:*:*:*:*" ,
"cpe:2.3:h:fortinet:fpm-7630e:-:*:*:*:*:*:*:*"
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--d7cc6b5e-f357-4962-8c46-d19ceb040746" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T08:58:03.000Z" ,
"modified" : "2023-01-13T08:58:03.000Z" ,
"labels" : [
"misp:name=\"weakness\"" ,
"misp:meta-category=\"vulnerability\""
] ,
"x_misp_attributes" : [
{
"type" : "weakness" ,
"object_relation" : "id" ,
"value" : "CWE-787" ,
"category" : "External analysis" ,
"uuid" : "ce73a5c3-f26c-4be4-bd9c-ba22f2ec6270"
} ,
{
"type" : "text" ,
"object_relation" : "name" ,
"value" : "Out-of-bounds Write" ,
"category" : "Other" ,
"uuid" : "51becf41-07bd-4e91-85d1-abbd324c6c4d"
} ,
{
"type" : "text" ,
"object_relation" : "status" ,
"value" : "Draft" ,
"category" : "Other" ,
"uuid" : "23898f79-54d5-4df9-978f-63979a4394aa"
} ,
{
"type" : "text" ,
"object_relation" : "weakness-abs" ,
"value" : "Base" ,
"category" : "Other" ,
"uuid" : "7d3aa669-4f64-44d5-9997-eb00ad00ea53"
}
] ,
"x_misp_comment" : "CVE-2022-42475: Enriched via the cve_advanced module" ,
"x_misp_meta_category" : "vulnerability" ,
"x_misp_name" : "weakness"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--4b7f16b4-5f75-4dfb-845b-3d859bcdf633" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:03:16.000Z" ,
"modified" : "2023-01-13T09:03:16.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/gui/file/0184e3d3dd8f4778d192d07e2caf44211141a570d45bb47a87894c68ebebeabb" ,
"category" : "External analysis" ,
"uuid" : "0d1b4e81-b0c3-4f01-afcb-7a44502b206a"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "20/63" ,
"category" : "External analysis" ,
"uuid" : "f4403481-b830-4610-80f8-600e3efc7740"
}
] ,
"x_misp_comment" : "3191cb2e06e9a30792309813793f78b6: enriched via the virustotal module." ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--50105082-3cf7-400c-bf75-c2aabcff8a87" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:03:01.000Z" ,
"modified" : "2023-01-13T09:03:01.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/gui/ip_address/155.138.224.122" ,
"category" : "External analysis" ,
"uuid" : "b38daa57-d585-48cc-bc1d-d33c3b731e59"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "9/88" ,
"category" : "External analysis" ,
"uuid" : "5ed5cff5-18d0-4380-b05c-a5bf38c12680"
}
] ,
"x_misp_comment" : "3191cb2e06e9a30792309813793f78b6: enriched via the virustotal module." ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--622b381c-f334-4a45-bbef-aca8ca6ee335" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:02:47.000Z" ,
"modified" : "2023-01-13T09:02:47.000Z" ,
"description" : "3191cb2e06e9a30792309813793f78b6: enriched via the virustotal module." ,
"pattern" : "[domain-name:resolves_to_refs[*].value = '155.138.224.122']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:02:47Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--ad14186f-2ff5-4cc7-aafe-309529f30500" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:02:34.000Z" ,
"modified" : "2023-01-13T09:02:34.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/gui/file/23f2536aec6a4977a504312ff5863468ba2900fece735acd775d0ae455b4cd4d" ,
"category" : "External analysis" ,
"uuid" : "420f124a-51a6-47ea-b337-49001dee28cc"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "21/63" ,
"category" : "External analysis" ,
"uuid" : "990bc7ad-4c4b-48d7-bebc-10a56a43544a"
}
] ,
"x_misp_comment" : "856341349dd954d82b112ba9165c4563: enriched via the virustotal module." ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--e74e0eb4-85d1-431b-902c-5fce491462bc" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:02:20.000Z" ,
"modified" : "2023-01-13T09:02:20.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/gui/ip_address/107.148.27.117" ,
"category" : "External analysis" ,
"uuid" : "819e7750-7fa2-49dc-b68a-fee2b2de07ca"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "10/88" ,
"category" : "External analysis" ,
"uuid" : "066a1449-5f70-4317-bbf0-289c64bf65aa"
}
] ,
"x_misp_comment" : "856341349dd954d82b112ba9165c4563: enriched via the virustotal module." ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--c84b8cb1-2f0a-451c-8e85-59f68705e719" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:01:59.000Z" ,
"modified" : "2023-01-13T09:01:59.000Z" ,
"description" : "856341349dd954d82b112ba9165c4563: enriched via the virustotal module." ,
"pattern" : "[domain-name:resolves_to_refs[*].value = '107.148.27.117']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:01:59Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--3da68ddc-8324-43fa-bbe8-f7720dc32a2b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:03:50.000Z" ,
