359 lines
16 KiB
JSON
359 lines
16 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--57c52bbb-6a08-4121-951c-417c950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-08-30T06:56:19.000Z",
|
||
|
"modified": "2016-08-30T06:56:19.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--57c52bbb-6a08-4121-951c-417c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-08-30T06:56:19.000Z",
|
||
|
"modified": "2016-08-30T06:56:19.000Z",
|
||
|
"name": "OSINT - German Speakers Targeted by SPAM Leading to Ozone RAT",
|
||
|
"published": "2016-08-30T06:58:12Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--57c52bf1-4f04-4466-9c0e-4404950d210f",
|
||
|
"url--57c52bf1-4f04-4466-9c0e-4404950d210f",
|
||
|
"x-misp-attribute--57c52c07-b4c0-4e66-82f0-4cce950d210f",
|
||
|
"indicator--57c52c28-a71c-4e6e-820c-47c7950d210f",
|
||
|
"indicator--57c52c29-5318-4609-a82d-45d2950d210f",
|
||
|
"x-misp-attribute--57c52c82-fc9c-4129-9ee1-411b950d210f",
|
||
|
"indicator--57c52cd7-b104-4683-befc-493902de0b81",
|
||
|
"indicator--57c52cd8-e704-4998-9eac-465602de0b81",
|
||
|
"observed-data--57c52cd8-d17c-41eb-99e3-462902de0b81",
|
||
|
"url--57c52cd8-d17c-41eb-99e3-462902de0b81",
|
||
|
"indicator--57c52cd8-13bc-4cd7-b5c1-451d02de0b81",
|
||
|
"indicator--57c52cd8-d148-4252-897d-453f02de0b81",
|
||
|
"observed-data--57c52cd9-b02c-4f91-b14e-407a02de0b81",
|
||
|
"url--57c52cd9-b02c-4f91-b14e-407a02de0b81",
|
||
|
"x-misp-attribute--57c52dca-2844-4603-828f-4905950d210f",
|
||
|
"x-misp-attribute--57c52df9-af58-4f21-917b-4379950d210f",
|
||
|
"x-misp-attribute--57c52e13-6bd8-4b73-96f2-46c7950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"circl:incident-classification=\"malware\"",
|
||
|
"ms-caro-malware:malware-type=\"RemoteAccess\"",
|
||
|
"type:OSINT"
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--57c52bf1-4f04-4466-9c0e-4404950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-08-30T06:47:13.000Z",
|
||
|
"modified": "2016-08-30T06:47:13.000Z",
|
||
|
"first_observed": "2016-08-30T06:47:13Z",
|
||
|
"last_observed": "2016-08-30T06:47:13Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--57c52bf1-4f04-4466-9c0e-4404950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--57c52bf1-4f04-4466-9c0e-4404950d210f",
|
||
|
"value": "https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--57c52c07-b4c0-4e66-82f0-4cce950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-08-30T06:47:35.000Z",
|
||
|
"modified": "2016-08-30T06:47:35.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "Remote Administration Tools (RAT) have been around for a long time. They provide users and administrators with the convenience of being able to take full control of their systems without needing to be physically in front of a device. In this age of global operations, that\u00e2\u20ac\u2122s a huge deal. From troubleshooting machines across countries to observing employees across rooms, RAT solutions have become widely used tools for remote maintenance and monitoring.\r\n\r\nUnfortunately, malware authors often utilize these same capabilities to compromise systems. Full remote access capabilities is a dream tool for the black hat community, and are highly sought after.\r\n\r\nAs a case in point, we recently discovered a SPAM campaign targeting German-speaking users that involves a relatively new commercialized RAT called Ozone."
