misp-circl-feed/feeds/circl/stix-2.1/5d78a50e-ba3c-40b3-a5c1-4fb1950d210f.json

818 lines
34 KiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5d78a50e-ba3c-40b3-a5c1-4fb1950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T09:15:00.000Z",
"modified": "2019-09-11T09:15:00.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5d78a50e-ba3c-40b3-a5c1-4fb1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T09:15:00.000Z",
"modified": "2019-09-11T09:15:00.000Z",
"name": "OSINT - ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group",
"published": "2019-09-11T12:17:21Z",
"object_refs": [
"observed-data--5d78a9c4-1108-4eb4-aca8-e76e950d210f",
"url--5d78a9c4-1108-4eb4-aca8-e76e950d210f",
"x-misp-attribute--5d78a9db-1b4c-4f0b-8e96-8aaa950d210f",
"indicator--5d78acb4-ae5c-468f-8570-e7f0950d210f",
"indicator--5d78acb4-8a10-4a25-9981-e7f0950d210f",
"indicator--5d78acb4-91d4-4a43-b367-e7f0950d210f",
"indicator--5d78acb4-fed4-4e1a-9239-e7f0950d210f",
"indicator--5d78acb4-1f6c-43db-9dc0-e7f0950d210f",
"indicator--5d78acde-9514-4e9d-968b-c52e950d210f",
"indicator--5d78acde-80f8-4127-81c8-c52e950d210f",
"indicator--5d78acde-69bc-4b16-935d-c52e950d210f",
"indicator--5d78acde-d94c-48a4-9770-c52e950d210f",
"x-misp-attribute--5d78ba7f-97f0-4ba7-8062-95e4950d210f",
"observed-data--5d78bb45-783c-456e-a632-4105e387cbd9",
"network-traffic--5d78bb45-783c-456e-a632-4105e387cbd9",
"ipv4-addr--5d78bb45-783c-456e-a632-4105e387cbd9",
"observed-data--5d78bb45-5550-4792-81df-43b1e387cbd9",
"network-traffic--5d78bb45-5550-4792-81df-43b1e387cbd9",
"ipv4-addr--5d78bb45-5550-4792-81df-43b1e387cbd9",
"observed-data--5d78bb46-8dbc-41cf-971d-431de387cbd9",
"network-traffic--5d78bb46-8dbc-41cf-971d-431de387cbd9",
"ipv4-addr--5d78bb46-8dbc-41cf-971d-431de387cbd9",
"x-misp-object--5d78aae9-e0fc-4efb-957e-4829950d210f",
"x-misp-object--5d78ab5c-a620-4d62-b72b-8aa5950d210f",
"x-misp-object--5d78ad11-8e74-4fda-92f9-e7f0950d210f",
"x-misp-object--5d78ad26-4fbc-4e8e-a634-ca95950d210f",
"x-misp-object--5d78ad3a-5f28-4ba2-a5c6-8aa5950d210f",
"x-misp-object--5d78ad60-53c4-4617-b7c0-8aa9950d210f",
"x-misp-object--5d78adad-d90c-4b7f-b37c-8aaa950d210f",
"observed-data--5d78aee4-c290-488a-a73c-e7f0950d210f",
"user-account--5d78aee4-c290-488a-a73c-e7f0950d210f",
"x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f",
2024-04-05 12:15:17 +00:00
"relationship--11ea2db5-e9f5-4406-8732-2bfb17341b31",
"relationship--1a71e8f9-1444-4ccb-87ec-e92b27c765bd",
"relationship--60500b73-cbbb-4523-9f37-eb0b7f39f3cf",
"relationship--78cbbd04-c35a-41bd-be20-f5fdd0cea567",
"relationship--60c76dee-f327-49e3-b0e7-6f767333df72",
"relationship--bc2f613a-a8ba-4d76-8347-cf176dea4e83",
"relationship--e0239be2-027f-4747-9420-4b1970e49225"
2023-04-21 14:44:17 +00:00
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Stealth Falcon\"",
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Stealth Falcon - G0038\"",
"misp-galaxy:mitre-intrusion-set=\"Stealth Falcon\"",
"misp-galaxy:mitre-intrusion-set=\"Stealth Falcon - G0038\"",
"misp-galaxy:threat-actor=\"Stealth Falcon\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"BITS Jobs - T1197\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5d78a9c4-1108-4eb4-aca8-e76e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T08:01:08.000Z",
"modified": "2019-09-11T08:01:08.000Z",
"first_observed": "2019-09-11T08:01:08Z",
"last_observed": "2019-09-11T08:01:08Z",
"number_observed": 1,
"object_refs": [
"url--5d78a9c4-1108-4eb4-aca8-e76e950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5d78a9c4-1108-4eb4-aca8-e76e950d210f",
"value": "https://www.welivesecurity.com/2019/09/09/backdoor-stealth-falcon-group/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5d78a9db-1b4c-4f0b-8e96-8aaa950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T08:01:31.000Z",
"modified": "2019-09-11T08:01:31.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Stealth Falcon is a threat group, active since 2012, that targets political activists and journalists in the Middle East. It has been tracked by the Citizen Lab, a non-profit organization focusing on security and human rights, which published an analysis of a particular cyberattack in 2016. In January of 2019, Reuters published an investigative report into Project Raven, an initiative allegedly employing former NSA operatives and aiming at the same types of targets as Stealth Falcon."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d78acb4-ae5c-468f-8570-e7f0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T08:13:40.000Z",