"modified" : "2023-01-13T09:03:50.000Z" ,
"labels" : [
"misp:name=\"ja3\"" ,
"misp:meta-category=\"network\""
] ,
"x_misp_attributes" : [
{
"type" : "ja3-fingerprint-md5" ,
"object_relation" : "ja3-fingerprint-md5" ,
"value" : "bf2b95ac267823f6588b2436bc537b26" ,
"category" : "Network activity" ,
"to_ids" : true ,
"uuid" : "d3a8c1fb-b989-457b-806b-e48892c77942"
}
] ,
"x_misp_comment" : "The JA3 for the malware SSL/TLS client connection appears to be unique to the malware and can be used to detect an attack." ,
"x_misp_meta_category" : "network" ,
"x_misp_name" : "ja3"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--9b6a958e-9b18-407c-9aac-9f1f5dfb8f5b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:05:16.000Z" ,
"modified" : "2023-01-13T09:05:16.000Z" ,
"pattern" : " [ f i l e : h a s h e s . M D 5 = ' 54 b b e a 35 b 0 95 d d f e 9740 d f 97 b 693627 b ' A N D f i l e : h a s h e s . S H A 1 = ' 0 8760 c b 1 d 322269 d b e 62 d 9 a 642697 a c 71306 f b e 3 ' A N D f i l e : h a s h e s . S H A 256 = ' 61 a a e 0e18 c 41 e c 4 f 610676680 d 26 f 6 c 6e1 d 4 d 5 a a 4e5092 e 40915 f e 806 b 679 c d 4 ' A N D f i l e : h a s h e s . S H A 512 = ' c 0 c 33975 f c 3338 b e 2 d 18 d a e f 0 9 f 8 a 156 f 3 b f 2038 a f 0 5 b 28980 b d c b c 855 b d 8875869 a d 904584 c f 822 f 6 e b d 58 f d c b c 39 c 0 7 f 5 a b 6 f d d 1e13 f 3 c a b 641 f a f 76e2 c 0 e a ' A N D f i l e : h a s h e s . S S D E E P = ' 3072 : M z T / 0 / E N k l K Q L r A u y a x S H C 5 i n A + L z f L X D v b n T / r 3 j P 7 H z L / 3 z X v b n T / r y 5 : 2 m K Q L r A u P x K 1 A + L z f L X D v b n T / r 3 j P 7 H Q ' A N D f i l e : n a m e = ' 61 a a e 0e18 c 41 e c 4 f 610676680 d 26 f 6 c 6e1 d 4 d 5 a a 4e5092 e 40915 f e 806 b 679 c d 4 ' A N D f i l e : s i z e = ' 99328 ' A N D ( f i l e : c o n t e n t _ r e f . p a y l o a d _ b i n = ' U E s D B B Q A C Q A I A K h I L V Z e 4 F M K t c Q A A A C E A Q A g A B w A N T R i Y m V h M z V i M D k 1 Z G R m Z T k 3 N D B k Z j k 3 Y j Y 5 M z Y y N 2 J V V A k A A 8 w e w W P M H s F j d X g L A A E E I Q A A A A Q h A A A A b l o u T w l L k T D B f u 7 k f 8 U O b T + R V q t M v 8 Y k N g E + n 1 l v M X O 8 P y d P e J E Z i 1 A 7 + D 0 x + 50 k T 8 k O 4 u w 1 b 8 t I i / G Q 0 v h x c b U U u N H 4 / V A 2 V L 15 X t M Y 0 852 b 6 C g 9 j 66 z W 5 x 0 b 86 s o L E 6 A P / F U i k Q F o c h z v p N w D 5 w g O v x H J n + e 6 B w 4 g M K x k m I E w j J 9 v K t r + Q 7 i D k p y y 56 Q m Z x M e z W P v Z C T 3 / 2 h b f l 5 O i X h q r 814 v 0 q 63 l F D r r K f z d n + / l U D Z v r Q V v I V a a p q 5 m 1 u R 30 w U 4 D l l Y J S 3 W b G 1 K y n c w 4 d y 6 x w P B 4 L B K S H F 2 S M S g s X F l K 0 8181 f X e e t S r 3 q s D K s e v + p H d T J D a P i n 2 n 7 / z r L v 5 p I y d E m t G E B A g R 9 z Y D Q Z i f U 59 Z k G N t L 6 g 2 i e Y / 9 P r m U W v X k w U A h + J W 5 m 4 S l R Q K x J 0 4 P p g p 4 p L a b U H h v 0 B Q p A u M l G K 3 L X c x A q 2 C O c D m P E x 5 p D z C 3 W i Y 1 e j b N o H o n R T 63 s 26 o P G F 7 y h O z S U I z z m 0 g t f R v x u I j Y B o O J S f 3 + d s F H e + 7 Z M 9 X 5 v t h v P S 6 p X m 7 q k x 4 L b 2 s F e 1 T z R m R S P K E g g J 1 q U m a y 6 R J b Y O q V H K z l 3 d g O r 5 G 65 w J b e N t S n //bWgrcizO+zFSXSRMQQfKMYVrj6t/6Xkb76AWAlbp2XZOeqd4cU7EhTx6uZxiLmDPaFET6gbWzm/KD0Sv7B6hijl4h8GkUrGn01jzTG0Y2VBPZSQVTqPOJcWPNwVM2Dj9nI85w4IXzDfD4jsUBWixOnECMqOoLvRoajmutYmvCPmLlXImG/iMcMZXfGMfTFzzpInqa2qK+22VMjryyDJKyOezI8F59D2kadSpzW6eEL+z6zkj+SJhJd99fywNTi1JiUpBNgOUUkdU+ehpPZtvHmHx3tg7pGAVXzk+c7D+XzvknVgjv8LydVUUZuA19AAOKnnuXYng+qF6g8HLkBkF1H1FFIPEok4mEgz/CJJO6Idsadf/n6cy/IJLrO5cvW39kmZ0vjfWnnyPPUgY5HF1JYXdBLPI9vcNCMmoI8lN4YZtJbm4LP17Ds5Z90YWC+i61po/6I/YE7SX5iJ0utJeXnk9s7cfhR4zR95s/qHg8xfYwqC171RK827cTBb6JVajcvLqVFKghIE0KcZs+exAe4+zDfMdOT+sq07UAkam7kGf429v4IYoZmqHEhVhBtrIY8ssJ/I+6m88j4AOgaIATOcU4d7i0DGhvsrzOc7Rayylg/5VYEticiqAghOn4TK4gmNA3Mq5oxkIQX6DUBcgu5yJ2TjasOBbxOidWs7XmgFCFqGLq5NkKPhDVa7X/nSyxTXHO3LVN+Im3gf+DT+Y1L7nbGGL2cN7MQlfS1KM5VmvDGtaNDg0hxiC7dRlGVrCSijEhYIHI/YNAZ8DnC5xHLfro1NQDb2Iz+7IBpnIJbRdJ3vODO5NQQsfZvx7aee18yxTZ06nA49qxj4XFK/cSIPHiYOAk4V2txxy/V7cUmCmMZPY7gyULYz0kTFC7QJAl6shoUh7D2VaePM3KgXUdPtzyFVTUGtmeyyu0VAn2Sq3kWr0xDozPHxLy7h6nr88OQdEC254n1mz0Pl5Nsw5fCwOtukAm7rczOnzkMLzWWA0wwOlWU7fh41uIuUVZbD9e1bIa78xVHCAuh3v8Ei8DoIVn0Q0RowyvoybM+LaiTFGByRpTBOOMDFVHPXwpD99Rs6aaN9AZwmfgGtkp4+zaiwB1H5BMqzVA4QtGytPrq4Ec/Iez6rmuehl6Os4HCuSEvBdLbpSTnf2KkKlRFg7ZTHCAB/3dm0W9Dif0v5KBempnvBOxXGznCY