{
"type": "bundle",
"id": "bundle--5cd2ec29-16fc-4842-b954-282902de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T15:20:32.000Z",
"modified": "2019-05-08T15:20:32.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5cd2ec29-16fc-4842-b954-282902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T15:20:32.000Z",
"modified": "2019-05-08T15:20:32.000Z",
"name": "OSINT - Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak",
"published": "2019-05-08T15:20:40Z",
"object_refs": [
"indicator--5cd2ed5b-ed08-4fe3-bf5d-2829950d210f",
"indicator--5cd2ed5b-f164-4f34-8ecd-2829950d210f",
"indicator--5cd2ed5b-b458-4acf-b636-2829950d210f",
"indicator--5cd2ed5b-eca8-4834-a29a-2829950d210f",
"indicator--5cd2ed5b-8ce0-4eab-bdf1-2829950d210f",
"indicator--5cd2ed5b-639c-4e92-9ef1-2829950d210f",
"indicator--5cd2ed5b-b7c4-45a4-8544-2829950d210f",
"indicator--5cd2ed5b-75ac-4259-9dc9-2829950d210f",
"indicator--5cd2ed5b-8600-4adf-8514-2829950d210f",
"indicator--5cd2ed5b-6c24-4586-b546-2829950d210f",
"indicator--5cd2ed5b-3434-4064-bf3c-2829950d210f",
"indicator--5cd2ed5b-a248-4e3e-8892-2829950d210f",
"indicator--5cd2ed5b-5860-4fbd-a655-2829950d210f",
"indicator--5cd2ed5b-b054-4431-b920-2829950d210f",
"indicator--5cd2ed5b-6b38-47d6-9a7c-2829950d210f",
"indicator--5cd2ed5b-0258-45d5-930e-2829950d210f",
"observed-data--5cd2f38f-2274-4de6-b0a0-482402de0b81",
"url--5cd2f38f-2274-4de6-b0a0-482402de0b81",
"x-misp-attribute--5cd2f3b2-d488-4322-b60c-445f02de0b81",
"indicator--cb969a73-6e24-4be3-9e56-19d7b012bdf9",
"x-misp-object--b8448b23-79bc-4adb-b285-e620e36372f9",
"indicator--29707d14-8018-4c35-9bb4-2ee259cf9724",
"x-misp-object--9f0f1973-38c8-4a2c-9ab8-0b71e5a37a2c",
"indicator--6b996ac5-d722-4603-a955-0264c5081cb2",
"x-misp-object--cdbb3fad-5a1c-4032-b488-71878e955d17",
"relationship--621e2680-0256-4952-8ab7-1b1efd96f454",
"relationship--74e17bce-3183-4a20-869d-c829a5547668",
"relationship--1ad3d9ff-19fd-44c9-b0b3-6b039a113df4"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"misp-galaxy:threat-actor=\"UPS\"",
"misp-galaxy:mitre-intrusion-set=\"APT3 - G0022\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2ed5b-ed08-4fe3-bf5d-2829950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:53:15.000Z",
"modified": "2019-05-08T14:53:15.000Z",
"description": "Pirpi (first variant)",
"pattern": "[file:hashes.MD5 = '7020bcb347404654e17f6303848b7ec4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T14:53:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2ed5b-f164-4f34-8ecd-2829950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:53:15.000Z",
"modified": "2019-05-08T14:53:15.000Z",
"description": "Pirpi (first variant)",
"pattern": "[file:hashes.SHA256 = 'cbe23daa9d2f8e1f5d59c8336dd5b7d7ba1d5cf3f0d45e66107668e80b073ac3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T14:53:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2ed5b-b458-4acf-b636-2829950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:53:15.000Z",
"modified": "2019-05-08T14:53:15.000Z",
"description": "Pirpi (second variant)",
"pattern": "[file:hashes.MD5 = 'aacfef51a4a242f52fbb838c1d063d9b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T14:53:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2ed5b-eca8-4834-a29a-2829950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:53:15.000Z",
"modified": "2019-05-08T14:53:15.000Z",
"description": "Pirpi (second variant)",
"pattern": "[file:hashes.SHA256 = '53145f374299e673d82d108b133341dc7bee642530b560118e3cbcdb981ee92c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T14:53:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2ed5b-8ce0-4eab-bdf1-2829950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:53:15.000Z",
"modified": "2019-05-08T14:53:15.000Z",
"description": "Command line utility to list user accounts on remote machine",
"pattern": "[file:hashes.MD5 = 'c2f902f398783922a921df7d46590295']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T14:53:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2ed5b-639c-4e92-9ef1-2829950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:53:15.000Z",
"modified": "2019-05-08T14:53:15.000Z",
"description": "Command line utility to list user accounts on remote machine",
"pattern": "[file:hashes.SHA256 = '01f53953db8ba580ee606043a482f790082460c8cdbd7ff151d84e03fdc87e42']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T14:53:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2ed5b-b7c4-45a4-8544-2829950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:53:15.000Z",
"modified": "2019-05-08T14:53:15.000Z",
"description": "Filensfer (C/C++)",
"pattern": "[file:hashes.MD5 = '6458806a5071a7c4fefae084791e8c67']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T14:53:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2ed5b-75ac-4259-9dc9-2829950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:53:15.000Z",
"modified": "2019-05-08T14:53:15.000Z",
"description": "Filensfer (C/C++)",
