{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--5d78a50e-ba3c-40b3-a5c1-4fb1950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T09:15:00.000Z",
|
||
|
"modified": "2019-09-11T09:15:00.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--5d78a50e-ba3c-40b3-a5c1-4fb1950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T09:15:00.000Z",
|
||
|
"modified": "2019-09-11T09:15:00.000Z",
|
||
|
"name": "OSINT - ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group",
|
||
|
"published": "2019-09-11T12:17:21Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--5d78a9c4-1108-4eb4-aca8-e76e950d210f",
|
||
|
"url--5d78a9c4-1108-4eb4-aca8-e76e950d210f",
|
||
|
"x-misp-attribute--5d78a9db-1b4c-4f0b-8e96-8aaa950d210f",
|
||
|
"indicator--5d78acb4-ae5c-468f-8570-e7f0950d210f",
|
||
|
"indicator--5d78acb4-8a10-4a25-9981-e7f0950d210f",
|
||
|
"indicator--5d78acb4-91d4-4a43-b367-e7f0950d210f",
|
||
|
"indicator--5d78acb4-fed4-4e1a-9239-e7f0950d210f",
|
||
|
"indicator--5d78acb4-1f6c-43db-9dc0-e7f0950d210f",
|
||
|
"indicator--5d78acde-9514-4e9d-968b-c52e950d210f",
|
||
|
"indicator--5d78acde-80f8-4127-81c8-c52e950d210f",
|
||
|
"indicator--5d78acde-69bc-4b16-935d-c52e950d210f",
|
||
|
"indicator--5d78acde-d94c-48a4-9770-c52e950d210f",
|
||
|
"x-misp-attribute--5d78ba7f-97f0-4ba7-8062-95e4950d210f",
|
||
|
"observed-data--5d78bb45-783c-456e-a632-4105e387cbd9",
|
||
|
"network-traffic--5d78bb45-783c-456e-a632-4105e387cbd9",
|
||
|
"ipv4-addr--5d78bb45-783c-456e-a632-4105e387cbd9",
|
||
|
"observed-data--5d78bb45-5550-4792-81df-43b1e387cbd9",
|
||
|
"network-traffic--5d78bb45-5550-4792-81df-43b1e387cbd9",
|
||
|
"ipv4-addr--5d78bb45-5550-4792-81df-43b1e387cbd9",
|
||
|
"observed-data--5d78bb46-8dbc-41cf-971d-431de387cbd9",
|
||
|
"network-traffic--5d78bb46-8dbc-41cf-971d-431de387cbd9",
|
||
|
"ipv4-addr--5d78bb46-8dbc-41cf-971d-431de387cbd9",
|
||
|
"x-misp-object--5d78aae9-e0fc-4efb-957e-4829950d210f",
|
||
|
"x-misp-object--5d78ab5c-a620-4d62-b72b-8aa5950d210f",
|
||
|
"x-misp-object--5d78ad11-8e74-4fda-92f9-e7f0950d210f",
|
||
|
"x-misp-object--5d78ad26-4fbc-4e8e-a634-ca95950d210f",
|
||
|
"x-misp-object--5d78ad3a-5f28-4ba2-a5c6-8aa5950d210f",
|
||
|
"x-misp-object--5d78ad60-53c4-4617-b7c0-8aa9950d210f",
|
||
|
"x-misp-object--5d78adad-d90c-4b7f-b37c-8aaa950d210f",
|
||
|
"observed-data--5d78aee4-c290-488a-a73c-e7f0950d210f",
|
||
|
"user-account--5d78aee4-c290-488a-a73c-e7f0950d210f",
|
||
|
"x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f",
|
||
|
"relationship--cf61164c-5d59-4633-8192-45a170deece1",
|
||
|
"relationship--bd18e389-b0f8-4558-8f5c-88aa1ba64caa",
|
||
|
"relationship--d8063dc9-1f21-4975-b487-173cbf364e49",
|
||
|
"relationship--36aa5fb1-9b1f-461f-b7d8-94280cc8016b",
|
||
|
"relationship--344c084a-d38c-46df-9284-e881b8dea872",
|
||
|
"relationship--067c7ed7-964d-49bd-933a-db2dc5595dfe",
|
||
|
"relationship--47925d34-2441-46d2-b2c9-64cbea0f2dad"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Stealth Falcon\"",
|
||
|
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Stealth Falcon - G0038\"",
|
||
|
"misp-galaxy:mitre-intrusion-set=\"Stealth Falcon\"",
|
||
|
"misp-galaxy:mitre-intrusion-set=\"Stealth Falcon - G0038\"",
|
||
|
"misp-galaxy:threat-actor=\"Stealth Falcon\"",
|
||
|
"type:OSINT",
|
||
|
"osint:lifetime=\"perpetual\"",
|
||
|
"osint:certainty=\"50\"",
|
||
|
"misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\"",
|
||
|
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"BITS Jobs - T1197\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5d78a9c4-1108-4eb4-aca8-e76e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T08:01:08.000Z",
|
||
|
"modified": "2019-09-11T08:01:08.000Z",
|
||
|
"first_observed": "2019-09-11T08:01:08Z",
|
||
|
"last_observed": "2019-09-11T08:01:08Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5d78a9c4-1108-4eb4-aca8-e76e950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5d78a9c4-1108-4eb4-aca8-e76e950d210f",
|
||
|
"value": "https://www.welivesecurity.com/2019/09/09/backdoor-stealth-falcon-group/"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5d78a9db-1b4c-4f0b-8e96-8aaa950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T08:01:31.000Z",
|
||
|
