{
"type": "bundle",
"id": "bundle--5870f2f5-5744-4ded-a6f5-469c950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:10:14.000Z",
"modified": "2017-01-07T14:10:14.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5870f2f5-5744-4ded-a6f5-469c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:10:14.000Z",
"modified": "2017-01-07T14:10:14.000Z",
"name": "OSINT - 2016 Updates to Shifu Banking Trojan",
"published": "2017-01-07T14:10:27Z",
"object_refs": [
"x-misp-attribute--5870f31f-01f0-42fa-b746-4d2b950d210f",
"observed-data--5870f32b-6864-4da5-87f3-477c950d210f",
"url--5870f32b-6864-4da5-87f3-477c950d210f",
"vulnerability--5870f363-0640-47d0-9bdd-422d950d210f",
"vulnerability--5870f363-d7dc-4588-815e-4bfb950d210f",
"x-misp-attribute--5870f391-9b5c-440e-b68a-4de3950d210f",
"x-misp-attribute--5870f393-add0-49e8-921f-47a6950d210f",
"x-misp-attribute--5870f393-4888-4dc5-8269-4753950d210f",
"x-misp-attribute--5870f394-4a04-4eac-b562-4d39950d210f",
"x-misp-attribute--5870f395-b0ac-412c-9c9e-4c02950d210f",
"indicator--5870f3ad-77c8-409b-a83f-42e6950d210f",
"indicator--5870f3ae-e4bc-42ea-8d87-4010950d210f",
"indicator--5870f3af-3904-4b3c-b447-41fc950d210f",
"indicator--5870f3af-7a24-489c-9e8a-4cef950d210f",
"indicator--5870f3c6-0068-42bb-bec1-4c6c950d210f",
"indicator--5870f3c7-1940-479d-b282-4b0f950d210f",
"indicator--5870f3dc-fa2c-4b55-b184-439a950d210f",
"indicator--5870f3ef-7c44-4011-a6cb-4038950d210f",
"indicator--5870f400-92d0-4150-b336-4188950d210f",
"indicator--5870f417-9e8c-44e7-aa42-4b41950d210f",
"indicator--5870f418-6144-41da-8f8f-4519950d210f",
"observed-data--5870f459-8f84-46fb-8337-487d950d210f",
"network-traffic--5870f459-8f84-46fb-8337-487d950d210f",
"ipv4-addr--5870f459-8f84-46fb-8337-487d950d210f",
"observed-data--5870f45a-ced0-4005-8c53-4d40950d210f",
"network-traffic--5870f45a-ced0-4005-8c53-4d40950d210f",
"ipv4-addr--5870f45a-ced0-4005-8c53-4d40950d210f",
"observed-data--5870f45b-ab50-4287-a78c-4d5b950d210f",
"network-traffic--5870f45b-ab50-4287-a78c-4d5b950d210f",
"ipv4-addr--5870f45b-ab50-4287-a78c-4d5b950d210f",
"observed-data--5870f4a6-fa74-4521-9406-436e950d210f",
"domain-name--5870f4a6-fa74-4521-9406-436e950d210f",
"indicator--5870f50c-8794-4494-94b6-411f950d210f",
"indicator--5870f51e-2684-41fa-bd5c-411d950d210f",
"indicator--5870f51f-3f24-4d5d-bdbf-416b950d210f",
"indicator--5870f54a-8dd4-4624-8120-4bad02de0b81",
"indicator--5870f54a-d7a4-401c-9416-4dbb02de0b81",
"observed-data--5870f54b-3930-47d3-8f15-4ed602de0b81",
"url--5870f54b-3930-47d3-8f15-4ed602de0b81",
"indicator--5870f54c-9760-4b93-b1eb-43f702de0b81",
"indicator--5870f54c-9fc0-4b09-8064-498602de0b81",
"observed-data--5870f54d-98b4-4843-b50f-417502de0b81",
"url--5870f54d-98b4-4843-b50f-417502de0b81",
"indicator--5870f54e-ddc8-451c-9241-424302de0b81",
"indicator--5870f54f-f520-4ce5-87bf-468202de0b81",
"observed-data--5870f550-7bb0-4a2d-afa9-4fdc02de0b81",
"url--5870f550-7bb0-4a2d-afa9-4fdc02de0b81",
"indicator--5870f550-d244-46af-acc6-4d1102de0b81",
"indicator--5870f551-43f4-4734-9ea4-43c602de0b81",
"observed-data--5870f552-90a0-4f87-8962-426802de0b81",
"url--5870f552-90a0-4f87-8962-426802de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"circl:topic=\"finance\"",
"veris:action:social:target=\"Finance\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5870f31f-01f0-42fa-b746-4d2b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T13:54:39.000Z",
"modified": "2017-01-07T13:54:39.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Shifu is a Banking Trojan first discovered in 2015. Shifu is based on the Shiz source code, which incorporated techniques used by Zeus. Attackers use Shifu to steal credentials for online banking websites around the world, starting in Russia but later including the UK, Italy, and others.\r\n\r\nPalo Alto Networks Unit 42 research has found that the Shifu authors have evolved Shifu in 2016. Our research has found that Shifu has incorporated multiple new techniques to infect and evade detection on Microsoft Windows systems. Some of these include:\r\n\r\n- Exploitation of CVE-2016-0167, a Microsoft Windows privilege escalation vulnerability, to gain SYSTEM-level privileges. Earlier versions of Shifu exploited CVE-2015-0003 to achieve the same goal\r\n- Use of a Windows atom to identify if the host is already infected with Shifu, in addition to the mutex used by previous versions\r\n- Use of \u201cpush-calc-ret\u201d API obfuscation to hide function calls from malware analysts\r\n- Use of alternative Namecoin .bit domains\r\n\r\nWe have also identified new links between Shifu and other tools which suggest Shifu isn\u2019t simply based on the Shiz Trojan, but is probably the latest evolution of Shiz.\r\n\r\nThe primary goal of this report is to introduce Shifu\u2019s new features to other malware analysts who may encounter this Trojan in the future. The following sections give an overview of the new features, and the appendix at the end includes the technical details on the overall functionality of Shifu."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5870f32b-6864-4da5-87f3-477c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T13:54:51.000Z",