/z5k+7jM55cycxuN4MNjgr3KK/gLSvSymHuk26xhiaDH2uVgi+CZZ7VQYM5uwkrouGdRbghysSMSaiFTarUmCcOch53B6mGetpVLsByfKjzPNANVV+iCsFAv6iM1Nc1/awvDZcSMBSCnoiogo3xwFt6gpVZOXBuEnj28NpvMoEUZXWcKM+f4kGz+eUmHI94ERR3ZjXlq6WXLo8O3uZPUOwEBHr/2kWysHmb4fn/CUngGHk11C1X4j99en9hIGa2/+qszsQXDramG6mXVZUFbgRrYqat4ZkM7gw/5Nw6IJHTtCvuOu/QlVLavazaoS0a3VvjkZXdRJUp4il3A/hhVl5FxB03xqvGUY9vmjqgrSc89QK5+PZULCvvTsw/02T9CurkbRESTCkmyIX91+fjxlzQ9sopM+0RUj13j5n0DnbZLRu3ei7N/M0JZ5olS/bWeJgS/TJfBQvF1svXtS/Xn/frMwIllh0IRBQMYM0IuRVGyQdp8EWSbc/mGhmAfnbkmJ2cCdyMVkCJ7L8nB4oEk4g5j574UggCJS8SIG48/lXWvQure9kC0r1fBccAl78f/rhjaqrrog6FNmFRYrkN2DuYdlvE1QSmEao7vVRXjRB1zBkD16BASj5daDtpI4ef0/ukQ/x3cCyolwbOVHmxTMAn5N324ovn/sN0B52qJ3aZTfNiLUlAEL7OFvsL9gvvWEwp12YwHKyV7O7HYY0fn0Viai/2Y+Or9Yu0XlvGcITn4LP1Cd272qqPj6yPnovQFMAedkvJUQfPmuGrAcRD52a8DUaM3YJekN4W2DfVdTT5xCEWEfCKAH3t3Dc4jH3pIQ0Ao3olNuN6PEBTtUWR9p5eGKpL6Wk643P6AO5liTu9EcJO9il/7OaRR6O5gUisDxVGDxH2aJzPAMlSd8hRdp8u+mv1M8Oeni+Dn52NvUp4+xCWACT/M+7ee0+CWuM5PBxbvPv8yp1rN5xTHEfNQ9suApe7I20t2VXCf4sE4jzU9n4rKcOjSDkYD3AsCRs/oxMek7Gn7v+SgIynRS8Aydegzqoz7c/yV/vl7sWPHgYwBnxLxa/DRIkN/BbLefoM+fVYcMptXVsa4DvxAUVX0RoBFewkF9DgDgYOgA+J4+QK+Af/R2L/kddmg2ScSm7gmagEhLdRlEvfNiNFhYbxU6eyxHciKGAron25QFaSIjArcYRxSaia7KWWuX9/HqdQotMlIe6DrDIXRVj3yAkfJmsv4w6XedK+/0QlyXvZG2AXQaBPgDxf4UbFBQigdtG9Xpu5sTQT9+eFAdECRMAUVQXKTX4h30HhnDBagpE2MR90LBktYl0ne6I6MTAhiu7/ZXpdAo72N23lFDu5NRZpmk7eHUxHpUFJP1rPdEiMLgXsGdUYGk3Thalv+Umh+wq+R+tWYQYbsCxuaB+qifDAjHEDAskYe93ULo3qlGO4J0VmS6scGVm5yOKhutkreW8+umQkAlUvHGYBXUywVhJ/fVAQhExu8TxVP9bcFJIrbAjxMehrw
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:05:16Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--9ec6fbe0-8d11-447a-a038-f6b0a86b9814" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:18:36.000Z" ,
"modified" : "2023-01-13T09:18:36.000Z" ,
"pattern" : "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '172.247.168.153') AND network-traffic:dst_port = '8033']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:18:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"ip-port\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--3e84fef6-6655-46a8-9a74-2e05e651c3d2" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:20:17.000Z" ,
"modified" : "2023-01-13T09:20:17.000Z" ,
"pattern" : "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.36.119.61') AND network-traffic:dst_port = '8443' AND network-traffic:dst_port = '444']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:20:17Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"ip-port\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--32d28275-7f48-4b1e-90cc-285cbeee0a0c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:21:34.000Z" ,
"modified" : "2023-01-13T09:21:34.000Z" ,
"pattern" : "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.131.189.143') AND network-traffic:dst_port = '30080' AND network-traffic:dst_port = '30081' AND network-traffic:dst_port = '30443' AND network-traffic:dst_port = '20443']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:21:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"ip-port\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--4919dc52-6dd4-4e94-839a-a1f0a955c307" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:22:14.000Z" ,
"modified" : "2023-01-13T09:22:14.000Z" ,
"pattern" : "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.34.130.40') AND network-traffic:dst_port = '444']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:22:14Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"ip-port\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--961a77bc-6824-49ae-815c-efb178e8e1b4" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:25:25.000Z" ,
"modified" : "2023-01-13T09:25:25.000Z" ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "state" ,
"value" : "Malicious" ,
"category" : "Other" ,
"uuid" : "a746a583-7902-4cfb-8ea4-179104290eec"
} ,
{
"type" : "text" ,
"object_relation" : "fullpath" ,
"value" : "/data/lib/libips.bak" ,
"category" : "Other" ,
"uuid" : "96d1f70a-aa11-44fe-9bae-b715d4927109"
} ,
{
"type" : "text" ,
"object_relation" : "fullpath" ,
"value" : "/data/lib/libgif.so" ,
"category" : "Other" ,
"uuid" : "e6436492-3dc5-4bd6-815b-caa60dcad202"
} ,
{
"type" : "text" ,
"object_relation" : "fullpath" ,
"value" : "/data/lib/libiptcp.so" ,
"category" : "Other" ,
"uuid" : "0cab46d9-5e32-4525-b21d-04f54b46cbff"
} ,
{
"type" : "text" ,
"object_relation" : "fullpath" ,
"value" : "/data/lib/libipudp.so" ,
"category" : "Other" ,
"uuid" : "d7932f54-07a2-41bb-b81e-4608cc75d39a"
} ,
{
"type" : "text" ,
"object_relation" : "fullpath" ,
