2023-04-21 14:44:17 +00:00
{
"type" : "bundle" ,
"id" : "bundle--5d78a50e-ba3c-40b3-a5c1-4fb1950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T09:15:00.000Z" ,
"modified" : "2019-09-11T09:15:00.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5d78a50e-ba3c-40b3-a5c1-4fb1950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T09:15:00.000Z" ,
"modified" : "2019-09-11T09:15:00.000Z" ,
"name" : "OSINT - ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group" ,
"published" : "2019-09-11T12:17:21Z" ,
"object_refs" : [
"observed-data--5d78a9c4-1108-4eb4-aca8-e76e950d210f" ,
"url--5d78a9c4-1108-4eb4-aca8-e76e950d210f" ,
"x-misp-attribute--5d78a9db-1b4c-4f0b-8e96-8aaa950d210f" ,
"indicator--5d78acb4-ae5c-468f-8570-e7f0950d210f" ,
"indicator--5d78acb4-8a10-4a25-9981-e7f0950d210f" ,
"indicator--5d78acb4-91d4-4a43-b367-e7f0950d210f" ,
"indicator--5d78acb4-fed4-4e1a-9239-e7f0950d210f" ,
"indicator--5d78acb4-1f6c-43db-9dc0-e7f0950d210f" ,
"indicator--5d78acde-9514-4e9d-968b-c52e950d210f" ,
"indicator--5d78acde-80f8-4127-81c8-c52e950d210f" ,
"indicator--5d78acde-69bc-4b16-935d-c52e950d210f" ,
"indicator--5d78acde-d94c-48a4-9770-c52e950d210f" ,
"x-misp-attribute--5d78ba7f-97f0-4ba7-8062-95e4950d210f" ,
"observed-data--5d78bb45-783c-456e-a632-4105e387cbd9" ,
"network-traffic--5d78bb45-783c-456e-a632-4105e387cbd9" ,
"ipv4-addr--5d78bb45-783c-456e-a632-4105e387cbd9" ,
"observed-data--5d78bb45-5550-4792-81df-43b1e387cbd9" ,
"network-traffic--5d78bb45-5550-4792-81df-43b1e387cbd9" ,
"ipv4-addr--5d78bb45-5550-4792-81df-43b1e387cbd9" ,
"observed-data--5d78bb46-8dbc-41cf-971d-431de387cbd9" ,
"network-traffic--5d78bb46-8dbc-41cf-971d-431de387cbd9" ,
"ipv4-addr--5d78bb46-8dbc-41cf-971d-431de387cbd9" ,
"x-misp-object--5d78aae9-e0fc-4efb-957e-4829950d210f" ,
"x-misp-object--5d78ab5c-a620-4d62-b72b-8aa5950d210f" ,
"x-misp-object--5d78ad11-8e74-4fda-92f9-e7f0950d210f" ,
"x-misp-object--5d78ad26-4fbc-4e8e-a634-ca95950d210f" ,
"x-misp-object--5d78ad3a-5f28-4ba2-a5c6-8aa5950d210f" ,
"x-misp-object--5d78ad60-53c4-4617-b7c0-8aa9950d210f" ,
"x-misp-object--5d78adad-d90c-4b7f-b37c-8aaa950d210f" ,
"observed-data--5d78aee4-c290-488a-a73c-e7f0950d210f" ,
"user-account--5d78aee4-c290-488a-a73c-e7f0950d210f" ,
"x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f" ,
2024-04-05 12:15:17 +00:00
"relationship--11ea2db5-e9f5-4406-8732-2bfb17341b31" ,
"relationship--1a71e8f9-1444-4ccb-87ec-e92b27c765bd" ,
"relationship--60500b73-cbbb-4523-9f37-eb0b7f39f3cf" ,
"relationship--78cbbd04-c35a-41bd-be20-f5fdd0cea567" ,
"relationship--60c76dee-f327-49e3-b0e7-6f767333df72" ,
"relationship--bc2f613a-a8ba-4d76-8347-cf176dea4e83" ,
"relationship--e0239be2-027f-4747-9420-4b1970e49225"
2023-04-21 14:44:17 +00:00
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Stealth Falcon\"" ,
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Stealth Falcon - G0038\"" ,
"misp-galaxy:mitre-intrusion-set=\"Stealth Falcon\"" ,
"misp-galaxy:mitre-intrusion-set=\"Stealth Falcon - G0038\"" ,
"misp-galaxy:threat-actor=\"Stealth Falcon\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"osint:certainty=\"50\"" ,
"misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\"" ,
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"BITS Jobs - T1197\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5d78a9c4-1108-4eb4-aca8-e76e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T08:01:08.000Z" ,
"modified" : "2019-09-11T08:01:08.000Z" ,
"first_observed" : "2019-09-11T08:01:08Z" ,
"last_observed" : "2019-09-11T08:01:08Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5d78a9c4-1108-4eb4-aca8-e76e950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5d78a9c4-1108-4eb4-aca8-e76e950d210f" ,
"value" : "https://www.welivesecurity.com/2019/09/09/backdoor-stealth-falcon-group/"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5d78a9db-1b4c-4f0b-8e96-8aaa950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T08:01:31.000Z" ,