"modified": "2017-01-07T13:54:51.000Z",
"first_observed": "2017-01-07T13:54:51Z",
"last_observed": "2017-01-07T13:54:51Z",
"number_observed": 1,
"object_refs": [
"url--5870f32b-6864-4da5-87f3-477c950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5870f32b-6864-4da5-87f3-477c950d210f",
"value": "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/"
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5870f363-0640-47d0-9bdd-422d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T13:55:47.000Z",
"modified": "2017-01-07T13:55:47.000Z",
"name": "CVE-2016-0167",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload installation\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2016-0167"
}
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5870f363-d7dc-4588-815e-4bfb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T13:55:47.000Z",
"modified": "2017-01-07T13:55:47.000Z",
"name": "CVE-2015-0003",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload installation\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2015-0003"
}
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5870f391-9b5c-440e-b68a-4de3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T13:56:33.000Z",
"modified": "2017-01-07T13:56:33.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_type": "pdb",
"x_misp_value": "Z:\\coding\\cryptor\\Release\\crypted.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5870f393-add0-49e8-921f-47a6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T13:56:35.000Z",
"modified": "2017-01-07T13:56:35.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_type": "pdb",
"x_misp_value": "Z:\\coding\\malware\\tests\\Release\\cryptoshit.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5870f393-4888-4dc5-8269-4753950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T13:56:35.000Z",
"modified": "2017-01-07T13:56:35.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_type": "pdb",
"x_misp_value": "Z:\\coding\\malware\\RDP\\output\\Release\\rdp_bot.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5870f394-4a04-4eac-b562-4d39950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T13:56:36.000Z",
"modified": "2017-01-07T13:56:36.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_type": "pdb",
"x_misp_value": "Z:\\coding\\malware\\ScanBot\\Release\\bot.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5870f395-b0ac-412c-9c9e-4c02950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T13:56:37.000Z",
"modified": "2017-01-07T13:56:37.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_type": "pdb",
"x_misp_value": "Z:\\coding\\project\\main\\payload\\payload.x86.pdb"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f3ad-77c8-409b-a83f-42e6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T13:57:01.000Z",
"modified": "2017-01-07T13:57:01.000Z",
"description": "Initial obfuscated loader",
"pattern": "[file:hashes.SHA256 = 'd3f9c4037f8b4d24f2baff1e0940d2bf238032f9343d06478b5034d0981b2cd9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T13:57:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f3ae-e4bc-42ea-8d87-4010950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T13:57:02.000Z",
"modified": "2017-01-07T13:57:02.000Z",
"description": "Initial obfuscated loader",
"pattern": "[file:hashes.SHA256 = '368b23e6d9ec7843e537e9d6547777088cf36581076599d04846287a9162652b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T13:57:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f3af-3904-4b3c-b447-41fc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T13:57:03.000Z",
"modified": "2017-01-07T13:57:03.000Z",
"description": "Initial obfuscated loader",
"pattern": "[file:hashes.SHA256 = 'e7e154c65417f5594a8b4602db601ac39156b5758889f708dac7258e415d4a18']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T13:57:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f3af-7a24-489c-9e8a-4cef950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T13:57:03.000Z",
"modified": "2017-01-07T13:57:03.000Z",
"description": "Initial obfuscated loader",
