{
"type" : "bundle" ,
"id" : "bundle--5cc023e7-9c7c-418e-b908-4d46950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T11:21:10.000Z" ,
"modified" : "2019-04-24T11:21:10.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5cc023e7-9c7c-418e-b908-4d46950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T11:21:10.000Z" ,
"modified" : "2019-04-24T11:21:10.000Z" ,
"name" : "OSINT - DNSpionage brings out the Karkoff" ,
"published" : "2019-04-24T11:21:35Z" ,
"object_refs" : [
"observed-data--5cc023f7-8650-4b3b-b631-4d52950d210f" ,
"url--5cc023f7-8650-4b3b-b631-4d52950d210f" ,
"x-misp-attribute--5cc0240c-fb80-4eb2-99bb-4040950d210f" ,
"indicator--5cc0242b-2ba8-419f-8d14-42e7950d210f" ,
"indicator--5cc0242b-e1cc-4aec-a163-471f950d210f" ,
"indicator--5cc0242b-1ac0-448a-a3c9-45ff950d210f" ,
"indicator--5cc0242b-d758-44d4-9614-4759950d210f" ,
"indicator--5cc02456-7350-4263-bbc9-4205950d210f" ,
"indicator--5cc02456-7a84-49a2-b073-4ea8950d210f" ,
"indicator--5cc02456-b618-4f07-9281-4404950d210f" ,
"observed-data--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9" ,
"network-traffic--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9" ,
"ipv4-addr--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9" ,
"observed-data--5cc024b9-0c94-42a4-820b-1bc4e387cbd9" ,
"network-traffic--5cc024b9-0c94-42a4-820b-1bc4e387cbd9" ,
"ipv4-addr--5cc024b9-0c94-42a4-820b-1bc4e387cbd9" ,
"indicator--5cc02a7b-08f8-493b-b253-247f950d210f" ,
"indicator--5cc02ab1-70b0-446f-8b28-2497950d210f" ,
"indicator--3148bbb8-f76e-4556-b973-3dea9cf89820" ,
"x-misp-object--5f8b1fcb-d5e4-4e95-adc0-253f765c8f61" ,
"indicator--6393b267-5ff7-4204-85cf-709530bc110d" ,
"x-misp-object--5baaf36e-74f0-4e6b-b18a-377bc301867e" ,
"indicator--52ca9602-5ef6-4de3-b528-058d33844ea3" ,
"x-misp-object--993871f0-b786-4813-9811-7f60eb385014" ,
"indicator--9daaf5c9-c7e0-444d-b551-ff231e16521a" ,
"x-misp-object--fd6fe17b-18a9-4729-9276-796667da59b6" ,
"indicator--1fc50c0d-6a22-4c8f-9823-229fb2334f2e" ,
"x-misp-object--71ee7c63-f4fa-463e-8a7d-054b9920e0a3" ,
"relationship--d906ebf0-7a11-40be-a70d-8800358f7260" ,
"relationship--005c6a43-b495-45bc-911b-800af0dfca35" ,
"relationship--bed49b9f-46de-45d5-9398-eb63e0a3c913" ,
"relationship--65763ce1-10ea-46e7-9956-59e0190776b8" ,
"relationship--d4db46e1-a7af-42b6-8511-de9af6c30ef0"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:malpedia=\"DNSpionage\"" ,
"misp-galaxy:threat-actor=\"DNSpionage\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"osint:certainty=\"50\"" ,
"misp-galaxy:tool=\"Karkoff\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5cc023f7-8650-4b3b-b631-4d52950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T08:53:11.000Z" ,
"modified" : "2019-04-24T08:53:11.000Z" ,
"first_observed" : "2019-04-24T08:53:11Z" ,
"last_observed" : "2019-04-24T08:53:11Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5cc023f7-8650-4b3b-b631-4d52950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5cc023f7-8650-4b3b-b631-4d52950d210f" ,
"value" : "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5cc0240c-fb80-4eb2-99bb-4040950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T08:53:32.000Z" ,
"modified" : "2019-04-24T08:53:32.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "In November 2018, Cisco Talos discovered an attack campaign, called DNSpionage, in which threat actors created a new remote administrative tool that supports HTTP and DNS communication with the attackers' command and control (C2). Since then, there have been several other public reports of additional DNSpionage attacks, and in January, the U.S. Department of Homeland Security issued an alert warning users about this threat activity.\r\n\r\nIn addition to increased reports of threat activity, we have also discovered new evidence that the threat actors behind the DNSpionage campaign continue to change their tactics, likely in an attempt to improve the efficacy of their operations. In February, we discovered some changes to the actors' tactics, techniques and procedures (TTPs), including the use of a new reconnaissance phase that selectively chooses which targets to infect with malware. In April 2019, we also discovered the actors using a new malware, which we are calling \"Karkoff.\"\r\n\r\nThis post will cover the aforementioned DNSpionage updates, the discovery of the Karkoff malware and an analysis of the recent Oilrig malware toolset leak \u2014 and how it could be connected to these two attacks."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc0242b-2ba8-419f-8d14-42e7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T08:54:03.000Z" ,
