|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--5cc023e7-9c7c-418e-b908-4d46950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T11:21:10.000Z",
|
||
|
"modified": "2019-04-24T11:21:10.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--5cc023e7-9c7c-418e-b908-4d46950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T11:21:10.000Z",
|
||
|
"modified": "2019-04-24T11:21:10.000Z",
|
||
|
"name": "OSINT - DNSpionage brings out the Karkoff",
|
||
|
"published": "2019-04-24T11:21:35Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--5cc023f7-8650-4b3b-b631-4d52950d210f",
|
||
|
"url--5cc023f7-8650-4b3b-b631-4d52950d210f",
|
||
|
"x-misp-attribute--5cc0240c-fb80-4eb2-99bb-4040950d210f",
|
||
|
"indicator--5cc0242b-2ba8-419f-8d14-42e7950d210f",
|
||
|
"indicator--5cc0242b-e1cc-4aec-a163-471f950d210f",
|
||
|
"indicator--5cc0242b-1ac0-448a-a3c9-45ff950d210f",
|
||
|
"indicator--5cc0242b-d758-44d4-9614-4759950d210f",
|
||
|
"indicator--5cc02456-7350-4263-bbc9-4205950d210f",
|
||
|
"indicator--5cc02456-7a84-49a2-b073-4ea8950d210f",
|
||
|
"indicator--5cc02456-b618-4f07-9281-4404950d210f",
|
||
|
"observed-data--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9",
|
||
|
"network-traffic--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9",
|
||
|
"ipv4-addr--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9",
|
||
|
"observed-data--5cc024b9-0c94-42a4-820b-1bc4e387cbd9",
|
||
|
"network-traffic--5cc024b9-0c94-42a4-820b-1bc4e387cbd9",
|
||
|
"ipv4-addr--5cc024b9-0c94-42a4-820b-1bc4e387cbd9",
|
||
|
"indicator--5cc02a7b-08f8-493b-b253-247f950d210f",
|
||
|
"indicator--5cc02ab1-70b0-446f-8b28-2497950d210f",
|
||
|
"indicator--3148bbb8-f76e-4556-b973-3dea9cf89820",
|
||
|
"x-misp-object--5f8b1fcb-d5e4-4e95-adc0-253f765c8f61",
|
||
|
"indicator--6393b267-5ff7-4204-85cf-709530bc110d",
|
||
|
"x-misp-object--5baaf36e-74f0-4e6b-b18a-377bc301867e",
|
||
|
"indicator--52ca9602-5ef6-4de3-b528-058d33844ea3",
|
||
|
"x-misp-object--993871f0-b786-4813-9811-7f60eb385014",
|
||
|
"indicator--9daaf5c9-c7e0-444d-b551-ff231e16521a",
|
||
|
"x-misp-object--fd6fe17b-18a9-4729-9276-796667da59b6",
|
||
|
"indicator--1fc50c0d-6a22-4c8f-9823-229fb2334f2e",
|
||
|
"x-misp-object--71ee7c63-f4fa-463e-8a7d-054b9920e0a3",
|
||
|
"relationship--32150263-0a25-4053-a03c-7237072e629a",
|
||
|
"relationship--6a4824dd-74ff-4f66-b923-42037d5dd2d0",
|
||
|
"relationship--8862bb8d-7bbc-4c4c-b897-8f4b7124d350",
|
||
|
"relationship--90c7c2d8-d7d1-4757-b9fd-ab4ed5c8e1f0",
|
||
|
"relationship--3e199573-1c43-4dc1-9259-b6b8009f15cc"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"misp-galaxy:malpedia=\"DNSpionage\"",
|
||
|
"misp-galaxy:threat-actor=\"DNSpionage\"",
|
||
|
"type:OSINT",
|
||
|
"osint:lifetime=\"perpetual\"",
|
||
|
"osint:certainty=\"50\"",
|
||
|
"misp-galaxy:tool=\"Karkoff\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5cc023f7-8650-4b3b-b631-4d52950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T08:53:11.000Z",
|
||
|
"modified": "2019-04-24T08:53:11.000Z",
|
||
|
"first_observed": "2019-04-24T08:53:11Z",
|
||
|
"last_observed": "2019-04-24T08:53:11Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5cc023f7-8650-4b3b-b631-4d52950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5cc023f7-8650-4b3b-b631-4d52950d210f",
|
||
|
"value": "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5cc0240c-fb80-4eb2-99bb-4040950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T08:53:32.000Z",
|
||
|
"modified": "2019-04-24T08:53:32.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "In November 2018, Cisco Talos discovered an attack campaign, called DNSpionage, in which threat actors created a new remote administrative tool that supports HTTP and DNS communication with the attackers' command and control(C2). Since then, there have been several other public reports of additional DNSpionage attacks, and in January, the U.S. Department of Homeland Security issued an alert warning users about this threat activity.\r\n\r\nIn addition to increased reports of threat activity, we have also discovered new evidence that the threat actors behind the DNSpionage campaign continue to change their tactics, likely in an attempt to improve the efficacy of their operations. In February, we discovered some changes to the actors' tactics, techniques and procedures (TTPs), including the use of a new reconnaissance phase that selectively chooses which targets to infect with malware. In April 2019, we also discovered the actors using a new malware, which we are calling \"Karkoff.\"\r\n\r\nThis post will cover the aforementioned DNSpionage updates, the discovery of the Karkoff malware and an analysis of the recent Oilrig malware toolset leak \u2014 and how it could be connected to these two attacks."
