230 lines
11 KiB
JSON
230 lines
11 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--5735c472-124c-495e-bebd-4bc5950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-13T12:17:33.000Z",
|
||
|
"modified": "2016-05-13T12:17:33.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--5735c472-124c-495e-bebd-4bc5950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-13T12:17:33.000Z",
|
||
|
"modified": "2016-05-13T12:17:33.000Z",
|
||
|
"name": "OSINT - Cyber Heist Attribution",
|
||
|
"published": "2016-05-13T12:17:42Z",
|
||
|
"object_refs": [
|
||
|
"indicator--5735c4cd-b618-4017-99b8-4a42950d210f",
|
||
|
"indicator--5735c509-257c-4157-841e-4b80950d210f",
|
||
|
"indicator--5735c525-ea58-426b-ada0-40e4950d210f",
|
||
|
"x-misp-attribute--5735c53f-2628-432d-9844-4411950d210f",
|
||
|
"indicator--5735c5c3-10ec-44bc-8812-4f7b02de0b81",
|
||
|
"indicator--5735c5c4-b084-4bf4-8f30-4dd202de0b81",
|
||
|
"observed-data--5735c5c4-c4fc-4518-a60e-4c1602de0b81",
|
||
|
"url--5735c5c4-c4fc-4518-a60e-4c1602de0b81",
|
||
|
"x-misp-attribute--5735c5dd-e23c-4948-a76b-4764950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"circl:topic=\"finance\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5735c4cd-b618-4017-99b8-4a42950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-13T12:13:01.000Z",
|
||
|
"modified": "2016-05-13T12:13:01.000Z",
|
||
|
"description": "This sample was uploaded from a user in the US on 4th March 2016",
|
||
|
"pattern": "[file:hashes.SHA1 = 'c6eb8e46810f5806d056c4aa34e7b8d8a2c37cad']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-13T12:13:01Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5735c509-257c-4157-841e-4b80950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-13T12:14:14.000Z",
|
||
|
"modified": "2016-05-13T12:14:14.000Z",
|
||
|
"description": "msoutc.exe accepts a number of parameters passed with the command line. When executed, it checks if there is another instance of itself already running on a system, by attempting to create a mutex called:",
|
||
|
"pattern": "[mutex:name = 'Global\\\\FwtSqmSession106839323_S-1-5-20']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-13T12:14:14Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"mutex\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5735c525-ea58-426b-ada0-40e4950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-13T12:14:29.000Z",
|
||
|
"modified": "2016-05-13T12:14:29.000Z",
|
||
|
"pattern": "[file:name = '\\\\%TEMP\\\\%\\\\sysman\\\\svchost.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-13T12:14:29Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5735c53f-2628-432d-9844-4411950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-13T12:15:11.000Z",
|
||
|
"modified": "2016-05-13T12:15:11.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"pattern-in-memory\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
],
|
||
|
"x_misp_category": "Artifacts dropped",
|
||
|
"x_misp_comment": "The malware keeps its logs within an encrypted file wmplog15r.sqm and/or wmplog21t.sqm, located in the same directory. The logged messages are encrypted with a key",
|
||
|
"x_misp_type": "pattern-in-memory",
|
||
|
"x_misp_value": "y@s!11yid60u7f!07ou74n001"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5735c5c3-10ec-44bc-8812-4f7b02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-13T12:17:07.000Z",
|
||
|
"modified": "2016-05-13T12:17:07.000Z",
|
||
|
"description": "This sample was uploaded from a user in the US on 4th March 2016 - Xchecked via VT: c6eb8e46810f5806d056c4aa34e7b8d8a2c37cad",
|
||
|
"pattern": "[file:hashes.SHA256 = '4cf164497c275ae0f86c28d7847b10f5bd302ba12b995646c32cb53d03b7e6b5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-13T12:17:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5735c5c4-b084-4bf4-8f30-4dd202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-13T12:17:08.000Z",
|
||
|
"modified": "2016-05-13T12:17:08.000Z",
|
||
|
"description": "This sample was uploaded from a user in the US on 4th March 2016 - Xchecked via VT: c6eb8e46810f5806d056c4aa34e7b8d8a2c37cad",
|
||
|
"pattern": "[file:hashes.MD5 = '558b020ce2c80710605ed30678b6fd0c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-13T12:17:08Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5735c5c4-c4fc-4518-a60e-4c1602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-13T12:17:08.000Z",
|
||
|
"modified": "2016-05-13T12:17:08.000Z",
|
||
|
"first_observed": "2016-05-13T12:17:08Z",
|
||
|
"last_observed": "2016-05-13T12:17:08Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5735c5c4-c4fc-4518-a60e-4c1602de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5735c5c4-c4fc-4518-a60e-4c1602de0b81",
|
||
|
"value": "https://www.virustotal.com/file/4cf164497c275ae0f86c28d7847b10f5bd302ba12b995646c32cb53d03b7e6b5/analysis/1463129351/"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5735c5dd-e23c-4948-a76b-4764950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-13T12:17:33.000Z",
|
||
|
"modified": "2016-05-13T12:17:33.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "Attributing a single cyber-attack is a hard task and often impossible. However, when multiple attacks are conducted over long periods of time, they leave a trail of digital evidence. Piecing this together into a campaign can help investigators to see the bigger picture, and even hint at who may be behind the attacks.\r\n\r\nOur research into malware used on SWIFT based systems running in banks has turned up multiple bespoke tools used by a set of attackers. What initially looked to be an isolated incident at one Asian bank turned out to be part of a wider campaign. This led to the identification of a commercial bank in Vietnam that also appears to have been targeted in a similar fashion using tailored malware, but based off a common code-base.\r\n\r\nIn the bank malware cases we know of, the coders used a unique file wipe-out function. This implementation was so distinctive that it further drew our attention \u00e2\u20ac\u201c and so we began to look for other instances of code which had used the same function. Using disassembled machine opcodes (with masked out dynamic virtual addresses) we generated signatures to scan a large malware corpus.\r\n\r\nOur initial search turned up an additional sample which implemented the same wipe-out function."
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|