"modified": "2019-09-11T08:01:31.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "Stealth Falcon is a threat group, active since 2012, that targets political activists and journalists in the Middle East. It has been tracked by the Citizen Lab, a non-profit organization focusing on security and human rights, which published an analysis of a particular cyberattack in 2016. In January of 2019, Reuters published an investigative report into Project Raven, an initiative allegedly employing former NSA operatives and aiming at the same types of targets as Stealth Falcon."
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d78acb4-ae5c-468f-8570-e7f0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T08:13:40.000Z",
|
||
|
"modified": "2019-09-11T08:13:40.000Z",
|
||
|
"description": "C&C",
|
||
|
"pattern": "[domain-name:value = 'footballtimes.info']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-09-11T08:13:40Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d78acb4-8a10-4a25-9981-e7f0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T08:13:40.000Z",
|
||
|
"modified": "2019-09-11T08:13:40.000Z",
|
||
|
"description": "C&C",
|
||
|
"pattern": "[domain-name:value = 'vegetableportfolio.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-09-11T08:13:40Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d78acb4-91d4-4a43-b367-e7f0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T08:13:40.000Z",
|
||
|
"modified": "2019-09-11T08:13:40.000Z",
|
||
|
"description": "C&C",
|
||
|
"pattern": "[domain-name:value = 'windowsearchcache.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-09-11T08:13:40Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d78acb4-fed4-4e1a-9239-e7f0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T08:13:40.000Z",
|
||
|
"modified": "2019-09-11T08:13:40.000Z",
|
||
|
"description": "C&C",
|
||
|
"pattern": "[domain-name:value = 'electricalweb.org']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-09-11T08:13:40Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d78acb4-1f6c-43db-9dc0-e7f0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T08:13:40.000Z",
|
||
|
"modified": "2019-09-11T08:13:40.000Z",
|
||
|
"description": "C&C",
|
||
|
"pattern": "[domain-name:value = 'upnpdiscover.org']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-09-11T08:13:40Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d78acde-9514-4e9d-968b-c52e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T08:14:22.000Z",
|
||
|
"modified": "2019-09-11T08:14:22.000Z",
|
||
|
"description": "malware as detected by ESET",
|
||
|
"pattern": "[file:hashes.SHA1 = '31b54aebdaf5fbc73a66ac41ccb35943cc9b7f72']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-09-11T08:14:22Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d78acde-80f8-4127-81c8-c52e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T08:14:22.000Z",
|
||
|
"modified": "2019-09-11T08:14:22.000Z",
|
||
|
"description": "malware as detected by ESET",
|
||
|
"pattern": "[file:hashes.SHA1 = '50973a3fc57d70c7911f7a952356188b9939e56b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-09-11T08:14:22Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d78acde-69bc-4b16-935d-c52e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T08:14:22.000Z",
|
||
|
"modified": "2019-09-11T08:14:22.000Z",
|
||
|
"description": "malware as detected by ESET",
|
||
|
"pattern": "[file:hashes.SHA1 = '244eb62b9ac30934098ca4204447440d6fc4e259']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-09-11T08:14:22Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d78acde-d94c-48a4-9770-c52e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T08:14:22.000Z",
|
||
|
"modified": "2019-09-11T08:14:22.000Z",
|
||
|
"description": "malware as detected by ESET",
|
||
|
"pattern": "[file:hashes.SHA1 = '5c8f83cc4ff57e7c67925df4d9daabe5d0cc07e2']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-09-11T08:14:22Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5d78ba7f-97f0-4ba7-8062-95e4950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T09:12:31.000Z",
|
||
|
"modified": "2019-09-11T09:12:31.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"Antivirus detection\""
|
||
|
],
|
||
|
"x_misp_category": "Antivirus detection",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "Win32/StealthFalcon"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5d78bb45-783c-456e-a632-4105e387cbd9",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T09:15:49.000Z",
