adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/5c812baa-d614-4f99-88e0-426d950d210f.json

408 lines
305 KiB
JSON
Raw Normal View History

chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5c812baa-d614-4f99-88e0-426d950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:54:20.000Z",
"modified": "2019-03-07T14:54:20.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5c812baa-d614-4f99-88e0-426d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:54:20.000Z",
"modified": "2019-03-07T14:54:20.000Z",
"name": "OSINT - New SLUB Backdoor Uses GitHub, Communicates via Slack",
"published": "2019-03-07T14:54:40Z",
"object_refs": [
"observed-data--5c812bb7-f9a4-4e40-8386-2d92950d210f",
"url--5c812bb7-f9a4-4e40-8386-2d92950d210f",
"x-misp-attribute--5c812bd5-5ff0-4398-aa70-44d7950d210f",
"vulnerability--5c812c3b-92e4-4dca-ae5d-423f950d210f",
"observed-data--5c812c61-3fb8-4dd4-a066-426f950d210f",
"file--5c812c61-3fb8-4dd4-a066-426f950d210f",
"artifact--5c812c61-3fb8-4dd4-a066-426f950d210f",
"observed-data--5c812ca0-4fb4-4e00-89a3-424b950d210f",
"file--5c812ca0-4fb4-4e00-89a3-424b950d210f",
"artifact--5c812ca0-4fb4-4e00-89a3-424b950d210f",
"indicator--5c812cd9-3bd0-4fb8-aebf-426f950d210f",
"indicator--5c812e19-f324-4fb4-8321-41b2950d210f",
"indicator--5c812e19-02cc-4e58-ad6f-4531950d210f",
"indicator--caa8ad96-cb54-41af-87e6-0d652834620b",
"x-misp-object--e326acd3-60af-46c8-bdb0-e3879b6dea8b",
"indicator--4712ac16-d976-47b2-8e95-99e0fbbfb94a",
"x-misp-object--ae0fe876-57e2-4670-8a0d-d6fed9a7d0d3",
"relationship--65548822-daaf-4913-86d7-e3783a0ba99c",
"relationship--d8ba1fef-0f49-4491-9de7-d1d28211b4d0"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Alternative Protocol - T1048\"",
"misp-galaxy:mitre-attack-pattern=\"Scripting - T1064\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5c812bb7-f9a4-4e40-8386-2d92950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:33:27.000Z",
"modified": "2019-03-07T14:33:27.000Z",
"first_observed": "2019-03-07T14:33:27Z",
"last_observed": "2019-03-07T14:33:27Z",
"number_observed": 1,
"object_refs": [
"url--5c812bb7-f9a4-4e40-8386-2d92950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5c812bb7-f9a4-4e40-8386-2d92950d210f",
"value": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5c812bd5-5ff0-4398-aa70-44d7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:33:57.000Z",
"modified": "2019-03-07T14:33:57.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "We recently came across a previously unknown malware that piqued our interest in multiple ways. For starters, we discovered it being spread via watering hole attacks, a technique that involves an attacker compromising a website before adding code to it so visitors are redirected to the infecting code. In this case, each visitor is redirected only once. The infection was done by exploiting CVE-2018-8174, a VBScript engine vulnerability that was patched by Microsoft back in May 2018.\r\n\r\nSecond, it uses a multi-stage infection scheme. After it exploits the vulnerability, it downloads a DLL and runs it in PowerShell (PS). This file, which is a downloader, then downloads and runs the second executable file containing a backdoor. The first stage downloader also checks for the existence of different kinds of antivirus software processes, and then proceeds to exit if any is found. At the time of discovery, the backdoor was seemingly unknown to AV products.\r\n\r\nIn addition to the previously mentioned facts, we quickly noticed that the malware was connecting to the Slack platform, a collaborative messaging system that lets users create and use their own workspaces through the use of channels, similar to the IRC chatting system. We found this quite interesting, since we haven\u00e2\u20ac\u2122t observed any malware to date that communicates using Slack.\r\n\r\nOur technical investigation and analysis of the attacker\u00e2\u20ac\u2122s tools, techniques, and procedures (TTP) lead us to think that this threat is actually a stealthy targeted attack run by capable actors, and not a typical cybercriminal scheme.\r\n\r\nNote that as soon as this malware was discovered, we informed the Canadian Centre for Cyber Security, which acts as Canada\u00e2\u20ac\u2122s National Computer Security Incident Response Team (CSIRT). The Cyber Centre alerted the site operator, helped them understand the malware that was found, and offered mitigation advice."
