{
"type": "bundle",
"id": "bundle--5cc3fa33-2fac-4dbd-9e06-60de02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T07:43:18.000Z",
"modified": "2019-04-27T07:43:18.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5cc3fa33-2fac-4dbd-9e06-60de02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T07:43:18.000Z",
"modified": "2019-04-27T07:43:18.000Z",
"name": "OSINT - BabyShark Malware Part Two \u2013 Attacks Continue Using KimJongRAT and PCRat",
"published": "2019-04-27T09:02:41Z",
"object_refs": [
"x-misp-attribute--5cc3fa44-db00-4a96-9e27-607502de0b81",
"observed-data--5cc3fa72-76e4-4a59-9290-bdbe02de0b81",
"file--5cc3fa72-76e4-4a59-9290-bdbe02de0b81",
"artifact--5cc3fa72-76e4-4a59-9290-bdbe02de0b81",
"indicator--5cc3fafa-8580-46cb-916a-44db02de0b81",
"indicator--5cc3fafb-5408-433e-8b31-408b02de0b81",
"indicator--5cc3fafb-c8c0-42e6-bc0b-44a502de0b81",
"indicator--5cc3fafb-7a28-4088-8973-4cc602de0b81",
"indicator--5cc3fafb-5174-4cf6-b028-4e1202de0b81",
"indicator--5cc3fafb-7744-4075-838a-49c702de0b81",
"x-misp-object--5cc4069c-ed84-47b2-8f41-43b0950d210f",
"indicator--c5a73ecb-7963-487b-9c12-4b0e86a495ae",
"x-misp-object--ec43ff24-211c-430f-84ab-5f57fa153d60",
"indicator--e04af19f-c666-456b-95c9-b1b19d401d5d",
"x-misp-object--af318753-2c6d-41cc-a37b-f9db1cec6b7a",
"indicator--1ca9e3cc-11cf-4417-ae89-12d0db9e9240",
"x-misp-object--210c73d6-356a-4be2-ba0a-cbf5b9ed607e",
"indicator--41e3fdee-552a-4961-8183-635188ef931d",
"x-misp-object--5620ac27-0a6e-466a-90ff-6e97ab1e498d",
"relationship--a2978e53-4dce-47ff-9a2f-096807695563",
"relationship--494a1d44-509c-456c-89de-4622b6e0e30c",
"relationship--3d370b36-1cde-4ae8-a3e9-91580dd6debf",
"relationship--0635de0b-8d55-4548-9a5e-d91a675c4cc5"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"BabyShark\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5cc3fa44-db00-4a96-9e27-607502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T06:44:20.000Z",
"modified": "2019-04-27T06:44:20.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "In February 2019, Unit 42 published a blog about the BabyShark malware family and the associated spear phishing campaigns targeting U.S. national think tanks. Since that publication, malicious attacks leveraging BabyShark have continued through March and April 2019. The attackers expanded targeting to the cryptocurrency industry, showing that those behind these attacks also have interests in financial gain.\r\n\r\nWhile tracking the latest activities of the threat group, Unit 42 researchers were able to collect both the BabyShark malware\u2019s server-side and client-side files, as well as two encoded secondary PE payload files that the malware installs on the victim hosts upon receiving an operator\u2019s command. By analyzing the files, we were able to further understand the overall multi-staging structure of the BabyShark malware and features, such as how it attempts to maintain operational security and supported remote administration commands. Based on our research, it appears the malware author calls the encoded secondary payload \u201cCowboy\u201d regardless of what malware family is delivered.