"modified" : "2019-04-24T08:54:03.000Z" ,
"description" : "Karkoff sample" ,
"pattern" : "[file:hashes.SHA256 = '5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-24T08:54:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc0242b-e1cc-4aec-a163-471f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T08:54:03.000Z" ,
"modified" : "2019-04-24T08:54:03.000Z" ,
"description" : "Karkoff sample" ,
"pattern" : "[file:hashes.SHA256 = '6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-24T08:54:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc0242b-1ac0-448a-a3c9-45ff950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T08:54:03.000Z" ,
"modified" : "2019-04-24T08:54:03.000Z" ,
"description" : "Karkoff sample" ,
"pattern" : "[file:hashes.SHA256 = 'b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-24T08:54:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc0242b-d758-44d4-9614-4759950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T08:54:03.000Z" ,
"modified" : "2019-04-24T08:54:03.000Z" ,
"description" : "Karkoff sample" ,
"pattern" : "[file:hashes.SHA256 = 'cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-24T08:54:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc02456-7350-4263-bbc9-4205950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T08:54:46.000Z" ,
"modified" : "2019-04-24T08:54:46.000Z" ,
"description" : "C2 server" ,
"pattern" : "[domain-name:value = 'coldfart.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-24T08:54:46Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc02456-7a84-49a2-b073-4ea8950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T08:54:46.000Z" ,
"modified" : "2019-04-24T08:54:46.000Z" ,
"description" : "C2 server" ,
"pattern" : "[domain-name:value = 'rimrun.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-24T08:54:46Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc02456-b618-4f07-9281-4404950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T08:54:46.000Z" ,
"modified" : "2019-04-24T08:54:46.000Z" ,
"description" : "C2 server" ,
"pattern" : "[domain-name:value = 'kuternull.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-24T08:54:46Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T08:56:10.000Z" ,
"modified" : "2019-04-24T08:56:10.000Z" ,
"first_observed" : "2019-04-24T08:56:10Z" ,
"last_observed" : "2019-04-24T08:56:10Z" ,
"number_observed" : 1 ,
"object_refs" : [
"network-traffic--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9" ,
"ipv4-addr--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9"
] ,
"labels" : [
"misp:type=\"ip-src\"" ,
"misp:category=\"Network activity\""
]
} ,
{
"type" : "network-traffic" ,
"spec_version" : "2.1" ,
"id" : "network-traffic--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9" ,
"src_ref" : "ipv4-addr--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9" ,
"protocols" : [
"tcp"
]
} ,
{
"type" : "ipv4-addr" ,
"spec_version" : "2.1" ,
"id" : "ipv4-addr--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9" ,
"value" : "108.62.141.247"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5cc024b9-0c94-42a4-820b-1bc4e387cbd9" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T08:56:25.000Z" ,
"modified" : "2019-04-24T08:56:25.000Z" ,
"first_observed" : "2019-04-24T08:56:25Z" ,
"last_observed" : "2019-04-24T08:56:25Z" ,
"number_observed" : 1 ,
"object_refs" : [
"network-traffic--5cc024b9-0c94-42a4-820b-1bc4e387cbd9" ,
"ipv4-addr--5cc024b9-0c94-42a4-820b-1bc4e387cbd9"
] ,
"labels" : [
"misp:type=\"ip-src\"" ,
"misp:category=\"Network activity\""
]
} ,
{
"type" : "network-traffic" ,
"spec_version" : "2.1" ,
"id" : "network-traffic--5cc024b9-0c94-42a4-820b-1bc4e387cbd9" ,
"src_ref" : "ipv4-addr--5cc024b9-0c94-42a4-820b-1bc4e387cbd9" ,
"protocols" : [
"tcp"
]
} ,
{
"type" : "ipv4-addr" ,
"spec_version" : "2.1" ,
"id" : "ipv4-addr--5cc024b9-0c94-42a4-820b-1bc4e387cbd9" ,