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5cc0242b-2ba8-419f-8d14-42e7950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T08:54:03.000Z",
|
||
|
"modified": "2019-04-24T08:54:03.000Z",
|
||
|
"description": "Karkoff sample",
|
||
|
"pattern": "[file:hashes.SHA256 = '5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-24T08:54:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5cc0242b-e1cc-4aec-a163-471f950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T08:54:03.000Z",
|
||
|
"modified": "2019-04-24T08:54:03.000Z",
|
||
|
"description": "Karkoff sample",
|
||
|
"pattern": "[file:hashes.SHA256 = '6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-24T08:54:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5cc0242b-1ac0-448a-a3c9-45ff950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T08:54:03.000Z",
|
||
|
"modified": "2019-04-24T08:54:03.000Z",
|
||
|
"description": "Karkoff sample",
|
||
|
"pattern": "[file:hashes.SHA256 = 'b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-24T08:54:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5cc0242b-d758-44d4-9614-4759950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T08:54:03.000Z",
|
||
|
"modified": "2019-04-24T08:54:03.000Z",
|
||
|
"description": "Karkoff sample",
|
||
|
"pattern": "[file:hashes.SHA256 = 'cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-24T08:54:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5cc02456-7350-4263-bbc9-4205950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T08:54:46.000Z",
|
||
|
"modified": "2019-04-24T08:54:46.000Z",
|
||
|
"description": "C2 server",
|
||
|
"pattern": "[domain-name:value = 'coldfart.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-24T08:54:46Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5cc02456-7a84-49a2-b073-4ea8950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T08:54:46.000Z",
|
||
|
"modified": "2019-04-24T08:54:46.000Z",
|
||
|
"description": "C2 server",
|
||
|
"pattern": "[domain-name:value = 'rimrun.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-24T08:54:46Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5cc02456-b618-4f07-9281-4404950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T08:54:46.000Z",
|
||
|
"modified": "2019-04-24T08:54:46.000Z",
|
||
|
"description": "C2 server",
|
||
|
"pattern": "[domain-name:value = 'kuternull.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-24T08:54:46Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T08:56:10.000Z",
|
||
|
"modified": "2019-04-24T08:56:10.000Z",
|
||
|
"first_observed": "2019-04-24T08:56:10Z",
|
||
|
"last_observed": "2019-04-24T08:56:10Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"network-traffic--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9",
|
||
|
"ipv4-addr--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-src\"",
|
||
|
"misp:category=\"Network activity\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "network-traffic",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "network-traffic--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9",
|
||
|
"src_ref": "ipv4-addr--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9",
|
||
|
"protocols": [
|
||
|
"tcp"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "ipv4-addr",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "ipv4-addr--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9",
|
||
|
"value": "108.62.141.247"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5cc024b9-0c94-42a4-820b-1bc4e387cbd9",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T08:56:25.000Z",
|
||
|
"modified": "2019-04-24T08:56:25.000Z",
|
||
|
"first_observed": "2019-04-24T08:56:25Z",
|
||
|
"last_observed": "2019-04-24T08:56:25Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"network-traffic--5cc024b9-0c94-42a4-820b-1bc4e387cbd9",
|
||
|
"ipv4-addr--5cc024b9-0c94-42a4-820b-1bc4e387cbd9"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-src\"",
|
||
|
"misp:category=\"Network activity\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "network-traffic",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "network-traffic--5cc024b9-0c94-42a4-820b-1bc4e387cbd9",
|
||
|
"src_ref": "ipv4-addr--5cc024b9-0c94-42a4-820b-1bc4e387cbd9",
|
||
|
"protocols": [
|
||
|
"tcp"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "ipv4-addr",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "ipv4-addr--5cc024b9-0c94-42a4-820b-1bc4e387cbd9",
|
||
|