"value" : "/data/lib/libjepg.so" ,
"category" : "Other" ,
"uuid" : "f66e9dde-c15a-45cd-bf6f-784c0457ab7b"
} ,
{
"type" : "text" ,
"object_relation" : "fullpath" ,
"value" : "/var/.sslvpnconfigbk" ,
"category" : "Other" ,
"uuid" : "11efedea-9665-4347-88a6-b3d540aa2e8a"
} ,
{
"type" : "text" ,
"object_relation" : "fullpath" ,
"value" : "/data/etc/wxd.conf" ,
"category" : "Other" ,
"uuid" : "622c1a0f-3d5f-49c7-8e6e-6a78248276d6"
} ,
{
"type" : "text" ,
"object_relation" : "fullpath" ,
"value" : "/flash" ,
"category" : "Other" ,
"uuid" : "0c217051-2182-4c9f-a704-14b250a8b9f5"
}
] ,
"x_misp_comment" : "Presence of the following artifacts in the filesystem:" ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "file"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--3547fe3b-4672-41f8-8b87-dd3754d7aeeb" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:05:16.000Z" ,
"modified" : "2023-01-13T09:05:16.000Z" ,
"pattern" : "[file:extensions.'windows-pebinary-ext'.number_of_sections = '9' AND file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.optional_header.address_of_entry_point = '4199600' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2021-08-26T07:13:04+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_internal_filename = 'AC file name' AND file:extensions.'windows-pebinary-ext'.x_misp_file_description = 'AC Description' AND file:extensions.'windows-pebinary-ext'.x_misp_file_version = '1.0' AND file:extensions.'windows-pebinary-ext'.x_misp_lang_id = '080904E4' AND file:extensions.'windows-pebinary-ext'.x_misp_product_name = 'AC' AND file:extensions.'windows-pebinary-ext'.x_misp_product_version = '1.0' AND file:extensions.'windows-pebinary-ext'.x_misp_company_name = 'AC Company' AND file:extensions.'windows-pebinary-ext'.x_misp_legal_copyright = 'AC copyright']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-01-13T09:05:16Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"pe\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--060f92b1-3a95-49fd-b14f-e33adbd2115b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:05:15.000Z" ,
"modified" : "2023-01-13T09:05:15.000Z" ,
"labels" : [
"misp:name=\"pe-section\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "name" ,
"value" : ".text" ,
"category" : "Other" ,
"uuid" : "e7bb1fd2-36d5-4863-b17f-42d75904e58e"
} ,
{
"type" : "size-in-bytes" ,
"object_relation" : "size-in-bytes" ,
"value" : "80896" ,
"category" : "Other" ,
"uuid" : "0e9f763e-140d-4d66-a757-4ac6c5df334c"
} ,
{
"type" : "float" ,
"object_relation" : "entropy" ,
"value" : "6.1933439370956" ,
"category" : "Other" ,
"uuid" : "a112ff46-43d1-46fb-98cf-7d1b252f53a2"
} ,
{
"type" : "md5" ,
"object_relation" : "md5" ,
"value" : "4b5de9374a615b76e607c1dc4d17ac72" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "727306a3-783a-45b8-ae8e-48dc9139cadd"
} ,
{
"type" : "sha1" ,
"object_relation" : "sha1" ,
"value" : "92a4ea254751b960250b21d8f8e947eb769ef01a" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "34c210a9-8b14-4068-8aa7-2a056825a360"
} ,
{
"type" : "sha256" ,
"object_relation" : "sha256" ,
"value" : "5f826a78d3d88061f3f7e3281ffc41b37a8071a217cd15b584e4f6edd909b23c" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "8d7dbb00-c7ce-4bf9-ae08-82f90440ae70"
} ,
{
"type" : "sha512" ,
"object_relation" : "sha512" ,
"value" : "b208b7a03e8036c27f09f43fc1f46fa7343c3a62efe0aa554908ac6426df1783d694638e135ef71b85cb8544e4da37d6a03cb6e923848a492016d688f1ddf5a2" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "d02b29e1-aaa0-49c9-8df8-82f6fe67bcbe"
} ,
{
"type" : "ssdeep" ,
"object_relation" : "ssdeep" ,
"value" : "1536:MzT7zQBr/zINrQlKQLvTYZuyjOzNSHCCiin0F7KLzfLXDvbnT/r3jP7HzL/3zXvW:MzT/0/ENklKQLrAuyaxSHC5inA+LzfL6" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "04c733f2-a876-4fc5-a5ce-5dbb1bdf9728"
}
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "pe-section"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--2f9cb5df-616d-4aa3-b759-2312259e013a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:05:15.000Z" ,
"modified" : "2023-01-13T09:05:15.000Z" ,
"labels" : [
"misp:name=\"pe-section\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "name" ,
"value" : ".data" ,
"category" : "Other" ,
"uuid" : "3d0c000e-3d10-41ac-98d0-edfed05c7848"
} ,
{
"type" : "size-in-bytes" ,
"object_relation" : "size-in-bytes" ,
"value" : "2560" ,
"category" : "Other" ,
"uuid" : "e9661fd2-6e1e-4e68-9851-4ea518ec3d89"
} ,
{
"type" : "float" ,
"object_relation" : "entropy" ,
"value" : "0.6540748833811" ,
"category" : "Other" ,