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5c812c3b-92e4-4dca-ae5d-423f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:35:39.000Z",
"modified": "2019-03-07T14:35:39.000Z",
"name": "CVE-2018-8174",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2018-8174"
}
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5c812c61-3fb8-4dd4-a066-426f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:36:17.000Z",
"modified": "2019-03-07T14:36:17.000Z",
"first_observed": "2019-03-07T14:36:17Z",
"last_observed": "2019-03-07T14:36:17Z",
"number_observed": 1,
"object_refs": [
"file--5c812c61-3fb8-4dd4-a066-426f950d210f",
"artifact--5c812c61-3fb8-4dd4-a066-426f950d210f"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5c812c61-3fb8-4dd4-a066-426f950d210f",
"name": "SLUB-Figure-5-1.jpg",
"content_ref": "artifact--5c812c61-3fb8-4dd4-a066-426f950d210f"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5c812c61-3fb8-4dd4-a066-426f950d210f",
"payload_bin": "/9j/4AAQSkZJRgABAgEAlgCWAAD/7gAOQWRvYmUAZAAAAAAB/+EASkV4aWYAAE1NACoAAAAIAAMBGgAFAAAAAQAAADIBGwAFAAAAAQAAADoBKAADAAAAAQACAAAAAAAAAJYAAAABAAAAlgAAAAEAAP/tACxQaG90b3Nob3AgMy4wADhCSU0D7QAAAAAAEACWAAAAAQABAJYAAAABAAH/4VKfaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wLwA8P3hwYWNrZXQgYmVnaW49Iu+7vyIgaWQ9Ilc1TTBNcENlaGlIenJlU3pOVGN6a2M5ZCI/Pg0KPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIENvcmUgNS4zLWMwMTEgNjYuMTQ1NjYxLCAyMDEyLzAyLzA2LTE0OjU2OjI3ICAgICAgICAiPg0KCTxyZGY6UkRGIHhtbG5zOnJkZj0iaHR0cDovL3d3dy53My5vcmcvMTk5OS8wMi8yMi1yZGYtc3ludGF4LW5zIyI+DQoJCTxyZGY6RGVzY3JpcHRpb24gcmRmOmFib3V0PSIiIHhtbG5zOmRjPSJodHRwOi8vcHVybC5vcmcvZGMvZWxlbWVudHMvMS4xLyI+DQoJCQk8ZGM6Zm9ybWF0PmltYWdlL2pwZWc8L2RjOmZvcm1hdD4NCgkJCTxkYzp0aXRsZT4NCgkJCQk8cmRmOkFsdD4NCgkJCQkJPHJkZjpsaSB4bWw6bGFuZz0ieC1kZWZhdWx0Ij5GSWd1cmUtNTwvcmRmOmxpPg0KCQkJCTwvcmRmOkFsdD4NCgkJCTwvZGM6dGl0bGU+DQoJCTwvcmRmOkRlc2NyaXB0aW9uPg0KCQk8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIiB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iIHhtbG5zOnhtcEdJbWc9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9nL2ltZy8iPg0KCQkJPHhtcDpNZXRhZGF0YURhdGU+MjAxOS0wMy0wNVQxNzozNjozNSswODowMDwveG1wOk1ldGFkYXRhRGF0ZT4NCgkJCTx4bXA6TW9kaWZ5RGF0ZT4yMDE5LTAzLTA1VDA5OjM2OjM2WjwveG1wOk1vZGlmeURhdGU+DQoJCQk8eG1wOkNyZWF0ZURhdGU+MjAxOS0wMy0wNVQxNzozNjozNSswODowMDwveG1wOkNyZWF0ZURhdGU+DQoJCQk8eG1wOkNyZWF0b3JUb29sPkFkb2JlIElsbHVzdHJhdG9yIENTNiAoV2luZG93cyk8L3htcDpDcmVhdG9yVG9vbD4NCgkJCTx4bXA6VGh1bWJuYWlscz4NCgkJCQk8cmRmOkFsdD4NCgkJCQkJPHJkZjpsaSByZGY6cGFyc2VUeXBlPSJSZXNvdXJjZSI+DQoJCQkJCQk8eG1wR0ltZzp3aWR0aD4yNTY8L3htcEdJbWc6d2lkdGg+DQoJCQkJCQk8eG1wR0ltZzpoZWlnaHQ+MTUyPC94bXBHSW1nOmhlaWdodD4NCgkJCQkJCTx4bXBHSW1nOmZvcm1hdD5KUEVHPC94bXBHSW1nOmZvcm1hdD4NCgkJCQkJCTx4bXBHSW1nOmltYWdlPi85ai80QUFRU2taSlJnQUJBZ0VBbGdDV0FBRC83UUFzVUdodmRHOXphRzl3SURNdU1BQTRRa2xOQSswQUFBQUFBQkFBbGdBQUFBRUENCkFRQ1dBQUFBQVFBQi8rSU1XRWxEUTE5UVVrOUdTVXhGQUFFQkFBQU1TRXhwYm04Q0VBQUFiVzUwY2xKSFFpQllXVm9nQjg0QUFnQUoNCkFBWUFNUUFBWVdOemNFMVRSbFFBQUFBQVNVVkRJSE5TUjBJQUFBQUFBQUFBQUFBQUFBQUFBUGJXQUFFQUFBQUEweTFJVUNBZ0FBQUENCkFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBUlkzQnlkQUFBQVZBQUFBQXoNClpHVnpZd0FBQVlRQUFBQnNkM1J3ZEFBQUFmQUFBQUFVWW10d2RBQUFBZ1FBQUFBVWNsaFpXZ0FBQWhnQUFBQVVaMWhaV2dBQUFpd0ENCkFBQVVZbGhaV2dBQUFrQUFBQUFVWkcxdVpBQUFBbFFBQUFCd1pHMWtaQUFBQXNRQUFBQ0lkblZsWkFBQUEwd0FBQUNHZG1sbGR3QUENCkE5UUFBQUFrYkhWdGFRQUFBL2dBQUFBVWJXVmhjd0FBQkF3QUFBQWtkR1ZqYUFBQUJEQUFBQUFNY2xSU1F3QUFCRHdBQUFnTVoxUlMNClF3QUFCRHdBQUFnTVlsUlNRd0FBQkR3QUFBZ01kR1Y0ZEFBQUFBQkRiM0I1Y21sbmFIUWdLR01wSURFNU9UZ2dTR1YzYkdWMGRDMVENCllXTnJZWEprSUVOdmJYQmhibmtBQUdSbGMyTUFBQUFBQUFBQUVuTlNSMElnU1VWRE5qRTVOall0TWk0eEFBQUFBQUFBQUFBQUFBQVMNCmMxSkhRaUJKUlVNMk1UazJOaTB5TGpFQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUENCkFBQUFBQUFBQUFBQUFGaFpXaUFBQUFBQUFBRHpVUUFCQUFBQUFSYk1XRmxhSUFBQUFBQUFBQUFBQUFBQUFBQUFBQUJZV1ZvZ0FBQUENCkFBQUFiNklBQURqMUFBQURrRmhaV2lBQUFBQUFBQUJpbVFBQXQ0VUFBQmphV0ZsYUlBQUFBQUFBQUNTZ0FBQVBoQUFBdHM5a1pYTmoNCkFBQUFBQUFBQUJaSlJVTWdhSFIwY0RvdkwzZDNkeTVwWldNdVkyZ0FBQUFBQUFBQUFBQUFBQlpKUlVNZ2FIUjBjRG92TDNkM2R5NXANClpXTXVZMmdBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBWkdWell3QUENCkFBQUFBQUF1U1VWRElEWXhPVFkyTFRJdU1TQkVaV1poZFd4MElGSkhRaUJqYjJ4dmRYSWdjM0JoWTJVZ0xTQnpVa2RDQUFBQUFBQUENCkFBQUFBQUF1U1VWRElEWXhPVFkyTFRJdU1TQkVaV1poZFd4MElGSkhRaUJqYjJ4dmRYSWdjM0JoWTJVZ0xTQnpVa2RDQUFBQUFBQUENCkFBQUFBQUFBQUFBQUFBQUFBQUFBQUdSbGMyTUFBQUFBQUFBQUxGSmxabVZ5Wlc1alpTQldhV1YzYVc1bklFTnZibVJwZEdsdmJpQnANCmJpQkpSVU0yTVRrMk5pMHlMakVBQUFBQUFBQUFBQUFBQUN4U1pXWmxjbVZ1WTJVZ1ZtbGxkMmx1WnlCRGIyNWthWFJwYjI0Z2FXNGcNClNVVkROakU1TmpZdE1pNHhBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQjJhV1YzQUFBQUFBQVRwUDRBRkY4dUFCRFANCkZBQUQ3Y3dBQkJNTEFBTmNuZ0FBQUFGWVdWb2dBQUFBQUFCTUNWWUFVQUFBQUZjZjUyMWxZWE1BQUFBQUFBQUFBUUFBQUFBQUFBQUENCkFBQUFBQUFBQUFBQUFBS1BBQUFBQW5OcFp5QUFBQUFBUTFKVUlHTjFjbllBQUFBQUFBQUVBQUFBQUFVQUNnQVBBQlFBR1FBZUFDTUENCktBQXRBRElBTndBN0FFQUFSUUJLQUU4QVZBQlpBRjRBWXdCb0FHMEFjZ0IzQUh3QWdRQ0dBSXNBa0FDVkFKb0Fud0NrQUtrQXJnQ3kNCkFMY0F2QURCQU1ZQXl3RFFBTlVBMndEZ0FPVUE2d0R3QVBZQSt3RUJBUWN
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5c812ca0-4fb4-4e00-89a3-424b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:37:20.000Z",
"modified": "2019-03-07T14:37:20.000Z",
"first_observed": "2019-03-07T14:37:20Z",
"last_observed": "2019-03-07T14:37:20Z",
"number_observed": 1,
"object_refs": [
"file--5c812ca0-4fb4-4e00-89a3-424b950d210f",
"artifact--5c812ca0-4fb4-4e00-89a3-424b950d210f"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5c812ca0-4fb4-4e00-89a3-424b950d210f",
"name": "SLUB-Figure-9.jpg",
"content_ref": "artifact--5c812ca0-4fb4-4e00-89a3-424b950d210f"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5c812ca0-4fb4-4e00-89a3-424b950d210f",