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c52c28-a71c-4e6e-820c-47c7950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-08-30T06:48:08.000Z",
|
||
|
"modified": "2016-08-30T06:48:08.000Z",
|
||
|
"description": "W32/OzoneRAT.A!tr",
|
||
|
"pattern": "[file:hashes.SHA256 = '70ece9b44f54fa5ac525908da412bf707ce7fae08a8f2b8134f34133df43e982']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-08-30T06:48:08Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c52c29-5318-4609-a82d-45d2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-08-30T06:48:09.000Z",
|
||
|
"modified": "2016-08-30T06:48:09.000Z",
|
||
|
"description": "-JS/Nemucod.C060!tr.dldr",
|
||
|
"pattern": "[file:hashes.SHA256 = '71f1073d0b8aabaf0a2481e9b7c1cd0ca906fee719b45f7d4722d01884c75a17']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-08-30T06:48:09Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--57c52c82-fc9c-4129-9ee1-411b950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-08-30T06:49:38.000Z",
|
||
|
"modified": "2016-08-30T06:49:38.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"Antivirus detection\""
|
||
|
],
|
||
|
"x_misp_category": "Antivirus detection",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "W32/OzoneRAT"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c52cd7-b104-4683-befc-493902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-08-30T06:51:03.000Z",
|
||
|
"modified": "2016-08-30T06:51:03.000Z",
|
||
|
"description": "-JS/Nemucod.C060!tr.dldr - Xchecked via VT: 71f1073d0b8aabaf0a2481e9b7c1cd0ca906fee719b45f7d4722d01884c75a17",
|
||
|
"pattern": "[file:hashes.SHA1 = 'e118c60fbe73cdf3144ecadf97e8a79d3e3f2d4f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-08-30T06:51:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c52cd8-e704-4998-9eac-465602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-08-30T06:51:04.000Z",
|
||
|
"modified": "2016-08-30T06:51:04.000Z",
|
||
|
"description": "-JS/Nemucod.C060!tr.dldr - Xchecked via VT: 71f1073d0b8aabaf0a2481e9b7c1cd0ca906fee719b45f7d4722d01884c75a17",
|
||
|
"pattern": "[file:hashes.MD5 = 'e49ae5faaf3b2cdef6d55481f55c3819']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-08-30T06:51:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--57c52cd8-d17c-41eb-99e3-462902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-08-30T06:51:04.000Z",
|
||
|
"modified": "2016-08-30T06:51:04.000Z",
|
||
|
"first_observed": "2016-08-30T06:51:04Z",
|
||
|
"last_observed": "2016-08-30T06:51:04Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--57c52cd8-d17c-41eb-99e3-462902de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--57c52cd8-d17c-41eb-99e3-462902de0b81",
|
||
|
"value": "https://www.virustotal.com/file/71f1073d0b8aabaf0a2481e9b7c1cd0ca906fee719b45f7d4722d01884c75a17/analysis/1471782216/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c52cd8-13bc-4cd7-b5c1-451d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-08-30T06:51:04.000Z",
|
||
|
"modified": "2016-08-30T06:51:04.000Z",
|
||
|
"description": "W32/OzoneRAT.A!tr - Xchecked via VT: 70ece9b44f54fa5ac525908da412bf707ce7fae08a8f2b8134f34133df43e982",
|
||
|
"pattern": "[file:hashes.SHA1 = '9723f64aa74b32ffe86cef380f3e8397fe754c9e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-08-30T06:51:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c52cd8-d148-4252-897d-453f02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-08-30T06:51:04.000Z",
|
||
|
"modified": "2016-08-30T06:51:04.000Z",
|
||
|
"description": "W32/OzoneRAT.A!tr - Xchecked via VT: 70ece9b44f54fa5ac525908da412bf707ce7fae08a8f2b8134f34133df43e982",
|
||
|
"pattern": "[file:hashes.MD5 = '01e438effb7eb350308ffc0c2d0a60b4']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-08-30T06:51:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--57c52cd9-b02c-4f91-b14e-407a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-08-30T06:51:05.000Z",
|
||
|
"modified": "2016-08-30T06:51:05.000Z",
|
||
|
"first_observed": "2016-08-30T06:51:05Z",
|
||
|
"last_observed": "2016-08-30T06:51:05Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--57c52cd9-b02c-4f91-b14e-407a02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--57c52cd9-b02c-4f91-b14e-407a02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/70ece9b44f54fa5ac525908da412bf707ce7fae08a8f2b8134f34133df43e982/analysis/1471603833/"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--57c52dca-2844-4603-828f-4905950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-08-30T06:55:06.000Z",
|
||
|
"modified": "2016-08-30T06:55:06.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"threat-actor\"",
|
||
|
"misp:category=\"Attribution\""
|
||
|
],
|
||
|
"x_misp_category": "Attribution",
|
||
|
"x_misp_comment": "ciboryn (Skype account)",
|
||
|
"x_misp_type": "threat-actor",
|
||
|
"x_misp_value": "ciboryn"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--57c52df9-af58-4f21-917b-4379950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-08-30T06:55:53.000Z",
|
||
|
"modified": "2016-08-30T06:55:53.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"threat-actor\"",
|
||
|
"misp:category=\"Attribution\""
|
||
|
],
|
||
|
"x_misp_category": "Attribution",
|
||
|
"x_misp_comment": "XMPP account of the RAT seller",
|
||
|
"x_misp_type": "threat-actor",
|
||
|
"x_misp_value": "cibor@jabbim.com"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--57c52e13-6bd8-4b73-96f2-46c7950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-08-30T06:56:19.000Z",
|
||
|
"modified": "2016-08-30T06:56:19.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"threat-actor\"",
|
||
|
"misp:category=\"Attribution\""
|
||
|
],
|
||
|
"x_misp_category": "Attribution",
|
||
|
"x_misp_comment": "Email of the RAT seller",
|
||
|
"x_misp_type": "threat-actor",
|
||
|
"x_misp_value": "cibosales@gmail.com"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|