\r\n\r\nOur research shows the most recent malicious activities involving BabyShark malware appear to be carried out for two purposes:\r\n\r\n Espionage on nuclear security and the Korean peninsula\u2019s national security issues\r\n Financial gain with focus on the cryptocurrency industry based on the decoy contents used in the samples, shown in Figure 1. Xcryptocrash is an online cryptocurrency gambling game."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cc3fa72-76e4-4a59-9290-bdbe02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T06:45:06.000Z",
"modified": "2019-04-27T06:45:06.000Z",
"first_observed": "2019-04-27T06:45:06Z",
"last_observed": "2019-04-27T06:45:06Z",
"number_observed": 1,
"object_refs": [
"file--5cc3fa72-76e4-4a59-9290-bdbe02de0b81",
"artifact--5cc3fa72-76e4-4a59-9290-bdbe02de0b81"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5cc3fa72-76e4-4a59-9290-bdbe02de0b81",
"name": "Fig-2.-BabyShark-flowchart.png",
"content_ref": "artifact--5cc3fa72-76e4-4a59-9290-bdbe02de0b81"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5cc3fa72-76e4-4a59-9290-bdbe02de0b81",
"payload_bin": "iVBORw0KGgoAAAANSUhEUgAAA00AAAHHCAYAAABjt7O7AAAKrWlDQ1BJQ0MgUHJvZmlsZQAASImVlgdUU2kWx7/30hstIdIJNXTpVXoNIEQ6iEpIKKGEEAggdmRwBMeCiggoIzoIouCoFFERsWAbBBTBOiCDgroOFrCgsg9Yws7u2d2z/5yb73duvvd/931595wLAHmAIxSmwDIApAoyRUHeboyIyCgGbhiggSwgACNA4XAzhK5stj9ANL/+VZP3ATSz3jWe8fr33/+rZHlxGVwAIDbCsbwMbirCZ5Bo4wpFmQCgkABa2ZnCGS5FmCZCCkT4+AwnzHH7DMfO8b3ZPSFB7giPAoAncziiBABIH5A8I4ubgPiQaQibCnh8AcIeCDtxEzk8hPMRNkpNTZvhkwjrxf6TT8JfPGMlnhxOgoTnnmVWeA9+hjCFs/r/PI7/rdQU8fw9NJEgJ4p8gpCVjpxZTXKan4QFsQGB88znze6f5USxT+g8czPco+aZx/Hwm2dxcqjrPHNEC9fyM1kh8yxKC5L4C1IC/CX+cSwJx2V4Bs9zPN+LNc+5iSHh85zFDwuY54zkYL+FPe6SvEgcJKk5XuQlecbUjIXauJyFe2Umhvgs1BAhqYcX5+EpyQtCJfuFmW4ST2EKe6H+FG9JPiMrWHJtJvKCzXMSx5e94MOWnA/wAJ7AH/kwABuYA0tgBuwAUlVmXM7MOw3c04SrRfyExEyGK9I1cQyWgGtixDA3NbMDYKYH5/7i9wOzvQXR8Qs53ggAFjN9oreQS0I6+Nwk0k6NCznmEAAyBwBoZ3PFoqy5HHrmCwOIQBrQgCJQA1pADxgj9VkDB+CCVOwLAkEIiAQrARckglQgAtlgLdgECkAR2An2gjJQCQ6DGnACnALN4Dy4BK6BW6Ab9IFHYBCMgFdgHEyCKQiCcBAFokKKkDqkAxlC5pAt5AR5Qv5QEBQJxUAJkAASQ2uhzVARVAyVQYegWuhX6Cx0CboB9UAPoCFoDHoHfYFRMBmmwaqwLrwYtoVdYT84BF4BJ8DpcC6cD2+HS+Eq+DjcBF+Cb8F98CD8Cp5AARQJRUdpoIxRtih3VCAqChWPEqHWowpRJagqVD2qFdWJuosaRL1GfUZj0VQ0A22MdkD7oEPRXHQ6ej16G7oMXYNuQl9B30UPocfR3zEUjArGEGOPYWEiMAmYbEwBpgRTjWnEXMX0YUYwk1gslo5lYm2wPthIbBJ2DXYb9gC2AduO7cEOYydwOJwizhDniAvEcXCZuALcftxx3EVcL24E9wlPwqvjzfFe+Ci8AJ+HL8Efw7fhe/Ev8FMEGYIOwZ4QSOARVhN2EI4QWgl3CCOEKaIskUl0JIYQk4ibiKXEeuJV4mPiexKJpEmyIy0j8UkbSaWkk6TrpCHSZ7Ic2YDsTo4mi8nbyUfJ7eQH5PcUCkWX4kKJomRStlNqKZcpTymfpKhSJlIsKZ7UBqlyqSapXqk30gRpHWlX6ZXSudIl0qel70i/liHI6Mq4y3Bk1suUy5yV6ZeZkKXKmskGyqbKbpM9JntDdlQOJ6cr5ynHk8uXOyx3WW6YiqJqUd2pXOpm6hHqVeoIDUtj0li0JFoR7QStizYuLydvKR8mnyNfLn9BfpCOouvSWfQU+g76Kfp9+pdFqotcF8Ut2rqoflHvoo8KygouCnEKhQoNCn0KXxQZip6KyYq7FJsVnyihlQyUlillKx1Uuqr0Wpmm7KDMVS5UPqX8UAVWMVAJUlmjcljltsqEqpqqt6pQdb/qZdXXanQ1F7UktT1qbWpj6lR1J3W++h71i+ovGfIMV0YKo5RxhTGuoaLhoyHWOKTRpTGlydQM1czTbNB8okXUstWK19qj1aE1rq2uvVR7rXad9kMdgo6tTqLOPp1OnY+6TN1w3S26zbqjTAUmi5nLrGM+1qPoOeul61Xp3dPH6tvqJ+sf0O82gA2sDBINyg3uGMKG1oZ8wwOGPUYY