"value": "74.118.138.192"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5cc02a7b-08f8-493b-b253-247f950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T09:20:59.000Z",
|
||
|
"modified": "2019-04-24T09:20:59.000Z",
|
||
|
"description": "DNSpionage XLS document",
|
||
|
"pattern": "[file:hashes.SHA256 = '2fa19292f353b4078a9bf398f8837d991e383c99e147727eaa6a03ce0259b3c5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-24T09:20:59Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5cc02ab1-70b0-446f-8b28-2497950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T09:21:53.000Z",
|
||
|
"modified": "2019-04-24T09:21:53.000Z",
|
||
|
"description": "DNSpionage",
|
||
|
"pattern": "[file:hashes.SHA256 = 'e398dac59f604d42362ffe8a2947d4351a652516ebfb25ddf0838dd2c8523be8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-24T09:21:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--3148bbb8-f76e-4556-b973-3dea9cf89820",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T09:22:50.000Z",
|
||
|
"modified": "2019-04-24T09:22:50.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = 'a583430c9c504fb216c9f976401ecd13' AND file:hashes.SHA1 = 'cd3b6c517227ad356264ff076cf0ea106b67fc13' AND file:hashes.SHA256 = 'cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-24T09:22:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--5f8b1fcb-d5e4-4e95-adc0-253f765c8f61",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T09:22:51.000Z",
|
||
|
"modified": "2019-04-24T09:22:51.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-04-24T08:58:49",
|
||
|
"category": "Other",
|
||
|
"comment": "Karkoff sample",
|
||
|
"uuid": "cb98656d-453e-40aa-b337-e83a5c473a20"
|
||
|
},
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5/analysis/1556096329/",
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Karkoff sample",
|
||
|
"uuid": "28a8b196-6a06-44d6-962b-6efc4d4f3945"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "38/71",
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Karkoff sample",
|
||
|
"uuid": "b29d31d3-c624-4c4c-99cd-626101e0d47b"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--6393b267-5ff7-4204-85cf-709530bc110d",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T09:22:51.000Z",
|
||
|
"modified": "2019-04-24T09:22:51.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '530606b66bcd5a776f2cdecb34ee0fd1' AND file:hashes.SHA1 = '72ada4db1c70214e19eece2021669d95b94c0d4f' AND file:hashes.SHA256 = 'e398dac59f604d42362ffe8a2947d4351a652516ebfb25ddf0838dd2c8523be8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-24T09:22:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--5baaf36e-74f0-4e6b-b18a-377bc301867e",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T09:22:51.000Z",
|
||
|
"modified": "2019-04-24T09:22:51.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-04-24T09:05:37",
|
||
|
"category": "Other",
|
||
|
"comment": "DNSpionage",
|
||
|
"uuid": "6e2a7b92-867b-4c11-8b30-b925221ce51a"
|
||
|
},
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/e398dac59f604d42362ffe8a2947d4351a652516ebfb25ddf0838dd2c8523be8/analysis/1556096737/",
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DNSpionage",
|
||
|
"uuid": "9eda0fba-ebc8-494e-81a2-3c45135c591e"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "48/69",
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DNSpionage",
|
||
|
"uuid": "ee3f4732-30c5-49fc-9b1d-a6a732cb4f42"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--52ca9602-5ef6-4de3-b528-058d33844ea3",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T09:22:51.000Z",
|
||
|
"modified": "2019-04-24T09:22:51.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = 'a37703a0d08996a5fc04db52b71b9bcd' AND file:hashes.SHA1 = '7c7e1179eb3cd9effa92f303dd5e45ba881db15d' AND file:hashes.SHA256 = '6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-24T09:22:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--993871f0-b786-4813-9811-7f60eb385014",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T09:22:51.000Z",
|
||
|
"modified": "2019-04-24T09:22:51.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-04-24T07:39:13",
|
||
|
"category": "Other",
|
||
|
"comment": "Karkoff sample",
|
||
|
"uuid": "a0e51f81-2cc5-438d-96d0-de19d5e93442"
|
||
|
},
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11/analysis/1556091553/",
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Karkoff sample",
|
||
|