"modified" : "2019-09-11T08:01:31.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "Stealth Falcon is a threat group, active since 2012, that targets political activists and journalists in the Middle East. It has been tracked by the Citizen Lab, a non-profit organization focusing on security and human rights, which published an analysis of a particular cyberattack in 2016. In January of 2019, Reuters published an investigative report into Project Raven, an initiative allegedly employing former NSA operatives and aiming at the same types of targets as Stealth Falcon."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d78acb4-ae5c-468f-8570-e7f0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T08:13:40.000Z" ,
"modified" : "2019-09-11T08:13:40.000Z" ,
"description" : "C&C" ,
"pattern" : "[domain-name:value = 'footballtimes.info']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-09-11T08:13:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d78acb4-8a10-4a25-9981-e7f0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T08:13:40.000Z" ,
"modified" : "2019-09-11T08:13:40.000Z" ,
"description" : "C&C" ,
"pattern" : "[domain-name:value = 'vegetableportfolio.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-09-11T08:13:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d78acb4-91d4-4a43-b367-e7f0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T08:13:40.000Z" ,
"modified" : "2019-09-11T08:13:40.000Z" ,
"description" : "C&C" ,
"pattern" : "[domain-name:value = 'windowsearchcache.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-09-11T08:13:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d78acb4-fed4-4e1a-9239-e7f0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T08:13:40.000Z" ,
"modified" : "2019-09-11T08:13:40.000Z" ,
"description" : "C&C" ,
"pattern" : "[domain-name:value = 'electricalweb.org']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-09-11T08:13:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d78acb4-1f6c-43db-9dc0-e7f0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T08:13:40.000Z" ,
"modified" : "2019-09-11T08:13:40.000Z" ,
"description" : "C&C" ,
"pattern" : "[domain-name:value = 'upnpdiscover.org']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-09-11T08:13:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d78acde-9514-4e9d-968b-c52e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T08:14:22.000Z" ,
"modified" : "2019-09-11T08:14:22.000Z" ,
"description" : "malware as detected by ESET" ,
"pattern" : "[file:hashes.SHA1 = '31b54aebdaf5fbc73a66ac41ccb35943cc9b7f72']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-09-11T08:14:22Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d78acde-80f8-4127-81c8-c52e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T08:14:22.000Z" ,
"modified" : "2019-09-11T08:14:22.000Z" ,
"description" : "malware as detected by ESET" ,
"pattern" : "[file:hashes.SHA1 = '50973a3fc57d70c7911f7a952356188b9939e56b']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-09-11T08:14:22Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d78acde-69bc-4b16-935d-c52e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T08:14:22.000Z" ,
"modified" : "2019-09-11T08:14:22.000Z" ,
"description" : "malware as detected by ESET" ,
"pattern" : "[file:hashes.SHA1 = '244eb62b9ac30934098ca4204447440d6fc4e259']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-09-11T08:14:22Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5d78acde-d94c-48a4-9770-c52e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T08:14:22.000Z" ,
"modified" : "2019-09-11T08:14:22.000Z" ,
"description" : "malware as detected by ESET" ,
"pattern" : "[file:hashes.SHA1 = '5c8f83cc4ff57e7c67925df4d9daabe5d0cc07e2']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-09-11T08:14:22Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5d78ba7f-97f0-4ba7-8062-95e4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T09:12:31.000Z" ,