IzsjgVGVUb8x2djVOMu4znjIhG7ib5Jn0mzyZrH24qjFuxZ3Lv5uamWaYnrE9JGZnJmvWZ5Zq9k7cwNzrnm5+T0LioWXxQaLFou3loaWcZYHLQesqFZLrbZYdVh9s7axFlnXW4/ZaNvE2FTY9NvSbNm222yv22Hs3Ow22J23+2xvbZ9pf8r+Twdjh2SHYw6jS5hL4pYcWTLsqOnIcTzkOOjEcIpx+tlp0FnDmeNc5fzMRcuF51Lt8sJV3zXJ9bjrGzdTN5Fbo9tHd3v3de7tHigPb49Cjy5POc9QzzLPp16aXgledV7j3lbea7zbfTA+fj67fPpZqiwuq5Y17mvju873ih/ZL9ivzO+Zv4G/yL91KbzUd+nupY8DdAIEAc2BIJAVuDvwCZvJTmefW4Zdxl5Wvux5kFnQ2qDOYGrwquBjwZMhbiE7Qh6F6oWKQzvCpMOiw2rDPoZ7hBeHD0YsjlgXcStSKZIf2RKFiwqLqo6aWO65fO/ykWir6ILo+yuYK3JW3FiptDJl5YVV0qs4q07HYGLCY47FfOUEcqo4E7Gs2IrYca47dx/3Fc+Ft4c3FucYVxz3It4xvjh+NMExYXfCWKJzYknia747v4z/NsknqTLpY3Jg8tHk6ZTwlIZUfGpM6lmBnCBZcCVNLS0nrUdoKCwQDqbbp+9NHxf5iaozoIwVGS2ZNGTYuS3WE/8gHspyyirP+pQdln06RzZHkHN7tcHqratf5Hrl/rIGvYa7pmOtxtpNa4fWua47tB5aH7u+Y4PWhvwNIxu9N9ZsIm5K3vRbnmlecd6HzeGbW/NV8zfmD//g/UNdgVSBqKB/i8OWyh/RP/J/7NpqsXX/1u+FvMKbRaZFJUVft3G33fzJ7KfSn6a3x2/v2mG94+BO7E7Bzvu7nHfVFMsW5xYP7166u2kPY0/hng97V+29UWJZUrmPuE+8b7DUv7Rlv/b+nfu/liWW9ZW7lTdUqFRsrfh4gHeg96DLwfpK1cqiyi8/838eOOR9qKlKt6rkMPZw1uHnR8KOdP5i+0tttVJ1UfW3o4KjgzVBNVdqbWprj6kc21EH14nrxo5HH+8+4XGipd64/lADvaHoJDgpPvny15hf75/yO9Vx2vZ0/RmdMxWN1MbCJqhpddN4c2LzYEtkS89Z37MdrQ6tjedMzh09r3G+/IL8hR1txLb8tumLuRcn2oXtry8lXBruWNXx6HLE5XtXll3puup39fo1r2uXO107L153vH7+hv2Nszdtbzbfsr7VdNvqduNvVr81dll3Nd2xudPSbdfd2rOkp63XuffSXY+71+6x7t3qC+jruR96f6A/un9wgDcw+iDlwduHWQ+nHm18jHlc+ETmSclTladVv+v/3jBoPXhhyGPo9rPgZ4+GucOv/sj44+tI/nPK85IX6i9qR81Hz495jXW/XP5y5JXw1dTrgr/J/q3ijd6bM3+6/Hl7PGJ85K3o7fS7be8V3x/9YPmhY4I98XQydXLqY+EnxU81n20/d34J//JiKvsr7mvpN/1vrd/9vj+eTp2eFnJEnNlRAIUEHB8PwLujAFAiAaB2A0CUmpuRZwXNzfWzBP4Tz83Rs7IGALECYUgEuQBQgQQTCemNALCRNcQFwBYWkviHMuItzOe8SM3IaFIyPf0emQ1x+gB865+enmqenv5WjRT7EJljJudm8xnJIPN/9wNTC1///tAh8K/6Oze9BkYKTefQAAABnWlUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iWE1QIENvcmUgNS40LjAiPgogICA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPgogICAgICA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIgogICAgICAgICAgICB4
bWxuczpleGlmPSJodHRwOi8vbnMuYWRvYmUuY29tL2V4aWYvMS4wLyI+CiAgICAgICAgIDxleGlmOlBpeGV
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cc3fafa-8580-46cb-916a-44db02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T06:47:22.000Z",
"modified": "2019-04-27T06:47:22.000Z",
"pattern": "[file:hashes.SHA256 = '75917cc1bd9ecd7ef57b7ef428107778b19f46e8c38c00f1c70efc118cb8aab5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-27T06:47:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cc3fafb-5408-433e-8b31-408b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T06:47:23.000Z",
"modified": "2019-04-27T06:47:23.000Z",
"pattern": "[file:hashes.SHA256 = 'f86d05c1d7853c06fc5561f8df19b53506b724a83bb29c69b39f004a0f7f82d8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-27T06:47:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"misp-galaxy:malpedia=\"Ghost RAT\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cc3fafb-c8c0-42e6-bc0b-44a502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T06:47:23.000Z",