"value" : "74.118.138.192"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc02a7b-08f8-493b-b253-247f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T09:20:59.000Z" ,
"modified" : "2019-04-24T09:20:59.000Z" ,
"description" : "DNSpionage XLS document" ,
"pattern" : "[file:hashes.SHA256 = '2fa19292f353b4078a9bf398f8837d991e383c99e147727eaa6a03ce0259b3c5']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-24T09:20:59Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc02ab1-70b0-446f-8b28-2497950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T09:21:53.000Z" ,
"modified" : "2019-04-24T09:21:53.000Z" ,
"description" : "DNSpionage" ,
"pattern" : "[file:hashes.SHA256 = 'e398dac59f604d42362ffe8a2947d4351a652516ebfb25ddf0838dd2c8523be8']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-24T09:21:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--3148bbb8-f76e-4556-b973-3dea9cf89820" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T09:22:50.000Z" ,
"modified" : "2019-04-24T09:22:50.000Z" ,
"pattern" : "[file:hashes.MD5 = 'a583430c9c504fb216c9f976401ecd13' AND file:hashes.SHA1 = 'cd3b6c517227ad356264ff076cf0ea106b67fc13' AND file:hashes.SHA256 = 'cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-24T09:22:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5f8b1fcb-d5e4-4e95-adc0-253f765c8f61" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T09:22:51.000Z" ,
"modified" : "2019-04-24T09:22:51.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-04-24T08:58:49" ,
"category" : "Other" ,
"comment" : "Karkoff sample" ,
"uuid" : "cb98656d-453e-40aa-b337-e83a5c473a20"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5/analysis/1556096329/" ,
"category" : "Payload delivery" ,
"comment" : "Karkoff sample" ,
"uuid" : "28a8b196-6a06-44d6-962b-6efc4d4f3945"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "38/71" ,
"category" : "Payload delivery" ,
"comment" : "Karkoff sample" ,
"uuid" : "b29d31d3-c624-4c4c-99cd-626101e0d47b"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--6393b267-5ff7-4204-85cf-709530bc110d" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T09:22:51.000Z" ,
"modified" : "2019-04-24T09:22:51.000Z" ,
"pattern" : "[file:hashes.MD5 = '530606b66bcd5a776f2cdecb34ee0fd1' AND file:hashes.SHA1 = '72ada4db1c70214e19eece2021669d95b94c0d4f' AND file:hashes.SHA256 = 'e398dac59f604d42362ffe8a2947d4351a652516ebfb25ddf0838dd2c8523be8']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-24T09:22:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5baaf36e-74f0-4e6b-b18a-377bc301867e" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T09:22:51.000Z" ,
"modified" : "2019-04-24T09:22:51.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-04-24T09:05:37" ,
"category" : "Other" ,
"comment" : "DNSpionage" ,
"uuid" : "6e2a7b92-867b-4c11-8b30-b925221ce51a"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/e398dac59f604d42362ffe8a2947d4351a652516ebfb25ddf0838dd2c8523be8/analysis/1556096737/" ,
"category" : "Payload delivery" ,
"comment" : "DNSpionage" ,
"uuid" : "9eda0fba-ebc8-494e-81a2-3c45135c591e"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "48/69" ,
"category" : "Payload delivery" ,
"comment" : "DNSpionage" ,
"uuid" : "ee3f4732-30c5-49fc-9b1d-a6a732cb4f42"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--52ca9602-5ef6-4de3-b528-058d33844ea3" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T09:22:51.000Z" ,
"modified" : "2019-04-24T09:22:51.000Z" ,
"pattern" : "[file:hashes.MD5 = 'a37703a0d08996a5fc04db52b71b9bcd' AND file:hashes.SHA1 = '7c7e1179eb3cd9effa92f303dd5e45ba881db15d' AND file:hashes.SHA256 = '6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-24T09:22:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--993871f0-b786-4813-9811-7f60eb385014" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T09:22:51.000Z" ,
"modified" : "2019-04-24T09:22:51.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-04-24T07:39:13" ,
"category" : "Other" ,
"comment" : "Karkoff sample" ,
"uuid" : "a0e51f81-2cc5-438d-96d0-de19d5e93442"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11/analysis/1556091553/" ,
"category" : "Payload delivery" ,
"comment" : "Karkoff sample" ,