"pattern": "[file:hashes.SHA256 = '6b1f8b303956c04e24448b1eec8634bd3fb2784c8a2d12ecf8588424b36d3cbc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T14:53:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2ed5b-8600-4adf-8514-2829950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:53:15.000Z",
"modified": "2019-05-08T14:53:15.000Z",
"description": "Filensfer (Powershell)",
"pattern": "[file:hashes.MD5 = '0d2d0d8f4989679f7c26b5531096b8b2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T14:53:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2ed5b-6c24-4586-b546-2829950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:53:15.000Z",
"modified": "2019-05-08T14:53:15.000Z",
"description": "Filensfer (Powershell)",
"pattern": "[file:hashes.SHA256 = '7bfad342ce88de19d090a4cb2ce332022650abd68f34e83fdc694f10a4090d65']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T14:53:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2ed5b-3434-4064-bf3c-2829950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:53:15.000Z",
"modified": "2019-05-08T14:53:15.000Z",
"description": "Filensfer (py2exe)",
"pattern": "[file:hashes.MD5 = 'a3932533efc04ac3fe89fb5b3d60128a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T14:53:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2ed5b-a248-4e3e-8892-2829950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:53:15.000Z",
"modified": "2019-05-08T14:53:15.000Z",
"description": "Filensfer (py2exe)",
"pattern": "[file:hashes.SHA256 = '3dbe8700ecd27b3dc39643b95b187ccfd44318fc88c5e6ee6acf3a07cdaf377e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T14:53:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2ed5b-5860-4fbd-a655-2829950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:53:15.000Z",
"modified": "2019-05-08T14:53:15.000Z",
"description": "Command line SMB client",
"pattern": "[file:hashes.MD5 = '58f784c7a292103251930360f9ca713e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T14:53:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2ed5b-b054-4431-b920-2829950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:53:15.000Z",
"modified": "2019-05-08T14:53:15.000Z",
"description": "Command line SMB client",
"pattern": "[file:hashes.SHA256 = '1c9f1c7056864b5fdd491d5daa49f920c3388cb8a8e462b2bc34181cef6c1f9c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T14:53:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2ed5b-6b38-47d6-9a7c-2829950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:53:15.000Z",
"modified": "2019-05-08T14:53:15.000Z",
"description": "HTran",
"pattern": "[file:hashes.MD5 = 'a469d48e25e524cf0dec64f01c182b25']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T14:53:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2ed5b-0258-45d5-930e-2829950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:53:15.000Z",
"modified": "2019-05-08T14:53:15.000Z",
"description": "HTran",
"pattern": "[file:hashes.SHA256 = '951f079031c996c85240831ea1b61507f91990282daae6da2841311322e8a6d7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T14:53:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cd2f38f-2274-4de6-b0a0-482402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T15:19:43.000Z",
"modified": "2019-05-08T15:19:43.000Z",
"first_observed": "2019-05-08T15:19:43Z",
"last_observed": "2019-05-08T15:19:43Z",
"number_observed": 1,
"object_refs": [
"url--5cd2f38f-2274-4de6-b0a0-482402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5cd2f38f-2274-4de6-b0a0-482402de0b81",
"value": "https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5cd2f3b2-d488-4322-b60c-445f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T15:20:18.000Z",
"modified": "2019-05-08T15:20:18.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak\r\nWindows zero day was exploited by Buckeye alongside Equation Group tools during 2016 attacks. Exploit and tools continued to be used after Buckeye's apparent disappearance in 2017.\r\nKey Findings\r\n\r\n The Buckeye attack group was using Equation Group tools to gain persistent access to target organizations at least a year prior to the Shadow Brokers leak.\r\n Variants of Equation Group tools used by Buckeye appear to be different from those released by Shadow Brokers, potentially indicating that they didn't originate from that leak.\r\n Buckeye's use of Equation Group tools also involved the exploit of a previously unknown Windows zero-day vulnerability. This zero day was reported by Symantec to Microsoft in September 2018 and patched in March 2019.\r\n While Buckeye appeared to cease operations in mid-2017, the Equation Group tools it used continued to be used in attacks until late 2018. It is unknown who continued to use the tools. They may have been passed to another group or Buckeye may have continued operating longer than supposed.\r\n\r\nThe 2017 leak of Equation Group tools by a mysterious group calling itself the Shadow Brokers was one of the most significant cyber security stories in recent years. Equation is regarded as one of the most technically adept espionage groups and the release of a trove of its tools had a major impact, with many attackers rushing to deploy the malware and exploits disclosed."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--cb969a73-6e24-4be3-9e56-19d7b012bdf9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:55:15.000Z",