"modified": "2019-04-27T06:47:23.000Z",
"pattern": "[file:hashes.SHA256 = 'd50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-27T06:47:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cc3fafb-7a28-4088-8973-4cc602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T06:47:41.000Z",
"modified": "2019-04-27T06:47:41.000Z",
"description": "Malicious Word Macro Document",
"pattern": "[file:hashes.SHA256 = '4b3416fb6d1ed1f762772b4dd4f4f652e63ba41f7809b25c5fa0ee9010f7dae7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-27T06:47:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cc3fafb-5174-4cf6-b028-4e1202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T06:47:23.000Z",
"modified": "2019-04-27T06:47:23.000Z",
"pattern": "[file:hashes.SHA256 = '33ce9bcaeb0733a77ff0d85263ce03502ac20873bf58a118d1810861caced254']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-27T06:47:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cc3fafb-7744-4075-838a-49c702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T06:47:23.000Z",
"modified": "2019-04-27T06:47:23.000Z",
"pattern": "[file:hashes.SHA256 = 'bd6efb16527b025a5fd256bb357a91b4ff92aff599105252e50b87f1335db9e1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-27T06:47:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5cc4069c-ed84-47b2-8f41-43b0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T07:37:00.000Z",
"modified": "2019-04-27T07:37:00.000Z",
"labels": [
"misp:name=\"script\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "script",
"value": "import base64\r\n\r\nwith open(\u00e2\u20ac\u02dccowboy\u00e2\u20ac\u2122, \u00e2\u20ac\u02dcr\u00e2\u20ac\u2122) as file_in, open(\u00e2\u20ac\u02dccowboy_clear.bin\u00e2\u20ac\u2122, \u00e2\u20ac\u02dcwb\u00e2\u20ac\u2122) as file_out:\r\n\r\n EncStr = file_in.read()\r\n\r\n BlkSz = 10\r\n\r\n len_EncStr = len(EncStr)\r\n\r\n NonBlk10_ptr = len_EncStr \u00e2\u20ac\u201c (BlkSz -1) * (len_EncStr // BlkSz)\r\n\r\n NonBlk10 = EncStr [:NonBlk10_ptr]\r\n\r\n result = \u00e2\u20ac\u009d\r\n\r\n EncStr = EncStr [NonBlk10_ptr::]\r\n\r\n #print EncStr\r\n\r\n x = range (-1,BlkSz-1)\r\n\r\n Blksize1 = len_EncStr // BlkSz\r\n\r\n for n in x:\r\n\r\n loop_buff1_ptr = n * (len_EncStr // BlkSz)\r\n\r\n loop_buff1 = EncStr [loop_buff1_ptr:loop_buff1_ptr+Blksize1]\r\n\r\n #print loop_buff1\r\n\r\n result = loop_buff1 + result\r\n\r\n result = result + NonBlk10\r\n\r\n clear = base64.b64decode(result)[::-1]\r\n\r\n print clear\r\n\r\nfile_out.write(clear)",
"category": "Other",
"uuid": "5cc4069d-e05c-4b0b-a27b-42ee950d210f"
},
{
"type": "text",
"object_relation": "language",
"value": "Python",
"category": "Other",
"uuid": "5cc4069d-8094-4565-8c48-4b4c950d210f"
},
{
"type": "text",
"object_relation": "comment",
"value": "Python Script for Decoding Cowboy",
"category": "Other",
"uuid": "5cc4069d-95dc-4ca0-ab95-4114950d210f"
},
{
"type": "text",
"object_relation": "state",
"value": "Trusted",
"category": "Other",