"uuid" : "ccb7b733-4e20-4840-9ee4-be4b8451f1e1"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "39/66" ,
"category" : "Payload delivery" ,
"comment" : "Karkoff sample" ,
"uuid" : "c6600e9e-5bf0-402c-8666-df0823154fe9"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--9daaf5c9-c7e0-444d-b551-ff231e16521a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T09:22:51.000Z" ,
"modified" : "2019-04-24T09:22:51.000Z" ,
"pattern" : "[file:hashes.MD5 = '5733afe71bd0a32328d6ed9978260fa4' AND file:hashes.SHA1 = '5dbaaf4b338471ad58065fcdf335673977b2b261' AND file:hashes.SHA256 = '5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-24T09:22:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--fd6fe17b-18a9-4729-9276-796667da59b6" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T09:22:51.000Z" ,
"modified" : "2019-04-24T09:22:51.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-04-24T07:39:16" ,
"category" : "Other" ,
"comment" : "Karkoff sample" ,
"uuid" : "287255d9-5d0f-49f7-afd9-256da7290db1"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c/analysis/1556091556/" ,
"category" : "Payload delivery" ,
"comment" : "Karkoff sample" ,
"uuid" : "d2ae94de-8869-48a0-bff0-acf3465c6a74"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "42/71" ,
"category" : "Payload delivery" ,
"comment" : "Karkoff sample" ,
"uuid" : "7c4854e3-0c44-4143-b133-8273c30bf122"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--1fc50c0d-6a22-4c8f-9823-229fb2334f2e" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T09:22:51.000Z" ,
"modified" : "2019-04-24T09:22:51.000Z" ,
"pattern" : "[file:hashes.MD5 = '85a3a5f55fcbe63d2181cfa753f35fe1' AND file:hashes.SHA1 = 'd9844a1845446367822944464ba65965b1b70c4f' AND file:hashes.SHA256 = 'b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-24T09:22:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--71ee7c63-f4fa-463e-8a7d-054b9920e0a3" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-24T09:22:51.000Z" ,
"modified" : "2019-04-24T09:22:51.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-04-24T07:39:18" ,
"category" : "Other" ,
"comment" : "Karkoff sample" ,
"uuid" : "4ab8fa22-de5b-4d45-b328-a28f6ca4bc4f"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04/analysis/1556091558/" ,
"category" : "Payload delivery" ,
"comment" : "Karkoff sample" ,
"uuid" : "2490a445-4913-49ad-9366-9cecf26b7505"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "41/65" ,
"category" : "Payload delivery" ,
"comment" : "Karkoff sample" ,
"uuid" : "3d31e031-8726-4941-a004-143375bd7aa0"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--d906ebf0-7a11-40be-a70d-8800358f7260" ,
"created" : "2019-04-24T09:22:51.000Z" ,
"modified" : "2019-04-24T09:22:51.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--3148bbb8-f76e-4556-b973-3dea9cf89820" ,
"target_ref" : "x-misp-object--5f8b1fcb-d5e4-4e95-adc0-253f765c8f61"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--005c6a43-b495-45bc-911b-800af0dfca35" ,
"created" : "2019-04-24T09:22:52.000Z" ,
"modified" : "2019-04-24T09:22:52.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--6393b267-5ff7-4204-85cf-709530bc110d" ,
"target_ref" : "x-misp-object--5baaf36e-74f0-4e6b-b18a-377bc301867e"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--bed49b9f-46de-45d5-9398-eb63e0a3c913" ,
"created" : "2019-04-24T09:22:52.000Z" ,
"modified" : "2019-04-24T09:22:52.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--52ca9602-5ef6-4de3-b528-058d33844ea3" ,
"target_ref" : "x-misp-object--993871f0-b786-4813-9811-7f60eb385014"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--65763ce1-10ea-46e7-9956-59e0190776b8" ,
"created" : "2019-04-24T09:22:52.000Z" ,
"modified" : "2019-04-24T09:22:52.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--9daaf5c9-c7e0-444d-b551-ff231e16521a" ,
"target_ref" : "x-misp-object--fd6fe17b-18a9-4729-9276-796667da59b6"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--d4db46e1-a7af-42b6-8511-de9af6c30ef0" ,
"created" : "2019-04-24T09:22:52.000Z" ,
"modified" : "2019-04-24T09:22:52.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--1fc50c0d-6a22-4c8f-9823-229fb2334f2e" ,
"target_ref" : "x-misp-object--71ee7c63-f4fa-463e-8a7d-054b9920e0a3"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}