"pattern": "[file:hashes.SHA256 = 'f63ec1e5752eb8b9a07104f42392eebf143617708bfdd0fe31cbf00ef12383f9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T13:57:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f3c6-0068-42bb-bec1-4c6c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T13:57:26.000Z",
"modified": "2017-01-07T13:57:26.000Z",
"description": "Second stage injector",
"pattern": "[file:hashes.SHA256 = '003965bd25acb7e8c6e16de4f387ff9518db7bcca845502d23b6505d8d3cec01']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T13:57:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f3c7-1940-479d-b282-4b0f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T13:57:27.000Z",
"modified": "2017-01-07T13:57:27.000Z",
"description": "Second stage injector",
"pattern": "[file:hashes.SHA256 = '1188c5c9f04658bef20162f3001d9b89f69c93bf5343a1f849974daf6284a650']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T13:57:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f3dc-fa2c-4b55-b184-439a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T13:57:48.000Z",
"modified": "2017-01-07T13:57:48.000Z",
"description": "Exploit injector",
"pattern": "[file:hashes.SHA256 = 'e7c1523d93154462ed9e15e84d3af01abe827aa6dd0082bc90fc8b58989e9a9a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T13:57:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f3ef-7c44-4011-a6cb-4038950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T13:58:07.000Z",
"modified": "2017-01-07T13:58:07.000Z",
"description": "CVE-2016-0167 exploit (x86)",
"pattern": "[file:hashes.SHA256 = '5124f4fec24acb2c83f26d1e70d7c525daac6c9fb6e2262ed1c1c52c88636bad']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T13:58:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f400-92d0-4150-b336-4188950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T13:58:24.000Z",
"modified": "2017-01-07T13:58:24.000Z",
"description": "CVE-2016-0167 exploit (x64)",
"pattern": "[file:hashes.SHA256 = 'f3c2d4090f6f563928e9a9ec86bf0f1c6ee49cdc110b7368db8905781a9a966e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T13:58:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f417-9e8c-44e7-aa42-4b41950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T13:58:47.000Z",
"modified": "2017-01-07T13:58:47.000Z",
"description": "Main payload",
"pattern": "[file:hashes.SHA256 = 'e9bd4375f9b0b95f385191895edf81c8eadfb3964204bbbe48f7700fc746e4dc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T13:58:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f418-6144-41da-8f8f-4519950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T13:58:48.000Z",
"modified": "2017-01-07T13:58:48.000Z",
"description": "Main payload",
"pattern": "[file:hashes.SHA256 = '5ca2a9de65c998b0d0a0a01b4aa103a9410d76ab86c75d7b968984be53e279b6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T13:58:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5870f459-8f84-46fb-8337-487d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:01:26.000Z",
"modified": "2017-01-07T14:01:26.000Z",
"first_observed": "2017-01-07T14:01:26Z",
"last_observed": "2017-01-07T14:01:26Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5870f459-8f84-46fb-8337-487d950d210f",
"ipv4-addr--5870f459-8f84-46fb-8337-487d950d210f"
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5870f459-8f84-46fb-8337-487d950d210f",
"dst_ref": "ipv4-addr--5870f459-8f84-46fb-8337-487d950d210f",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5870f459-8f84-46fb-8337-487d950d210f",
"value": "92.222.80.28"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5870f45a-ced0-4005-8c53-4d40950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:01:36.000Z",
"modified": "2017-01-07T14:01:36.000Z",
"first_observed": "2017-01-07T14:01:36Z",
"last_observed": "2017-01-07T14:01:36Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5870f45a-ced0-4005-8c53-4d40950d210f",
"ipv4-addr--5870f45a-ced0-4005-8c53-4d40950d210f"
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5870f45a-ced0-4005-8c53-4d40950d210f",
"dst_ref": "ipv4-addr--5870f45a-ced0-4005-8c53-4d40950d210f",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5870f45a-ced0-4005-8c53-4d40950d210f",
"value": "78.138.97.93"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5870f45b-ab50-4287-a78c-4d5b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:01:47.000Z",
"modified": "2017-01-07T14:01:47.000Z",
"first_observed": "2017-01-07T14:01:47Z",
"last_observed": "2017-01-07T14:01:47Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5870f45b-ab50-4287-a78c-4d5b950d210f",
"ipv4-addr--5870f45b-ab50-4287-a78c-4d5b950d210f"
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5870f45b-ab50-4287-a78c-4d5b950d210f",
"dst_ref": "ipv4-addr--5870f45b-ab50-4287-a78c-4d5b950d210f",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5870f45b-ab50-4287-a78c-4d5b950d210f",