"modified": "2019-09-11T08:13:40.000Z",
"description": "C&C",
"pattern": "[domain-name:value = 'footballtimes.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-09-11T08:13:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d78acb4-8a10-4a25-9981-e7f0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T08:13:40.000Z",
"modified": "2019-09-11T08:13:40.000Z",
"description": "C&C",
"pattern": "[domain-name:value = 'vegetableportfolio.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-09-11T08:13:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d78acb4-91d4-4a43-b367-e7f0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T08:13:40.000Z",
"modified": "2019-09-11T08:13:40.000Z",
"description": "C&C",
"pattern": "[domain-name:value = 'windowsearchcache.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-09-11T08:13:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d78acb4-fed4-4e1a-9239-e7f0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T08:13:40.000Z",
"modified": "2019-09-11T08:13:40.000Z",
"description": "C&C",
"pattern": "[domain-name:value = 'electricalweb.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-09-11T08:13:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d78acb4-1f6c-43db-9dc0-e7f0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T08:13:40.000Z",
"modified": "2019-09-11T08:13:40.000Z",
"description": "C&C",
"pattern": "[domain-name:value = 'upnpdiscover.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-09-11T08:13:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d78acde-9514-4e9d-968b-c52e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T08:14:22.000Z",
"modified": "2019-09-11T08:14:22.000Z",
"description": "malware as detected by ESET",
"pattern": "[file:hashes.SHA1 = '31b54aebdaf5fbc73a66ac41ccb35943cc9b7f72']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-09-11T08:14:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d78acde-80f8-4127-81c8-c52e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T08:14:22.000Z",
"modified": "2019-09-11T08:14:22.000Z",
"description": "malware as detected by ESET",
"pattern": "[file:hashes.SHA1 = '50973a3fc57d70c7911f7a952356188b9939e56b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-09-11T08:14:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d78acde-69bc-4b16-935d-c52e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T08:14:22.000Z",
"modified": "2019-09-11T08:14:22.000Z",
"description": "malware as detected by ESET",
"pattern": "[file:hashes.SHA1 = '244eb62b9ac30934098ca4204447440d6fc4e259']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-09-11T08:14:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d78acde-d94c-48a4-9770-c52e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T08:14:22.000Z",
"modified": "2019-09-11T08:14:22.000Z",
"description": "malware as detected by ESET",
"pattern": "[file:hashes.SHA1 = '5c8f83cc4ff57e7c67925df4d9daabe5d0cc07e2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-09-11T08:14:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5d78ba7f-97f0-4ba7-8062-95e4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T09:12:31.000Z",
"modified": "2019-09-11T09:12:31.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Antivirus detection\""
],
"x_misp_category": "Antivirus detection",
"x_misp_type": "text",
"x_misp_value": "Win32/StealthFalcon"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5d78bb45-783c-456e-a632-4105e387cbd9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T09:15:49.000Z",
"modified": "2019-09-11T09:15:49.000Z",
"first_observed": "2019-09-11T09:15:49Z",
"last_observed": "2019-09-11T09:15:49Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5d78bb45-783c-456e-a632-4105e387cbd9",
"ipv4-addr--5d78bb45-783c-456e-a632-4105e387cbd9"
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5d78bb45-783c-456e-a632-4105e387cbd9",
"src_ref": "ipv4-addr--5d78bb45-783c-456e-a632-4105e387cbd9",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5d78bb45-783c-456e-a632-4105e387cbd9",
"value": "185.227.82.19"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5d78bb45-5550-4792-81df-43b1e387cbd9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T09:15:49.000Z",
"modified": "2019-09-11T09:15:49.000Z",
"first_observed": "2019-09-11T09:15:49Z",
"last_observed": "2019-09-11T09:15:49Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5d78bb45-5550-4792-81df-43b1e387cbd9",
"ipv4-addr--5d78bb45-5550-4792-81df-43b1e387cbd9"
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5d78bb45-5550-4792-81df-43b1e387cbd9",