"modified" : "2019-09-11T09:12:31.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"Antivirus detection\""
] ,
"x_misp_category" : "Antivirus detection" ,
"x_misp_type" : "text" ,
"x_misp_value" : "Win32/StealthFalcon"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5d78bb45-783c-456e-a632-4105e387cbd9" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T09:15:49.000Z" ,
"modified" : "2019-09-11T09:15:49.000Z" ,
"first_observed" : "2019-09-11T09:15:49Z" ,
"last_observed" : "2019-09-11T09:15:49Z" ,
"number_observed" : 1 ,
"object_refs" : [
"network-traffic--5d78bb45-783c-456e-a632-4105e387cbd9" ,
"ipv4-addr--5d78bb45-783c-456e-a632-4105e387cbd9"
] ,
"labels" : [
"misp:type=\"ip-src\"" ,
"misp:category=\"Network activity\""
]
} ,
{
"type" : "network-traffic" ,
"spec_version" : "2.1" ,
"id" : "network-traffic--5d78bb45-783c-456e-a632-4105e387cbd9" ,
"src_ref" : "ipv4-addr--5d78bb45-783c-456e-a632-4105e387cbd9" ,
"protocols" : [
"tcp"
]
} ,
{
"type" : "ipv4-addr" ,
"spec_version" : "2.1" ,
"id" : "ipv4-addr--5d78bb45-783c-456e-a632-4105e387cbd9" ,
"value" : "185.227.82.19"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5d78bb45-5550-4792-81df-43b1e387cbd9" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T09:15:49.000Z" ,
"modified" : "2019-09-11T09:15:49.000Z" ,
"first_observed" : "2019-09-11T09:15:49Z" ,
"last_observed" : "2019-09-11T09:15:49Z" ,
"number_observed" : 1 ,
"object_refs" : [
"network-traffic--5d78bb45-5550-4792-81df-43b1e387cbd9" ,
"ipv4-addr--5d78bb45-5550-4792-81df-43b1e387cbd9"
] ,
"labels" : [
"misp:type=\"ip-src\"" ,
"misp:category=\"Network activity\""
]
} ,
{
"type" : "network-traffic" ,
"spec_version" : "2.1" ,
"id" : "network-traffic--5d78bb45-5550-4792-81df-43b1e387cbd9" ,
"src_ref" : "ipv4-addr--5d78bb45-5550-4792-81df-43b1e387cbd9" ,
"protocols" : [
"tcp"
]
} ,
{
"type" : "ipv4-addr" ,
"spec_version" : "2.1" ,
"id" : "ipv4-addr--5d78bb45-5550-4792-81df-43b1e387cbd9" ,
"value" : "46.183.219.85"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5d78bb46-8dbc-41cf-971d-431de387cbd9" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T09:15:50.000Z" ,
"modified" : "2019-09-11T09:15:50.000Z" ,
"first_observed" : "2019-09-11T09:15:50Z" ,
"last_observed" : "2019-09-11T09:15:50Z" ,
"number_observed" : 1 ,
"object_refs" : [
"network-traffic--5d78bb46-8dbc-41cf-971d-431de387cbd9" ,
"ipv4-addr--5d78bb46-8dbc-41cf-971d-431de387cbd9"
] ,
"labels" : [
"misp:type=\"ip-src\"" ,
"misp:category=\"Network activity\""
]
} ,
{
"type" : "network-traffic" ,
"spec_version" : "2.1" ,
"id" : "network-traffic--5d78bb46-8dbc-41cf-971d-431de387cbd9" ,
"src_ref" : "ipv4-addr--5d78bb46-8dbc-41cf-971d-431de387cbd9" ,
"protocols" : [
"tcp"
]
} ,
{
"type" : "ipv4-addr" ,
"spec_version" : "2.1" ,
"id" : "ipv4-addr--5d78bb46-8dbc-41cf-971d-431de387cbd9" ,
"value" : "193.105.134.75"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5d78aae9-e0fc-4efb-957e-4829950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T08:06:01.000Z" ,
"modified" : "2019-09-11T08:06:01.000Z" ,
"labels" : [
"misp:name=\"command-line\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "Uninstall itself" ,
"category" : "Other" ,
"uuid" : "5d78aae9-9994-4be3-90b5-4f4e950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "value" ,
"value" : "K" ,
"category" : "Other" ,
"uuid" : "5d78aaef-b248-4e75-a0eb-4453950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "command-line"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5d78ab5c-a620-4d62-b72b-8aa5950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T08:07:56.000Z" ,
"modified" : "2019-09-11T08:07:56.000Z" ,
"labels" : [
"misp:name=\"command-line\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "Update configuration data" ,
"category" : "Other" ,
"uuid" : "5d78ab5c-a738-43f5-9441-8aa5950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "value" ,
"value" : "CFG" ,
"category" : "Other" ,