"payload_bin": "/9j/4AAQSkZJRgABAQEA3ADcAAD/2wBDAAIBAQIBAQICAgICAgICAwUDAwMDAwYEBAMFBwYHBwcGBwcICQsJCAgKCAcHCg0KCgsMDAwMBwkODw0MDgsMDAz/2wBDAQICAgMDAwYDAwYMCAcIDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAz/wAARCAIYBOsDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwD9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACijNFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAeeftV/tLeHf2QfgD4l+Inil5Ro/hu3EzxxY825kZgkcSZ43O7Ko+tfg98bf8Ag49/aK+IfjW7vPDGraR4J0UysbWwtNOhuWjjz8oeSZWLNjqQAM9q/R3/AIOZL+az/wCCaTxxOUS68VadFKB/GoWd8f8AfSqfwr+eaumjBNXZzVptOyPsv/h/7+1V/wBFIj/8Etj/APGqP+H/AL+1V/0UiP8A8Etj/wDGq+NKK25V2Mud9z7L/wCH/v7VX/RSI/8AwS2P/wAao/4f+/tVf9FIj/8ABLY//Gq+NKKOVdg533Psv/h/7+1V/wBFIj/8Etj/APGqP+H/AL+1V/0UiP8A8Etj/wDGq+NKKOVdg533Psv/AIf+/tVf9FIj/wDBLY//ABqj/h/7+1V/0UiP/wAEtj/8ar40oo5V2Dnfc+y/+H/v7VX/AEUiP/wS2P8A8ao/4f8Av7VX/RSI/wDwS2P/AMar40oo5V2Dnfc+y/8Ah/7+1V/0UiP/AMEtj/8AGqP+H/v7VX/RSI//AAS2P/xqvjSijlXYOd9z7L/4f+/tVf8ARSI//BLY/wDxqj/h/wC/tVf9FIj/APBLY/8AxqvjSijlXYOd9z7L/wCH/v7VX/RSI/8AwS2P/wAao/4f+/tVf9FIj/8ABLY//Gq+NKKOVdg533Psv/h/7+1V/wBFIj/8Etj/APGqUf8ABf39qoEH/hZEZx/1BbH/AONV8Z0Uci7BzvufuJ/wR2/4L2+IP2nPjBYfCz4uW2mf27rmU0XXLKIW63MyqW8iaP7oZgDtZccjGOQa/Vyv5Qf+Cd9xJbft+fA9o3ZGPj7Q1yODg6hACPxBI/Gv6vq5q0UnodFGTa1CiiisTYKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiig0AGaK/n6/4LC/8FoPiT8Xf2ifE3gb4e+KdY8H+AvCl/NpatpN01rcazJExjkmkljIcxlg21AQpXBIz0+KR+178V/+imePv/B9df8AxdbxoNq7ZhKuk7JH9bdFfySf8NffFf8A6KZ4+/8AB9df/F0f8NffFf8A6KZ4+/8AB9df/F0/q/mL6x5H9bdFfySf8NffFf8A6KZ4+/8AB9df/F0f8NffFf8A6KZ4+/8AB9df/F0fV/MPrHkf1t0V/JJ/w198V/8Aopnj7/wfXX/xdH/DX3xX/wCimePv/B9df/F0fV/MPrHkf1t
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c812cd9-3bd0-4fb8-aebf-426f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:38:17.000Z",
"modified": "2019-03-07T14:38:17.000Z",
"pattern": "[url:value = 'https://gist.github.com/kancc14522/626a3a68a2cc2a91c1ece1eed7610c8a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-07T14:38:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c812e19-f324-4fb4-8321-41b2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:43:37.000Z",
"modified": "2019-03-07T14:43:37.000Z",
"description": "Trojan.Win32.CVE20151701.E",
"pattern": "[file:hashes.SHA256 = '3ba00114d0ae766cf77edcdcc953ec6ee7527181968c02d4ffc36b9f89c4ebc7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-07T14:43:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c812e19-02cc-4e58-ad6f-4531950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:43:37.000Z",
"modified": "2019-03-07T14:43:37.000Z",
"description": "Backdoor.Win32.SLUB.A",
"pattern": "[file:hashes.SHA256 = '43221eb160733ea694b4fdda70e7eab4a86d59c5f9749fd2f9b71783e5da6dd7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-07T14:43:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--caa8ad96-cb54-41af-87e6-0d652834620b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:43:58.000Z",
"modified": "2019-03-07T14:43:58.000Z",