"src_ref": "ipv4-addr--5d78bb45-5550-4792-81df-43b1e387cbd9",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5d78bb45-5550-4792-81df-43b1e387cbd9",
"value": "46.183.219.85"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5d78bb46-8dbc-41cf-971d-431de387cbd9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T09:15:50.000Z",
"modified": "2019-09-11T09:15:50.000Z",
"first_observed": "2019-09-11T09:15:50Z",
"last_observed": "2019-09-11T09:15:50Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5d78bb46-8dbc-41cf-971d-431de387cbd9",
"ipv4-addr--5d78bb46-8dbc-41cf-971d-431de387cbd9"
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5d78bb46-8dbc-41cf-971d-431de387cbd9",
"src_ref": "ipv4-addr--5d78bb46-8dbc-41cf-971d-431de387cbd9",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5d78bb46-8dbc-41cf-971d-431de387cbd9",
"value": "193.105.134.75"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5d78aae9-e0fc-4efb-957e-4829950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T08:06:01.000Z",
"modified": "2019-09-11T08:06:01.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "Uninstall itself",
"category": "Other",
"uuid": "5d78aae9-9994-4be3-90b5-4f4e950d210f"
},
{
"type": "text",
"object_relation": "value",
"value": "K",
"category": "Other",
"uuid": "5d78aaef-b248-4e75-a0eb-4453950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5d78ab5c-a620-4d62-b72b-8aa5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T08:07:56.000Z",
"modified": "2019-09-11T08:07:56.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "Update configuration data",
"category": "Other",
"uuid": "5d78ab5c-a738-43f5-9441-8aa5950d210f"
},
{
"type": "text",
"object_relation": "value",
"value": "CFG",
"category": "Other",
"uuid": "5d78ab62-3fd8-49d7-9c2e-8aa5950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5d78ad11-8e74-4fda-92f9-e7f0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T08:15:13.000Z",
"modified": "2019-09-11T08:15:13.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "Execute the specified application",
"category": "Other",
"uuid": "5d78ad11-5028-48f2-a2d7-e7f0950d210f"
},
{
"type": "text",
"object_relation": "value",
"value": "RC",
"category": "Other",
"uuid": "5d78ad11-deb8-4372-a92a-e7f0950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5d78ad26-4fbc-4e8e-a634-ca95950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T08:15:34.000Z",
"modified": "2019-09-11T08:15:34.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "Write downloaded data to file",
"category": "Other",
"uuid": "5d78ad26-9728-4f7e-b0d1-ca95950d210f"
},
{
"type": "text",
"object_relation": "value",
"value": "DL",
"category": "Other",
"uuid": "5d78ad26-84c0-4df6-884e-ca95950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5d78ad3a-5f28-4ba2-a5c6-8aa5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T08:15:54.000Z",
"modified": "2019-09-11T08:15:54.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "Prepare a file for exfiltration",
"category": "Other",
"uuid": "5d78ad3a-3c64-4abb-917a-8aa5950d210f"
},
{
"type": "text",
"object_relation": "value",
"value": "CF",
"category": "Other",
"uuid": "5d78ad3a-4e10-403d-8aac-8aa5950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5d78ad60-53c4-4617-b7c0-8aa9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T08:16:32.000Z",
"modified": "2019-09-11T08:16:32.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "Not implemented/no operation",
"category": "Other",
"uuid": "5d78ad60-b23c-4624-9dbe-8aa9950d210f"
},
{
"type": "text",
"object_relation": "value",
"value": "CFWD",
"category": "Other",
"uuid": "5d78ad60-44bc-474a-b925-8aa9950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5d78adad-d90c-4b7f-b37c-8aaa950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T08:17:49.000Z",
"modified": "2019-09-11T08:17:49.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "Exfiltrate and delete files",
"category": "Other",
"uuid": "5d78adad-02d8-4d3d-8e80-8aaa950d210f"
},
{
"type": "text",
"object_relation": "value",
"value": "CFW",
"category": "Other",
"uuid": "5d78adad-0394-46aa-8539-8aaa950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5d78aee4-c290-488a-a73c-e7f0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T08:23:00.000Z",
"modified": "2019-09-11T08:23:00.000Z",
"first_observed": "2019-09-11T08:23:00Z",
"last_observed": "2019-09-11T08:23:00Z",
"number_observed": 1,
"object_refs": [
"user-account--5d78aee4-c290-488a-a73c-e7f0950d210f"
],
"labels": [
"misp:name=\"credential\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"False\""