|
||
|
"modified": "2019-09-11T09:15:49.000Z",
|
||
|
"first_observed": "2019-09-11T09:15:49Z",
|
||
|
"last_observed": "2019-09-11T09:15:49Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"network-traffic--5d78bb45-783c-456e-a632-4105e387cbd9",
|
||
|
"ipv4-addr--5d78bb45-783c-456e-a632-4105e387cbd9"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-src\"",
|
||
|
"misp:category=\"Network activity\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "network-traffic",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "network-traffic--5d78bb45-783c-456e-a632-4105e387cbd9",
|
||
|
"src_ref": "ipv4-addr--5d78bb45-783c-456e-a632-4105e387cbd9",
|
||
|
"protocols": [
|
||
|
"tcp"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "ipv4-addr",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "ipv4-addr--5d78bb45-783c-456e-a632-4105e387cbd9",
|
||
|
"value": "185.227.82.19"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5d78bb45-5550-4792-81df-43b1e387cbd9",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T09:15:49.000Z",
|
||
|
"modified": "2019-09-11T09:15:49.000Z",
|
||
|
"first_observed": "2019-09-11T09:15:49Z",
|
||
|
"last_observed": "2019-09-11T09:15:49Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"network-traffic--5d78bb45-5550-4792-81df-43b1e387cbd9",
|
||
|
"ipv4-addr--5d78bb45-5550-4792-81df-43b1e387cbd9"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-src\"",
|
||
|
"misp:category=\"Network activity\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "network-traffic",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "network-traffic--5d78bb45-5550-4792-81df-43b1e387cbd9",
|
||
|
"src_ref": "ipv4-addr--5d78bb45-5550-4792-81df-43b1e387cbd9",
|
||
|
"protocols": [
|
||
|
"tcp"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "ipv4-addr",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "ipv4-addr--5d78bb45-5550-4792-81df-43b1e387cbd9",
|
||
|
"value": "46.183.219.85"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5d78bb46-8dbc-41cf-971d-431de387cbd9",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T09:15:50.000Z",
|
||
|
"modified": "2019-09-11T09:15:50.000Z",
|
||
|
"first_observed": "2019-09-11T09:15:50Z",
|
||
|
"last_observed": "2019-09-11T09:15:50Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"network-traffic--5d78bb46-8dbc-41cf-971d-431de387cbd9",
|
||
|
"ipv4-addr--5d78bb46-8dbc-41cf-971d-431de387cbd9"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-src\"",
|
||
|
"misp:category=\"Network activity\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "network-traffic",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "network-traffic--5d78bb46-8dbc-41cf-971d-431de387cbd9",
|
||
|
"src_ref": "ipv4-addr--5d78bb46-8dbc-41cf-971d-431de387cbd9",
|
||
|
"protocols": [
|
||
|
"tcp"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "ipv4-addr",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "ipv4-addr--5d78bb46-8dbc-41cf-971d-431de387cbd9",
|
||
|
"value": "193.105.134.75"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--5d78aae9-e0fc-4efb-957e-4829950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T08:06:01.000Z",
|
||
|
"modified": "2019-09-11T08:06:01.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"command-line\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "description",
|
||
|
"value": "Uninstall itself",
|
||
|
"category": "Other",
|
||
|
"uuid": "5d78aae9-9994-4be3-90b5-4f4e950d210f"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "value",
|
||
|
"value": "K",
|
||
|
"category": "Other",
|
||
|
"uuid": "5d78aaef-b248-4e75-a0eb-4453950d210f"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "command-line"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--5d78ab5c-a620-4d62-b72b-8aa5950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T08:07:56.000Z",
|
||
|
"modified": "2019-09-11T08:07:56.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"command-line\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "description",
|
||
|
"value": "Update configuration data",
|
||
|
"category": "Other",
|
||
|
"uuid": "5d78ab5c-a738-43f5-9441-8aa5950d210f"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "value",
|
||
|
"value": "CFG",
|
||
|
"category": "Other",
|
||
|