"uuid": "5cc4069d-0010-4538-93dc-4a8d950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "script"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c5a73ecb-7963-487b-9c12-4b0e86a495ae",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T07:43:16.000Z",
"modified": "2019-04-27T07:43:16.000Z",
"pattern": "[file:hashes.MD5 = '03dbc1b3d79a4ff70f06fd6e67e00985' AND file:hashes.SHA1 = 'dbfdf474c76428f02fc4fbe408a8fe81a9402421' AND file:hashes.SHA256 = '75917cc1bd9ecd7ef57b7ef428107778b19f46e8c38c00f1c70efc118cb8aab5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-27T07:43:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--ec43ff24-211c-430f-84ab-5f57fa153d60",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T07:43:17.000Z",
"modified": "2019-04-27T07:43:17.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-27T00:43:44",
"category": "Other",
"uuid": "1ef7752b-f188-42f5-8df8-5eb52e7c1a3e"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/75917cc1bd9ecd7ef57b7ef428107778b19f46e8c38c00f1c70efc118cb8aab5/analysis/1556325824/",
"category": "Payload delivery",
"uuid": "8e8a2ce7-e747-4d32-9183-77f4d3439518"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "24/63",
"category": "Payload delivery",
"uuid": "10278f12-9615-4779-8ec1-d851b3124373"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e04af19f-c666-456b-95c9-b1b19d401d5d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T07:43:17.000Z",
"modified": "2019-04-27T07:43:17.000Z",
"pattern": "[file:hashes.MD5 = '57ef27823865c8f7784b0d37fd2c4aa8' AND file:hashes.SHA1 = 'd953005a70bf9d6282a9792c2598218657f31e25' AND file:hashes.SHA256 = 'bd6efb16527b025a5fd256bb357a91b4ff92aff599105252e50b87f1335db9e1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-27T07:43:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--af318753-2c6d-41cc-a37b-f9db1cec6b7a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T07:43:17.000Z",
"modified": "2019-04-27T07:43:17.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-24T20:00:44",
"category": "Other",
"uuid": "52406c92-c58c-45e1-a839-40a456d351a1"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/bd6efb16527b025a5fd256bb357a91b4ff92aff599105252e50b87f1335db9e1/analysis/1556136044/",
"category": "Payload delivery",
"uuid": "cd77c1bb-6b7e-41c2-a379-e94a091812aa"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "3/71",
"category": "Payload delivery",
"uuid": "34e8e79b-d608-4c84-91bd-d00813a4e0f8"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1ca9e3cc-11cf-4417-ae89-12d0db9e9240",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T07:43:17.000Z",
"modified": "2019-04-27T07:43:17.000Z",
"pattern": "[file:hashes.MD5 = '6590830061f85c0acc5259013555d079' AND file:hashes.SHA1 = 'b014e1b20499fcbab4c8e7af351ce08ac7f7832e' AND file:hashes.SHA256 = '4b3416fb6d1ed1f762772b4dd4f4f652e63ba41f7809b25c5fa0ee9010f7dae7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-27T07:43:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--210c73d6-356a-4be2-ba0a-cbf5b9ed607e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T07:43:17.000Z",