"uuid" : "5d78ab62-3fd8-49d7-9c2e-8aa5950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "command-line"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5d78ad11-8e74-4fda-92f9-e7f0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T08:15:13.000Z" ,
"modified" : "2019-09-11T08:15:13.000Z" ,
"labels" : [
"misp:name=\"command-line\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "Execute the specified application" ,
"category" : "Other" ,
"uuid" : "5d78ad11-5028-48f2-a2d7-e7f0950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "value" ,
"value" : "RC" ,
"category" : "Other" ,
"uuid" : "5d78ad11-deb8-4372-a92a-e7f0950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "command-line"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5d78ad26-4fbc-4e8e-a634-ca95950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T08:15:34.000Z" ,
"modified" : "2019-09-11T08:15:34.000Z" ,
"labels" : [
"misp:name=\"command-line\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "Write downloaded data to file" ,
"category" : "Other" ,
"uuid" : "5d78ad26-9728-4f7e-b0d1-ca95950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "value" ,
"value" : "DL" ,
"category" : "Other" ,
"uuid" : "5d78ad26-84c0-4df6-884e-ca95950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "command-line"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5d78ad3a-5f28-4ba2-a5c6-8aa5950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T08:15:54.000Z" ,
"modified" : "2019-09-11T08:15:54.000Z" ,
"labels" : [
"misp:name=\"command-line\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "Prepare a file for exfiltration" ,
"category" : "Other" ,
"uuid" : "5d78ad3a-3c64-4abb-917a-8aa5950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "value" ,
"value" : "CF" ,
"category" : "Other" ,
"uuid" : "5d78ad3a-4e10-403d-8aac-8aa5950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "command-line"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5d78ad60-53c4-4617-b7c0-8aa9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T08:16:32.000Z" ,
"modified" : "2019-09-11T08:16:32.000Z" ,
"labels" : [
"misp:name=\"command-line\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "Not implemented/no operation" ,
"category" : "Other" ,
"uuid" : "5d78ad60-b23c-4624-9dbe-8aa9950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "value" ,
"value" : "CFWD" ,
"category" : "Other" ,
"uuid" : "5d78ad60-44bc-474a-b925-8aa9950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "command-line"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5d78adad-d90c-4b7f-b37c-8aaa950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T08:17:49.000Z" ,
"modified" : "2019-09-11T08:17:49.000Z" ,
"labels" : [
"misp:name=\"command-line\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "Exfiltrate and delete files" ,
"category" : "Other" ,
"uuid" : "5d78adad-02d8-4d3d-8e80-8aaa950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "value" ,
"value" : "CFW" ,
"category" : "Other" ,
"uuid" : "5d78adad-0394-46aa-8539-8aaa950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "command-line"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5d78aee4-c290-488a-a73c-e7f0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T08:23:00.000Z" ,
"modified" : "2019-09-11T08:23:00.000Z" ,
"first_observed" : "2019-09-11T08:23:00Z" ,
"last_observed" : "2019-09-11T08:23:00Z" ,
"number_observed" : 1 ,
"object_refs" : [
"user-account--5d78aee4-c290-488a-a73c-e7f0950d210f"
] ,
"labels" : [
"misp:name=\"credential\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"False\""
]
} ,
{
"type" : "user-account" ,
"spec_version" : "2.1" ,
"id" : "user-account--5d78aee4-c290-488a-a73c-e7f0950d210f" ,
"credential" : "258A4A9D139823F55D7B9DA1825D101107FBF88634A870DE9800580DAD556BA3" ,
"x_misp_format" : "clear-text" ,
"x_misp_origin" : "malware-analysis" ,
"x_misp_password" : [
"2519DB0FFEC604D6C9A655CF56B98EDCE10405DE36810BC3DCF125CDE30BA5A2" ,
"3EDB6EA77CD0987668B360365D5F39FDCF6B366D0DEAC9ECE5ADC6FFD20227F6" ,