"uuid": "5d78ab62-3fd8-49d7-9c2e-8aa5950d210f"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "command-line"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--5d78ad11-8e74-4fda-92f9-e7f0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T08:15:13.000Z",
|
||
|
"modified": "2019-09-11T08:15:13.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"command-line\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "description",
|
||
|
"value": "Execute the specified application",
|
||
|
"category": "Other",
|
||
|
"uuid": "5d78ad11-5028-48f2-a2d7-e7f0950d210f"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "value",
|
||
|
"value": "RC",
|
||
|
"category": "Other",
|
||
|
"uuid": "5d78ad11-deb8-4372-a92a-e7f0950d210f"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "command-line"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--5d78ad26-4fbc-4e8e-a634-ca95950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T08:15:34.000Z",
|
||
|
"modified": "2019-09-11T08:15:34.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"command-line\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "description",
|
||
|
"value": "Write downloaded data to file",
|
||
|
"category": "Other",
|
||
|
"uuid": "5d78ad26-9728-4f7e-b0d1-ca95950d210f"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "value",
|
||
|
"value": "DL",
|
||
|
"category": "Other",
|
||
|
"uuid": "5d78ad26-84c0-4df6-884e-ca95950d210f"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "command-line"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--5d78ad3a-5f28-4ba2-a5c6-8aa5950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T08:15:54.000Z",
|
||
|
"modified": "2019-09-11T08:15:54.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"command-line\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "description",
|
||
|
"value": "Prepare a file for exfiltration",
|
||
|
"category": "Other",
|
||
|
"uuid": "5d78ad3a-3c64-4abb-917a-8aa5950d210f"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "value",
|
||
|
"value": "CF",
|
||
|
"category": "Other",
|
||
|
"uuid": "5d78ad3a-4e10-403d-8aac-8aa5950d210f"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "command-line"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--5d78ad60-53c4-4617-b7c0-8aa9950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T08:16:32.000Z",
|
||
|
"modified": "2019-09-11T08:16:32.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"command-line\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "description",
|
||
|
"value": "Not implemented/no operation",
|
||
|
"category": "Other",
|
||
|
"uuid": "5d78ad60-b23c-4624-9dbe-8aa9950d210f"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "value",
|
||
|
"value": "CFWD",
|
||
|
"category": "Other",
|
||
|
"uuid": "5d78ad60-44bc-474a-b925-8aa9950d210f"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "command-line"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--5d78adad-d90c-4b7f-b37c-8aaa950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T08:17:49.000Z",
|
||
|
"modified": "2019-09-11T08:17:49.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"command-line\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "description",
|
||
|
"value": "Exfiltrate and delete files",
|
||
|
"category": "Other",
|
||
|
"uuid": "5d78adad-02d8-4d3d-8e80-8aaa950d210f"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "value",
|
||
|
"value": "CFW",
|
||
|
"category": "Other",
|
||
|
"uuid": "5d78adad-0394-46aa-8539-8aaa950d210f"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "command-line"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5d78aee4-c290-488a-a73c-e7f0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T08:23:00.000Z",
|
||
|
"modified": "2019-09-11T08:23:00.000Z",
|
||
|
"first_observed": "2019-09-11T08:23:00Z",
|
||
|
"last_observed": "2019-09-11T08:23:00Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"user-account--5d78aee4-c290-488a-a73c-e7f0950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"credential\"",
|
||
|
"misp:meta-category=\"misc\"",
|
||
|
"misp:to_ids=\"False\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "user-account",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "user-account--5d78aee4-c290-488a-a73c-e7f0950d210f",
|
||
|
"credential": "258A4A9D139823F55D7B9DA1825D101107FBF88634A870DE9800580DAD556BA3",