"uuid": "ccb7b733-4e20-4840-9ee4-be4b8451f1e1"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "39/66",
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Karkoff sample",
|
||
|
"uuid": "c6600e9e-5bf0-402c-8666-df0823154fe9"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--9daaf5c9-c7e0-444d-b551-ff231e16521a",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T09:22:51.000Z",
|
||
|
"modified": "2019-04-24T09:22:51.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '5733afe71bd0a32328d6ed9978260fa4' AND file:hashes.SHA1 = '5dbaaf4b338471ad58065fcdf335673977b2b261' AND file:hashes.SHA256 = '5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-24T09:22:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--fd6fe17b-18a9-4729-9276-796667da59b6",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T09:22:51.000Z",
|
||
|
"modified": "2019-04-24T09:22:51.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-04-24T07:39:16",
|
||
|
"category": "Other",
|
||
|
"comment": "Karkoff sample",
|
||
|
"uuid": "287255d9-5d0f-49f7-afd9-256da7290db1"
|
||
|
},
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c/analysis/1556091556/",
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Karkoff sample",
|
||
|
"uuid": "d2ae94de-8869-48a0-bff0-acf3465c6a74"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "42/71",
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Karkoff sample",
|
||
|
"uuid": "7c4854e3-0c44-4143-b133-8273c30bf122"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--1fc50c0d-6a22-4c8f-9823-229fb2334f2e",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T09:22:51.000Z",
|
||
|
"modified": "2019-04-24T09:22:51.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '85a3a5f55fcbe63d2181cfa753f35fe1' AND file:hashes.SHA1 = 'd9844a1845446367822944464ba65965b1b70c4f' AND file:hashes.SHA256 = 'b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-24T09:22:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--71ee7c63-f4fa-463e-8a7d-054b9920e0a3",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-24T09:22:51.000Z",
|
||
|
"modified": "2019-04-24T09:22:51.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-04-24T07:39:18",
|
||
|
"category": "Other",
|
||
|
"comment": "Karkoff sample",
|
||
|
"uuid": "4ab8fa22-de5b-4d45-b328-a28f6ca4bc4f"
|
||
|
},
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04/analysis/1556091558/",
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Karkoff sample",
|
||
|
"uuid": "2490a445-4913-49ad-9366-9cecf26b7505"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "41/65",
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Karkoff sample",
|
||
|
"uuid": "3d31e031-8726-4941-a004-143375bd7aa0"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--32150263-0a25-4053-a03c-7237072e629a",
|
||
|
"created": "2019-04-24T09:22:51.000Z",
|
||
|
"modified": "2019-04-24T09:22:51.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--3148bbb8-f76e-4556-b973-3dea9cf89820",
|
||
|
"target_ref": "x-misp-object--5f8b1fcb-d5e4-4e95-adc0-253f765c8f61"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--6a4824dd-74ff-4f66-b923-42037d5dd2d0",
|
||
|
"created": "2019-04-24T09:22:52.000Z",
|
||
|
"modified": "2019-04-24T09:22:52.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--6393b267-5ff7-4204-85cf-709530bc110d",
|
||
|
"target_ref": "x-misp-object--5baaf36e-74f0-4e6b-b18a-377bc301867e"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--8862bb8d-7bbc-4c4c-b897-8f4b7124d350",
|
||
|
"created": "2019-04-24T09:22:52.000Z",
|
||
|
"modified": "2019-04-24T09:22:52.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--52ca9602-5ef6-4de3-b528-058d33844ea3",
|
||
|
"target_ref": "x-misp-object--993871f0-b786-4813-9811-7f60eb385014"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--90c7c2d8-d7d1-4757-b9fd-ab4ed5c8e1f0",
|
||
|
"created": "2019-04-24T09:22:52.000Z",
|
||
|
"modified": "2019-04-24T09:22:52.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--9daaf5c9-c7e0-444d-b551-ff231e16521a",
|
||
|
"target_ref": "x-misp-object--fd6fe17b-18a9-4729-9276-796667da59b6"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--3e199573-1c43-4dc1-9259-b6b8009f15cc",
|
||
|
"created": "2019-04-24T09:22:52.000Z",
|
||
|
"modified": "2019-04-24T09:22:52.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--1fc50c0d-6a22-4c8f-9823-229fb2334f2e",
|
||
|
"target_ref": "x-misp-object--71ee7c63-f4fa-463e-8a7d-054b9920e0a3"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|