"uuid" : "9dbc8653-6947-4fd8-981c-99ed03427aa6"
} ,
{
"type" : "md5" ,
"object_relation" : "md5" ,
"value" : "7ea63e83e1c0f8b6dc4ef536699484dd" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "0ba25daf-1ff1-4b72-8972-446c93b893f7"
} ,
{
"type" : "sha1" ,
"object_relation" : "sha1" ,
"value" : "3326c3c5793f7f3510ef415f14b3db4b62e27bd2" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "4bb3fd53-5738-45a3-a935-0f7944bb9c1b"
} ,
{
"type" : "sha256" ,
"object_relation" : "sha256" ,
"value" : "89ec50c88cda5557005116ac06d514df68f12d2c0bf29773b20589814ab9723f" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "c0c6126e-0ddf-47ed-92bf-fee96c54251a"
} ,
{
"type" : "sha512" ,
"object_relation" : "sha512" ,
"value" : "09403f1bf4e83bb72db252de42b2c8bddd29ba99557115466f02ac668b6d6074a0883f597f6c0e7613bf00900af6163a1ee0a204a09bcb1e497c2a8eb29664d5" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "6f53837d-928a-4b54-84fa-99a6b11e538c"
} ,
{
"type" : "ssdeep" ,
"object_relation" : "ssdeep" ,
"value" : "6:Xmt/eLtlMQQ/wm+RxlXOfUKjyipKR9jHUAj/k1Aj/k1qa6Ul:XmtGplsF+Rj7xfkAA1AA19" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "cc8db82e-412d-418e-bb6e-9d8f95b5d023"
}
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "pe-section"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--a8529e6e-6cfa-4786-a272-086dc1106dd2" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:05:15.000Z" ,
"modified" : "2023-01-13T09:05:15.000Z" ,
"labels" : [
"misp:name=\"pe-section\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "name" ,
"value" : ".rdata" ,
"category" : "Other" ,
"uuid" : "b8384a3d-3278-4c86-9614-6b1dd8ebd607"
} ,
{
"type" : "size-in-bytes" ,
"object_relation" : "size-in-bytes" ,
"value" : "5120" ,
"category" : "Other" ,
"uuid" : "282e9121-898f-461b-89fe-ee74a686dca6"
} ,
{
"type" : "float" ,
"object_relation" : "entropy" ,
"value" : "5.4635139902349" ,
"category" : "Other" ,
"uuid" : "2f687329-70e3-4cb4-994c-f2ae46f0145a"
} ,
{
"type" : "md5" ,
"object_relation" : "md5" ,
"value" : "e4c9d495339c4a934cc1b935660e0e38" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "01b4507e-7822-4c32-bbef-f38583f11150"
} ,
{
"type" : "sha1" ,
"object_relation" : "sha1" ,
"value" : "037f98546890d032d441763d9e3bc1de54ffbbc0" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "805c0a79-84ce-4578-8e1b-3efbadf1e1ce"
} ,
{
"type" : "sha256" ,
"object_relation" : "sha256" ,
"value" : "336ea8b9b38f4d53ad336eec0b0e1e03b59955194a5f37a15b0ae1fc80b4f061" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "6bef110b-bb2c-40db-ac48-e28e7d72720c"
} ,
{
"type" : "sha512" ,
"object_relation" : "sha512" ,
"value" : "3bf3cac0891b015a26d18090219d445c48bbdc89eeac878cfcffb393b8b33296317aa7bc5f12d6f1498429807424f8c3e3ab249b273b270607bbffe83b5f9a75" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "8c0a496f-5a62-4c16-99c7-8843cd2f87e0"
} ,
{
"type" : "ssdeep" ,
"object_relation" : "ssdeep" ,
"value" : "48:X65hlRWXMFfHP7BEP+sx4OQQuQv2qjr5vh8MMy9D/DtyGbBbBbBbBbBbBbBbBbBP:qLrmMF/SP+GuQv2qHLd9DhX" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "960db690-e673-43f1-bbda-24285d0d0b99"
}
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "pe-section"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--c10402d1-6766-4ab4-8509-f157c123b61c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:05:15.000Z" ,
"modified" : "2023-01-13T09:05:15.000Z" ,
"labels" : [
"misp:name=\"pe-section\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "name" ,
"value" : ".bss" ,
"category" : "Other" ,
"uuid" : "7c2df5c6-4b3f-4d1c-a5f7-823cfe281da7"
} ,
{
"type" : "size-in-bytes" ,
"object_relation" : "size-in-bytes" ,
"value" : "0" ,
"category" : "Other" ,
"uuid" : "15dfb76d-f355-49f3-97dc-bc3c45d830df"
}
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "pe-section"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--b3922ef0-5926-4bcf-b1c5-622a6742dcec" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:05:15.000Z" ,
"modified" : "2023-01-13T09:05:15.000Z" ,
"labels" : [
"misp:name=\"pe-section\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "name" ,
"value" : ".idata" ,
"category" : "Other" ,
"uuid" : "98de02a5-8133-4375-b702-f606b6efcd48"
} ,
{
"type" : "size-in-bytes" ,
"object_relation" : "size-in-bytes" ,
"value" : "4096" ,
"category" : "Other" ,
"uuid" : "f1e21f9f-3e57-49c0-8bd2-02694064057e"
} ,
{
"type" : "float" ,
"object_relation" : "entropy" ,
"value" : "5.2099581938208" ,
"category" : "Other" ,
"uuid" : "4edf59fd-77c7-4da0-9654-140008f38358"
} ,
{
"type" : "md5" ,
"object_relation" : "md5" ,