|
||
|
"x_misp_format": "clear-text",
|
||
|
"x_misp_origin": "malware-analysis",
|
||
|
"x_misp_password": [
|
||
|
"2519DB0FFEC604D6C9A655CF56B98EDCE10405DE36810BC3DCF125CDE30BA5A2",
|
||
|
"3EDB6EA77CD0987668B360365D5F39FDCF6B366D0DEAC9ECE5ADC6FFD20227F6",
|
||
|
"8DFFDE77A39F3AF46D0CE0B84A189DB25A2A0FEFD71A0CD0054D8E0D60AB08DE"
|
||
|
],
|
||
|
"x_misp_text": "Note: Malware derives a second RC4 key by XORing each byte of the hardcoded key with 0x3D.",
|
||
|
"x_misp_type": "encryption-key"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-11T09:12:00.000Z",
|
||
|
"modified": "2019-09-11T09:12:00.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"command\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "description",
|
||
|
"value": "Win32/StealthFalcon is a DLL file which, after execution, schedules itself as a task running on each user login. It only supports basic commands but displays a systematic approach to data collection, data exfiltration, employing further malicious tools, and updating its configuration.",
|
||
|
"category": "Other",
|
||
|
"uuid": "5d78b6f7-b7a4-49ac-9369-c534950d210f"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "trigger",
|
||
|
"value": "Network",
|
||
|
"category": "Other",
|
||
|
"uuid": "5d78b6f7-17a8-4b54-8725-c534950d210f"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "location",
|
||
|
"value": "Bundled",
|
||
|
"category": "Other",
|
||
|
"uuid": "5d78b6f7-be18-4e99-add1-c534950d210f"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_comment": "Backdoor commands",
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "command"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--cf61164c-5d59-4633-8192-45a170deece1",
|
||
|
"created": "2019-09-11T08:58:18.000Z",
|
||
|
"modified": "2019-09-11T08:58:18.000Z",
|
||
|
"relationship_type": "contains",
|
||
|
"source_ref": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f",
|
||
|
"target_ref": "x-misp-object--5d78aae9-e0fc-4efb-957e-4829950d210f"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--bd18e389-b0f8-4558-8f5c-88aa1ba64caa",
|
||
|
"created": "2019-09-11T09:05:16.000Z",
|
||
|
"modified": "2019-09-11T09:05:16.000Z",
|
||
|
"relationship_type": "contains",
|
||
|
"source_ref": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f",
|
||
|
"target_ref": "x-misp-object--5d78ab5c-a620-4d62-b72b-8aa5950d210f"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--d8063dc9-1f21-4975-b487-173cbf364e49",
|
||
|
"created": "2019-09-11T09:05:28.000Z",
|
||
|
"modified": "2019-09-11T09:05:28.000Z",
|
||
|
"relationship_type": "contains",
|
||
|
"source_ref": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f",
|
||
|
"target_ref": "x-misp-object--5d78ad11-8e74-4fda-92f9-e7f0950d210f"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--36aa5fb1-9b1f-461f-b7d8-94280cc8016b",
|
||
|
"created": "2019-09-11T09:05:39.000Z",
|
||
|
"modified": "2019-09-11T09:05:39.000Z",
|
||
|
"relationship_type": "contains",
|
||
|
"source_ref": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f",
|
||
|
"target_ref": "x-misp-object--5d78ad26-4fbc-4e8e-a634-ca95950d210f"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--344c084a-d38c-46df-9284-e881b8dea872",
|
||
|
"created": "2019-09-11T09:06:37.000Z",
|
||
|
"modified": "2019-09-11T09:06:37.000Z",
|
||
|
"relationship_type": "contains",
|
||
|
"source_ref": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f",
|
||
|
"target_ref": "x-misp-object--5d78ad3a-5f28-4ba2-a5c6-8aa5950d210f"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--067c7ed7-964d-49bd-933a-db2dc5595dfe",
|
||
|
"created": "2019-09-11T09:06:49.000Z",
|
||
|
"modified": "2019-09-11T09:06:49.000Z",
|
||
|
"relationship_type": "contains",
|
||
|
"source_ref": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f",
|
||
|
"target_ref": "x-misp-object--5d78ad60-53c4-4617-b7c0-8aa9950d210f"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--47925d34-2441-46d2-b2c9-64cbea0f2dad",
|
||
|
"created": "2019-09-11T09:07:11.000Z",
|
||
|
"modified": "2019-09-11T09:07:11.000Z",
|
||
|
"relationship_type": "contains",
|
||
|
"source_ref": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f",
|
||
|
"target_ref": "x-misp-object--5d78adad-d90c-4b7f-b37c-8aaa950d210f"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}