"modified": "2019-04-27T07:43:17.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-26T09:23:39",
"category": "Other",
"comment": "Malicious Word Macro Document",
"uuid": "9ed264d6-a346-4239-b5af-573ec35466d9"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/4b3416fb6d1ed1f762772b4dd4f4f652e63ba41f7809b25c5fa0ee9010f7dae7/analysis/1556270619/",
"category": "Payload delivery",
"comment": "Malicious Word Macro Document",
"uuid": "b7329de0-871d-4813-84a6-ca73093ef4a7"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "5/71",
"category": "Payload delivery",
"comment": "Malicious Word Macro Document",
"uuid": "a5f82c6b-902f-4b62-8bb2-a4b00f39e40b"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--41e3fdee-552a-4961-8183-635188ef931d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T07:43:17.000Z",
"modified": "2019-04-27T07:43:17.000Z",
"pattern": "[file:hashes.MD5 = '61f42c2dc1da18b046c6b274abe6f4ca' AND file:hashes.SHA1 = 'da188539e0dddae87245bcbc6e30eeb8ea607657' AND file:hashes.SHA256 = 'd50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-27T07:43:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5620ac27-0a6e-466a-90ff-6e97ab1e498d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T07:43:17.000Z",
"modified": "2019-04-27T07:43:17.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-12-31T07:08:17",
"category": "Other",
"uuid": "74fc5c3e-b17b-4d9e-88a5-f222d2fd231e"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712/analysis/1546240097/",
"category": "Payload delivery",
"uuid": "4afc8fc9-8686-4923-8dba-43f8fcc94109"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "11/68",
"category": "Payload delivery",
"uuid": "67182b20-bb11-4fa0-b212-31ac0634bc3a"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--a2978e53-4dce-47ff-9a2f-096807695563",
"created": "2019-04-27T07:43:18.000Z",
"modified": "2019-04-27T07:43:18.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--c5a73ecb-7963-487b-9c12-4b0e86a495ae",
"target_ref": "x-misp-object--ec43ff24-211c-430f-84ab-5f57fa153d60"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--494a1d44-509c-456c-89de-4622b6e0e30c",
"created": "2019-04-27T07:43:18.000Z",
"modified": "2019-04-27T07:43:18.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--e04af19f-c666-456b-95c9-b1b19d401d5d",
"target_ref": "x-misp-object--af318753-2c6d-41cc-a37b-f9db1cec6b7a"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--3d370b36-1cde-4ae8-a3e9-91580dd6debf",
"created": "2019-04-27T07:43:18.000Z",
"modified": "2019-04-27T07:43:18.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--1ca9e3cc-11cf-4417-ae89-12d0db9e9240",
"target_ref": "x-misp-object--210c73d6-356a-4be2-ba0a-cbf5b9ed607e"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--0635de0b-8d55-4548-9a5e-d91a675c4cc5",
"created": "2019-04-27T07:43:18.000Z",
"modified": "2019-04-27T07:43:18.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--41e3fdee-552a-4961-8183-635188ef931d",
"target_ref": "x-misp-object--5620ac27-0a6e-466a-90ff-6e97ab1e498d"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}