"value" : "4f2bf103dfcc95692a488edab688bbc7" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "1ad115ba-9135-48b2-aa20-803f6cc64c5c"
} ,
{
"type" : "sha1" ,
"object_relation" : "sha1" ,
"value" : "b2d25fd8efd7b824c2912a9f80c918fe1f11952d" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "dc32eb3c-6165-443e-89cf-20fab39e55be"
} ,
{
"type" : "sha256" ,
"object_relation" : "sha256" ,
"value" : "f60d590bc286bc3357f693500e25f8d13699f93402c384ea3354ee694ad6abb2" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "96713c7e-9b9d-4d42-8be7-0e9ce32d592d"
} ,
{
"type" : "sha512" ,
"object_relation" : "sha512" ,
"value" : "b9a44e91d89c9586694f575a54eb41db7e2dc7f1097a1470470e6df077747c024dae28ae828b572e400d35e0b0957b31f3e54fd8f2a9f5fc64e6f1729fbe423d" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "f7625501-88f3-47b8-9622-94aed9790d12"
} ,
{
"type" : "ssdeep" ,
"object_relation" : "ssdeep" ,
"value" : "48:VYTBshkXzByshkXzByr3mPWXEDll6GraRBTuyK1uA9GFDkcMUuRVxGp:yy4W+s/zuBTfK1uA9SDkcMUuRVq" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "78dfc026-71fe-49b7-9474-b5face8bf6c0"
}
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "pe-section"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--1d1e1173-a0cf-4808-a2ee-51234b20e355" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:05:15.000Z" ,
"modified" : "2023-01-13T09:05:15.000Z" ,
"labels" : [
"misp:name=\"pe-section\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "name" ,
"value" : ".CRT" ,
"category" : "Other" ,
"uuid" : "f06bd361-ad6e-4779-8862-a9fd1abee749"
} ,
{
"type" : "size-in-bytes" ,
"object_relation" : "size-in-bytes" ,
"value" : "512" ,
"category" : "Other" ,
"uuid" : "50f064df-82de-4a32-818c-1a71f6092f29"
} ,
{
"type" : "float" ,
"object_relation" : "entropy" ,
"value" : "1.6185253040527" ,
"category" : "Other" ,
"uuid" : "3ea9ab4b-e55d-42d5-9939-f1e5defefeeb"
} ,
{
"type" : "md5" ,
"object_relation" : "md5" ,
"value" : "3312975753899c136a2cba9b13c60ad0" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "4bbcbe4d-06d5-4b3f-80b7-7c5e21d0a4dd"
} ,
{
"type" : "sha1" ,
"object_relation" : "sha1" ,
"value" : "6bb845d70432ae6f16002393f1ed36d3f5ff826e" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "2db1b968-e3a6-47d0-bd2f-56f7edcc1ba1"
} ,
{
"type" : "sha256" ,
"object_relation" : "sha256" ,
"value" : "fc607709d7ac5011094efd7565647ad4dfd793c9f57a0e949f25bf2d241fcbad" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "f08350ee-0eb2-4811-84a0-628cf2cbd6a8"
} ,
{
"type" : "sha512" ,
"object_relation" : "sha512" ,
"value" : "16ce5aeea206f79e4b26341705b451df52c492bbd7ca0d7bab47e9d3230f881a36d5ab27311f56d4dc4f580951eda3759e978b1db2240283762e44f13509da7c" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "155f634e-fa59-47d6-b9cf-a620f7f498f0"
} ,
{
"type" : "ssdeep" ,
"object_relation" : "ssdeep" ,
"value" : "3:+/tdFllXl6ltl/ll:N" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "9b3ab4e9-16f3-4e3e-8628-ddadc03dd9f9"
}
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "pe-section"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--2c07d192-0cfc-44d7-a50d-ba5e19f39d8a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:06:37.000Z" ,
"modified" : "2023-01-13T09:06:37.000Z" ,
"labels" : [
"misp:name=\"pe-section\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "name" ,
"value" : ".tls" ,
"category" : "Other" ,
"uuid" : "e6a28091-a0f1-4178-9cc8-523ade686c07"
} ,
{
"type" : "size-in-bytes" ,
"object_relation" : "size-in-bytes" ,
"value" : "512" ,
"category" : "Other" ,
"uuid" : "eccebb87-6d3e-4670-9d2d-72516cdf095f"
} ,
{
"type" : "md5" ,
"object_relation" : "md5" ,
"value" : "7dea362b3fac8e00956a4952a3d4f474" ,
"category" : "Payload delivery" ,
"uuid" : "f9496589-7caf-4f02-ad9d-6d6efd4507f6"
} ,
{
"type" : "sha1" ,
"object_relation" : "sha1" ,
"value" : "05fe405753166f125559e7c9ac558654f107c7e9" ,
"category" : "Payload delivery" ,
"uuid" : "4dab0373-5c41-49f9-8c6c-fb9eac072c8b"
} ,
{
"type" : "sha256" ,
"object_relation" : "sha256" ,
"value" : "af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc" ,
"category" : "Payload delivery" ,
"uuid" : "33ffc6c1-6f6c-48ae-b896-329f05ad4e04"
} ,
{
"type" : "sha512" ,
"object_relation" : "sha512" ,
"value" : "1b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b" ,
"category" : "Payload delivery" ,
"uuid" : "8583b84e-ed12-4cb1-8b74-4424a17fbe2f"
} ,
{
"type" : "ssdeep" ,
"object_relation" : "ssdeep" ,
"value" : "3::" ,
"category" : "Payload delivery" ,
"uuid" : "caa672a1-4b89-4110-b2de-2a070e98de05"
}