"modified": "2019-05-08T14:55:15.000Z",
"pattern": "[file:hashes.MD5 = '6458806a5071a7c4fefae084791e8c67' AND file:hashes.SHA1 = 'ec6cf407e4f791abb04a2bafde0980a2ba1fd2a8' AND file:hashes.SHA256 = '6b1f8b303956c04e24448b1eec8634bd3fb2784c8a2d12ecf8588424b36d3cbc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T14:55:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--b8448b23-79bc-4adb-b285-e620e36372f9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:55:15.000Z",
"modified": "2019-05-08T14:55:15.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-05-08T05:07:44",
"category": "Other",
"comment": "Filensfer (C/C++)",
"uuid": "94260963-ba53-478d-8521-3a62b6a411cb"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/6b1f8b303956c04e24448b1eec8634bd3fb2784c8a2d12ecf8588424b36d3cbc/analysis/1557292064/",
"category": "Payload delivery",
"comment": "Filensfer (C/C++)",
"uuid": "5701e708-1d8c-4670-8b47-0acb9670c276"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "45/73",
"category": "Payload delivery",
"comment": "Filensfer (C/C++)",
"uuid": "e950587d-ed19-426c-96ac-b93f8a0cd985"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--29707d14-8018-4c35-9bb4-2ee259cf9724",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:55:15.000Z",
"modified": "2019-05-08T14:55:15.000Z",
"pattern": "[file:hashes.MD5 = 'a3932533efc04ac3fe89fb5b3d60128a' AND file:hashes.SHA1 = '2a01d103b2bb66cba2cdb201f09933fee2055db3' AND file:hashes.SHA256 = '3dbe8700ecd27b3dc39643b95b187ccfd44318fc88c5e6ee6acf3a07cdaf377e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T14:55:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--9f0f1973-38c8-4a2c-9ab8-0b71e5a37a2c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:55:15.000Z",
"modified": "2019-05-08T14:55:15.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-05-08T05:07:41",
"category": "Other",
"comment": "Filensfer (py2exe)",
"uuid": "7773b23b-26f6-4274-9911-ff7ce63a8c4b"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/3dbe8700ecd27b3dc39643b95b187ccfd44318fc88c5e6ee6acf3a07cdaf377e/analysis/1557292061/",
"category": "Payload delivery",
"comment": "Filensfer (py2exe)",
"uuid": "7c4abf50-a135-4369-bc1c-12aeabe252b7"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "19/73",
"category": "Payload delivery",
"comment": "Filensfer (py2exe)",
"uuid": "a31469f5-82a2-4210-88a4-4ffc8a06fcdc"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6b996ac5-d722-4603-a955-0264c5081cb2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:55:15.000Z",
"modified": "2019-05-08T14:55:15.000Z",
"pattern": "[file:hashes.MD5 = 'a469d48e25e524cf0dec64f01c182b25' AND file:hashes.SHA1 = '312f62f4b6a6251a8b6501d665da3069ce21a3b6' AND file:hashes.SHA256 = '951f079031c996c85240831ea1b61507f91990282daae6da2841311322e8a6d7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T14:55:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"misp-galaxy:malpedia=\"HTran\"",
"misp-galaxy:tool=\"Htran\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--cdbb3fad-5a1c-4032-b488-71878e955d17",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:55:15.000Z",
"modified": "2019-05-08T14:55:15.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-05-08T05:07:48",
"category": "Other",
"comment": "HTran",
"uuid": "440ea4c6-db42-4154-b545-9a240b49dc79"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/951f079031c996c85240831ea1b61507f91990282daae6da2841311322e8a6d7/analysis/1557292068/",
"category": "Payload delivery",
"comment": "HTran",
"uuid": "e1e619bf-cf06-4e72-bce0-1badbcceb720"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "47/73",
"category": "Payload delivery",
"comment": "HTran",
"uuid": "129a5a26-1fe5-4fa8-a304-8b1e6b2c3e30"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--621e2680-0256-4952-8ab7-1b1efd96f454",
"created": "2019-05-08T14:55:16.000Z",
"modified": "2019-05-08T14:55:16.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--cb969a73-6e24-4be3-9e56-19d7b012bdf9",
"target_ref": "x-misp-object--b8448b23-79bc-4adb-b285-e620e36372f9"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--74e17bce-3183-4a20-869d-c829a5547668",
"created": "2019-05-08T14:55:16.000Z",
"modified": "2019-05-08T14:55:16.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--29707d14-8018-4c35-9bb4-2ee259cf9724",
"target_ref": "x-misp-object--9f0f1973-38c8-4a2c-9ab8-0b71e5a37a2c"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--1ad3d9ff-19fd-44c9-b0b3-6b039a113df4",
"created": "2019-05-08T14:55:16.000Z",
"modified": "2019-05-08T14:55:16.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--6b996ac5-d722-4603-a955-0264c5081cb2",
"target_ref": "x-misp-object--cdbb3fad-5a1c-4032-b488-71878e955d17"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}