"8DFFDE77A39F3AF46D0CE0B84A189DB25A2A0FEFD71A0CD0054D8E0D60AB08DE"
] ,
"x_misp_text" : "Note: Malware derives a second RC4 key by XORing each byte of the hardcoded key with 0x3D." ,
"x_misp_type" : "encryption-key"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-09-11T09:12:00.000Z" ,
"modified" : "2019-09-11T09:12:00.000Z" ,
"labels" : [
"misp:name=\"command\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "Win32/StealthFalcon is a DLL file which, after execution, schedules itself as a task running on each user login. It only supports basic commands but displays a systematic approach to data collection, data exfiltration, employing further malicious tools, and updating its configuration." ,
"category" : "Other" ,
"uuid" : "5d78b6f7-b7a4-49ac-9369-c534950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "trigger" ,
"value" : "Network" ,
"category" : "Other" ,
"uuid" : "5d78b6f7-17a8-4b54-8725-c534950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "location" ,
"value" : "Bundled" ,
"category" : "Other" ,
"uuid" : "5d78b6f7-be18-4e99-add1-c534950d210f"
}
] ,
"x_misp_comment" : "Backdoor commands" ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "command"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--11ea2db5-e9f5-4406-8732-2bfb17341b31" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-09-11T08:58:18.000Z" ,
"modified" : "2019-09-11T08:58:18.000Z" ,
"relationship_type" : "contains" ,
"source_ref" : "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f" ,
"target_ref" : "x-misp-object--5d78aae9-e0fc-4efb-957e-4829950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--1a71e8f9-1444-4ccb-87ec-e92b27c765bd" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-09-11T09:05:16.000Z" ,
"modified" : "2019-09-11T09:05:16.000Z" ,
"relationship_type" : "contains" ,
"source_ref" : "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f" ,
"target_ref" : "x-misp-object--5d78ab5c-a620-4d62-b72b-8aa5950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--60500b73-cbbb-4523-9f37-eb0b7f39f3cf" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-09-11T09:05:28.000Z" ,
"modified" : "2019-09-11T09:05:28.000Z" ,
"relationship_type" : "contains" ,
"source_ref" : "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f" ,
"target_ref" : "x-misp-object--5d78ad11-8e74-4fda-92f9-e7f0950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--78cbbd04-c35a-41bd-be20-f5fdd0cea567" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-09-11T09:05:39.000Z" ,
"modified" : "2019-09-11T09:05:39.000Z" ,
"relationship_type" : "contains" ,
"source_ref" : "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f" ,
"target_ref" : "x-misp-object--5d78ad26-4fbc-4e8e-a634-ca95950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--60c76dee-f327-49e3-b0e7-6f767333df72" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-09-11T09:06:37.000Z" ,
"modified" : "2019-09-11T09:06:37.000Z" ,
"relationship_type" : "contains" ,
"source_ref" : "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f" ,
"target_ref" : "x-misp-object--5d78ad3a-5f28-4ba2-a5c6-8aa5950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--bc2f613a-a8ba-4d76-8347-cf176dea4e83" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-09-11T09:06:49.000Z" ,
"modified" : "2019-09-11T09:06:49.000Z" ,
"relationship_type" : "contains" ,
"source_ref" : "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f" ,
"target_ref" : "x-misp-object--5d78ad60-53c4-4617-b7c0-8aa9950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--e0239be2-027f-4747-9420-4b1970e49225" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-09-11T09:07:11.000Z" ,
"modified" : "2019-09-11T09:07:11.000Z" ,
"relationship_type" : "contains" ,
"source_ref" : "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f" ,
"target_ref" : "x-misp-object--5d78adad-d90c-4b7f-b37c-8aaa950d210f"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}