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "pe-section"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--3b93ed78-8588-44e1-9900-13cfd51d57e8" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:05:15.000Z" ,
"modified" : "2023-01-13T09:05:15.000Z" ,
"labels" : [
"misp:name=\"pe-section\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "name" ,
"value" : ".rsrc" ,
"category" : "Other" ,
"uuid" : "225b9a26-fcd0-4ec1-bb00-7dd968a65f4d"
} ,
{
"type" : "size-in-bytes" ,
"object_relation" : "size-in-bytes" ,
"value" : "2048" ,
"category" : "Other" ,
"uuid" : "16d1c894-557a-4a9f-870f-0329d9c8b812"
} ,
{
"type" : "float" ,
"object_relation" : "entropy" ,
"value" : "4.6724534459793" ,
"category" : "Other" ,
"uuid" : "aa3f4d55-21af-40b0-bce3-96f4a4a3d2e0"
} ,
{
"type" : "md5" ,
"object_relation" : "md5" ,
"value" : "e3e643d996d7a5984b5ac6bea5f8ad4b" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "5f0c4135-154a-4043-b185-84f4f4b73312"
} ,
{
"type" : "sha1" ,
"object_relation" : "sha1" ,
"value" : "d6d79694a79924624fcc1f89853e45cc0024d1e4" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "e829e0d5-917c-470f-8d25-bf519aa053a8"
} ,
{
"type" : "sha256" ,
"object_relation" : "sha256" ,
"value" : "10fa569b3cf75ff21ea3b433416d16d9ff53bb127bcb8dfe24b4aea6bea0b684" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "a7080397-14dc-418f-8f61-de80d7827b5b"
} ,
{
"type" : "sha512" ,
"object_relation" : "sha512" ,
"value" : "20085231c5480a9c6617d05b3d028f492a8f48f1b18bf6be5826ffa01774e696c283df4fbbc77a7f978d7f49c7155065419db2e2613a833d5c3b5b98842157ca" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "c3383d8c-346f-441b-a23b-ed97f7e90608"
} ,
{
"type" : "ssdeep" ,
"object_relation" : "ssdeep" ,
"value" : "24:b9pGZeFVJprKNZ1bh3lCPNWredtn3tcuf3hwcK:Bp/FVnrcLbRlOBh3tThi" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "2f2b6635-98d9-488a-997a-9a0d7aebdb25"
}
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "pe-section"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--47345dc1-759f-4d34-997a-79c8a0ff8600" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:05:16.000Z" ,
"modified" : "2023-01-13T09:05:16.000Z" ,
"labels" : [
"misp:name=\"pe-section\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "name" ,
"value" : ".reloc" ,
"category" : "Other" ,
"uuid" : "a1fe38da-7f11-444f-8ff2-66b76715dbba"
} ,
{
"type" : "size-in-bytes" ,
"object_relation" : "size-in-bytes" ,
"value" : "2560" ,
"category" : "Other" ,
"uuid" : "ad77b0b6-cc28-48b1-9f59-bffed8093589"
} ,
{
"type" : "float" ,
"object_relation" : "entropy" ,
"value" : "6.5454664509897" ,
"category" : "Other" ,
"uuid" : "5f4c2d8e-ebb8-46a6-80b3-c2fe6d85ed27"
} ,
{
"type" : "md5" ,
"object_relation" : "md5" ,
"value" : "927d3c8f39932c4903ce0ae8dc4d7abb" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "21de482b-a7cf-4762-a839-d28ac606e45c"
} ,
{
"type" : "sha1" ,
"object_relation" : "sha1" ,
"value" : "512ed9db2fe4151324abf949d70deb3fe4566a66" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "850e849c-073d-4850-9af2-169e36f697dc"
} ,
{
"type" : "sha256" ,
"object_relation" : "sha256" ,
"value" : "a9506a3cbf332502d62d7b7fc0849fde3809545a75d911e9cae9268fa143b32c" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "5f4e9726-098a-4733-8d67-0478a381b09a"
} ,
{
"type" : "sha512" ,
"object_relation" : "sha512" ,
"value" : "2263a71d4f9ee005ed301020ae0e0d974003a39d481f4a82b6899a47847888969a6d66b7c585598307c14c83cc97f744b6f2dc0158426e2628ed02114ac5f338" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "ff7530a2-7124-412c-98c8-c409141da557"
} ,
{
"type" : "ssdeep" ,
"object_relation" : "ssdeep" ,
"value" : "48:+BXwIRwsB3qZRyxbFCh3vvvbvXIdruBHnHofSX3X3X:+1wIRwsWGCzvXk8HofSnH" ,
"category" : "Payload delivery" ,
"to_ids" : true ,
"uuid" : "25566b15-5d61-46a8-a2bd-4767edcfd05b"
}
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "pe-section"
} ,
2023-05-19 09:05:37 +00:00
{
"type" : "note" ,
"spec_version" : "2.1" ,
"id" : "note--54ae3ae3-3b28-48d2-8aa3-b65955287a9d" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-01-13T09:30:53.000Z" ,
"modified" : "2023-01-13T09:30:53.000Z" ,
"abstract" : "Report from - https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd (1673602179)" ,