"pattern": "[file:hashes.MD5 = '142ea550d65fbd90cc2a47aeaef0c210' AND file:hashes.SHA1 = 'e092e130a0627015331c3d3e0265befd65c167b4' AND file:hashes.SHA256 = '3ba00114d0ae766cf77edcdcc953ec6ee7527181968c02d4ffc36b9f89c4ebc7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-07T14:43:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--e326acd3-60af-46c8-bdb0-e3879b6dea8b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:43:59.000Z",
"modified": "2019-03-07T14:43:59.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-03-01T01:49:19",
"category": "Other",
"comment": "Trojan.Win32.CVE20151701.E",
"uuid": "40be40ac-66c7-45ea-a2d7-0ffaea92ce0a"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/3ba00114d0ae766cf77edcdcc953ec6ee7527181968c02d4ffc36b9f89c4ebc7/analysis/1551404959/",
"category": "Payload delivery",
"comment": "Trojan.Win32.CVE20151701.E",
"uuid": "442cf993-0cb9-48a6-8bb1-e1ab6fcb3a0a"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "32/63",
"category": "Payload delivery",
"comment": "Trojan.Win32.CVE20151701.E",
"uuid": "49b64f75-c33f-42ab-a43d-8ea7bfafbe12"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4712ac16-d976-47b2-8e95-99e0fbbfb94a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:44:00.000Z",
"modified": "2019-03-07T14:44:00.000Z",
"pattern": "[file:hashes.MD5 = 'f3004ddaef5b8c18883e716dda966141' AND file:hashes.SHA1 = '786e366ab9edbbba315ee1cc0de12132b107ba9c' AND file:hashes.SHA256 = '43221eb160733ea694b4fdda70e7eab4a86d59c5f9749fd2f9b71783e5da6dd7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-07T14:44:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--ae0fe876-57e2-4670-8a0d-d6fed9a7d0d3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-07T14:44:00.000Z",
"modified": "2019-03-07T14:44:00.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-03-06T16:37:38",
"category": "Other",
"comment": "Backdoor.Win32.SLUB.A",
"uuid": "a77369bd-22fd-4be7-883e-933bd72867cc"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/43221eb160733ea694b4fdda70e7eab4a86d59c5f9749fd2f9b71783e5da6dd7/analysis/1551890258/",
"category": "Payload delivery",
"comment": "Backdoor.Win32.SLUB.A",
"uuid": "81801a81-6192-4cfb-8aaf-ead1f36da2e8"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "7/69",
"category": "Payload delivery",
"comment": "Backdoor.Win32.SLUB.A",
"uuid": "a1fe3994-9403-415e-b117-30f4b38e65d4"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--65548822-daaf-4913-86d7-e3783a0ba99c",
"created": "2019-03-07T14:44:00.000Z",
"modified": "2019-03-07T14:44:00.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--caa8ad96-cb54-41af-87e6-0d652834620b",
"target_ref": "x-misp-object--e326acd3-60af-46c8-bdb0-e3879b6dea8b"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d8ba1fef-0f49-4491-9de7-d1d28211b4d0",
"created": "2019-03-07T14:44:00.000Z",
"modified": "2019-03-07T14:44:00.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--4712ac16-d976-47b2-8e95-99e0fbbfb94a",
"target_ref": "x-misp-object--ae0fe876-57e2-4670-8a0d-d6fed9a7d0d3"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue Copy permalink