]
},
{
"type": "user-account",
"spec_version": "2.1",
"id": "user-account--5d78aee4-c290-488a-a73c-e7f0950d210f",
"credential": "258A4A9D139823F55D7B9DA1825D101107FBF88634A870DE9800580DAD556BA3",
"x_misp_format": "clear-text",
"x_misp_origin": "malware-analysis",
"x_misp_password": [
"2519DB0FFEC604D6C9A655CF56B98EDCE10405DE36810BC3DCF125CDE30BA5A2",
"3EDB6EA77CD0987668B360365D5F39FDCF6B366D0DEAC9ECE5ADC6FFD20227F6",
"8DFFDE77A39F3AF46D0CE0B84A189DB25A2A0FEFD71A0CD0054D8E0D60AB08DE"
],
"x_misp_text": "Note: Malware derives a second RC4 key by XORing each byte of the hardcoded key with 0x3D.",
"x_misp_type": "encryption-key"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-09-11T09:12:00.000Z",
"modified": "2019-09-11T09:12:00.000Z",
"labels": [
"misp:name=\"command\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "Win32/StealthFalcon is a DLL file which, after execution, schedules itself as a task running on each user login. It only supports basic commands but displays a systematic approach to data collection, data exfiltration, employing further malicious tools, and updating its configuration.",
"category": "Other",
"uuid": "5d78b6f7-b7a4-49ac-9369-c534950d210f"
},
{
"type": "text",
"object_relation": "trigger",
"value": "Network",
"category": "Other",
"uuid": "5d78b6f7-17a8-4b54-8725-c534950d210f"
},
{
"type": "text",
"object_relation": "location",
"value": "Bundled",
"category": "Other",
"uuid": "5d78b6f7-be18-4e99-add1-c534950d210f"
}
],
"x_misp_comment": "Backdoor commands",
"x_misp_meta_category": "misc",
"x_misp_name": "command"
},
{
"type": "relationship",
"spec_version": "2.1",
2024-04-05 12:15:17 +00:00
"id": "relationship--11ea2db5-e9f5-4406-8732-2bfb17341b31",
2023-04-21 14:44:17 +00:00
"created": "2019-09-11T08:58:18.000Z",
"modified": "2019-09-11T08:58:18.000Z",
"relationship_type": "contains",
"source_ref": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f",
"target_ref": "x-misp-object--5d78aae9-e0fc-4efb-957e-4829950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
2024-04-05 12:15:17 +00:00
"id": "relationship--1a71e8f9-1444-4ccb-87ec-e92b27c765bd",
2023-04-21 14:44:17 +00:00
"created": "2019-09-11T09:05:16.000Z",
"modified": "2019-09-11T09:05:16.000Z",
"relationship_type": "contains",
"source_ref": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f",
"target_ref": "x-misp-object--5d78ab5c-a620-4d62-b72b-8aa5950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
2024-04-05 12:15:17 +00:00
"id": "relationship--60500b73-cbbb-4523-9f37-eb0b7f39f3cf",
2023-04-21 14:44:17 +00:00
"created": "2019-09-11T09:05:28.000Z",
"modified": "2019-09-11T09:05:28.000Z",
"relationship_type": "contains",
"source_ref": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f",
"target_ref": "x-misp-object--5d78ad11-8e74-4fda-92f9-e7f0950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
2024-04-05 12:15:17 +00:00
"id": "relationship--78cbbd04-c35a-41bd-be20-f5fdd0cea567",
2023-04-21 14:44:17 +00:00
"created": "2019-09-11T09:05:39.000Z",
"modified": "2019-09-11T09:05:39.000Z",
"relationship_type": "contains",
"source_ref": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f",
"target_ref": "x-misp-object--5d78ad26-4fbc-4e8e-a634-ca95950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
2024-04-05 12:15:17 +00:00
"id": "relationship--60c76dee-f327-49e3-b0e7-6f767333df72",
2023-04-21 14:44:17 +00:00
"created": "2019-09-11T09:06:37.000Z",
"modified": "2019-09-11T09:06:37.000Z",
"relationship_type": "contains",
"source_ref": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f",
"target_ref": "x-misp-object--5d78ad3a-5f28-4ba2-a5c6-8aa5950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
2024-04-05 12:15:17 +00:00
"id": "relationship--bc2f613a-a8ba-4d76-8347-cf176dea4e83",
2023-04-21 14:44:17 +00:00
"created": "2019-09-11T09:06:49.000Z",
"modified": "2019-09-11T09:06:49.000Z",
"relationship_type": "contains",
"source_ref": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f",
"target_ref": "x-misp-object--5d78ad60-53c4-4617-b7c0-8aa9950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
2024-04-05 12:15:17 +00:00
"id": "relationship--e0239be2-027f-4747-9420-4b1970e49225",
2023-04-21 14:44:17 +00:00
"created": "2019-09-11T09:07:11.000Z",
"modified": "2019-09-11T09:07:11.000Z",
"relationship_type": "contains",
"source_ref": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f",
"target_ref": "x-misp-object--5d78adad-d90c-4b7f-b37c-8aaa950d210f"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}