"content" : "# PSIRT Blogs\r\n\r\n # Analysis of FG-IR-22-398 \u2013 FortiOS - heap-based buffer overflow in SSLVPNd\r\n By Carl Windsor, Guillaume Lovet, Hongkei Chan, and Alex Kong | January 11, 2023 **Affected Platforms:** FortiOS \r\n \r\n **Impacted Users:** Government &large organizations \r\n **Impact:** Data loss and OS and file corruption \r\n **Severity Level:** High\r\n\r\n Fortinet has published CVSS: Critical advisory FG-IR-22-398 / CVE-2022-42475 on Dec 12, 2022. The following writeup details our initial investigation into this malware and additional IoCs identified during our ongoing analysis.\r\n\r\n ## Executive Summary\r\n\r\n \r\n * Multiple additional IoCs have been uncovered related to the incident FG-IR-22-398 / CVE-2022-42475\r\n * The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets.\r\n \r\n ## Incident Analysis\r\n\r\n As mentioned in the advisory, we detected this issue in the wild and were able to collect a sample of the malware along with related network traffic.\r\n\r\n The malware was a variant of a generic Linux implant customized for FortiOS. The following information was gathered during the forensic filesystem and binary analysis of the received appliance.\r\n\r\n **Libips.bak**\r\n\r\n The suspicious binary was located at */data/lib/libips.bak*. This file may be masquerading as a component of Fortinet\u2019s IPS Engine, located at /data/lib/libips.so. The file /data/lib/libips.so was present, but with a zero file size.\r\n\r\n Here is an image of the /data/lib directory:\r\n\r\n **Libgif.so, libips.bak,** and **libiptcp.so** are not part of any FortiOS components or processes.\r\n\r\n **Libips.bak** appears to be a trojanized version of the IPS Engine, typically located at ***/data/lib/libips.so*.** A diff comparing ***libips.bak*** with a clean **libips.so** from the same FortiOS build was performed. Up to about the 0x1900 byte mark, the files differ. After that point, the files are identical. Below is a screenshot of **libips.bak** (top) and the clean **libips.so** (bottom). ***libips.bak*** contains data where **libips.so** does not.\r\n\r\n After the first ~0x1900 bytes, the files are identical.\r\n\r\n **Libips.bak** exports the functions **ips\\_so\\_patch\\_urldb** and **ips\\_so\\_query\\_interface**. These are the same exports in the clean IPS engine binary, libips.so. Both exported functions lead to the same malicious code. If **libps.bak** is named libips.so in the **/data/lib** directory, the malicious code will be executed automatically as components of FortiOS will call these exported functions. The binary does not attempt to return to the clean IPS engine code, so IPS functionality is also compromised. Below is an example export function that immediately calls the malicious code.\r\n\r\n The primary malicious code is shown below.\r\n\r\n The malicious code begins by looping through file descriptors from 3 to 255. If it can duplicate the file descriptors, it will close both the duplicate and original descriptors.\r\n\r\n Next, it will read from **/data/lib/libiptcp.so** and write the data to **/data/lib/libjepg.so. /data/lib/libjepg.so** is renamed as **/data/lib/libips.so. fork()** andis used multiple times initially as an anti-debugging technique.\r\n\r\n It then calls **fork()** once more. The child process reads from **/data/lib/libgif.so** and writes that data to **/data/lib/libjepg.so. /data/lib/libjepg.so** is then renamed as **/data/lib/libips.so.**\r\n\r\n The parent process checks for read access to **/var/.sslvpnconfigbk**. This file is opened, then closed immediately. Finally, **/data/lib/libipudp.so** is executed with the argument **\"/data/lib/libipudp.so\"**.\r\n\r\n The files referenced in this code\u2014**libiptcp.so, libgif.so, .sslvpnconfigbk,** and **libipudp.so\u2014**could not be recovered.\r\n\r\n **Wxd.conf**\r\n\r\n The format of this config file is similar to that of \" F a
"object_refs" : [
"report--042a4478-fe19-4ed0-a309-b96da3542a95"
]
} ,
2023-04-21 14:44:17 +00:00
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2023-05-19 09:05:37 +00:00
"id" : "relationship--233b39a5-24b7-4e0b-9e31-9b69b098c99c" ,
2023-04-21 14:44:17 +00:00
"created" : "2023-01-13T08:58:03.000Z" ,
"modified" : "2023-01-13T08:58:03.000Z" ,
"relationship_type" : "related-to" ,
"source_ref" : "vulnerability--0dc13dec-e5ab-4c09-8811-41e9a45dbb9e" ,
"target_ref" : "vulnerability--48f4d58c-85aa-4048-ac46-852d2ce4a23f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2023-05-19 09:05:37 +00:00
"id" : "relationship--a7fc54a0-013f-4510-928b-9591f311bc39" ,
2023-04-21 14:44:17 +00:00
"created" : "2023-01-13T08:58:03.000Z" ,
"modified" : "2023-01-13T08:58:03.000Z" ,
"relationship_type" : "weakened-by" ,
"source_ref" : "vulnerability--0dc13dec-e5ab-4c09-8811-41e9a45dbb9e" ,
"target_ref" : "x-misp-object--d7cc6b5e-f357-4962-8c46-d19ceb040746"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}