"value": "77.66.108.93"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5870f4a6-fa74-4521-9406-436e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:01:10.000Z",
"modified": "2017-01-07T14:01:10.000Z",
"first_observed": "2017-01-07T14:01:10Z",
"last_observed": "2017-01-07T14:01:10Z",
"number_observed": 1,
"object_refs": [
"domain-name--5870f4a6-fa74-4521-9406-436e950d210f"
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5870f4a6-fa74-4521-9406-436e950d210f",
"value": "ns1.dk.dns.d0wn.biz"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f50c-8794-4494-94b6-411f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:02:52.000Z",
"modified": "2017-01-07T14:02:52.000Z",
"description": "Both domain names, klyatiemoskali.bit and slavaukraine.bit, resolved to the IP address 103.199.16.106 at the time of analysis.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.199.16.106']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:02:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f51e-2684-41fa-bd5c-411d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:03:10.000Z",
"modified": "2017-01-07T14:03:10.000Z",
"description": "Both domain names, klyatiemoskali.bit and slavaukraine.bit, resolved to the IP address 103.199.16.106 at the time of analysis. Note: klyatiemoskali.bit is one of the Namecoin .bit domains mentioned in the report summary, but this attribute is typed as a filename, so the file:name pattern below will not match DNS or network telemetry; consumers who want a domain-name indicator should re-type it (the IP indicator in this event covers the resolved address).",
"pattern": "[file:name = 'klyatiemoskali.bit']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:03:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f51f-3f24-4d5d-bdbf-416b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:03:11.000Z",
"modified": "2017-01-07T14:03:11.000Z",
"description": "Both domain names, klyatiemoskali.bit and slavaukraine.bit, resolved to the IP address 103.199.16.106 at the time of analysis. Note: slavaukraine.bit is one of the Namecoin .bit domains mentioned in the report summary, but this attribute is typed as a filename, so the file:name pattern below will not match DNS or network telemetry; consumers who want a domain-name indicator should re-type it (the IP indicator in this event covers the resolved address).",
"pattern": "[file:name = 'slavaukraine.bit']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:03:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f54a-8dd4-4624-8120-4bad02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:03:54.000Z",
"modified": "2017-01-07T14:03:54.000Z",
"description": "Initial obfuscated loader - Xchecked via VT: d3f9c4037f8b4d24f2baff1e0940d2bf238032f9343d06478b5034d0981b2cd9",
"pattern": "[file:hashes.SHA1 = '472c49709b5bf423b05f9c516be9fcf6750c874b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:03:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f54a-d7a4-401c-9416-4dbb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:03:54.000Z",
"modified": "2017-01-07T14:03:54.000Z",
"description": "Initial obfuscated loader - Xchecked via VT: d3f9c4037f8b4d24f2baff1e0940d2bf238032f9343d06478b5034d0981b2cd9",
"pattern": "[file:hashes.MD5 = '7e8eba7fb31ceab049fe43d020dc34bf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:03:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5870f54b-3930-47d3-8f15-4ed602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:03:55.000Z",
"modified": "2017-01-07T14:03:55.000Z",
"first_observed": "2017-01-07T14:03:55Z",
"last_observed": "2017-01-07T14:03:55Z",
"number_observed": 1,
"object_refs": [
"url--5870f54b-3930-47d3-8f15-4ed602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5870f54b-3930-47d3-8f15-4ed602de0b81",
"value": "https://www.virustotal.com/file/d3f9c4037f8b4d24f2baff1e0940d2bf238032f9343d06478b5034d0981b2cd9/analysis/1476315072/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f54c-9760-4b93-b1eb-43f702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:03:56.000Z",
"modified": "2017-01-07T14:03:56.000Z",
"description": "Initial obfuscated loader - Xchecked via VT: 368b23e6d9ec7843e537e9d6547777088cf36581076599d04846287a9162652b",
"pattern": "[file:hashes.SHA1 = '3cd5a202fd64b8512557a80426f82c3359756f21']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:03:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f54c-9fc0-4b09-8064-498602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:03:56.000Z",
"modified": "2017-01-07T14:03:56.000Z",
"description": "Initial obfuscated loader - Xchecked via VT: 368b23e6d9ec7843e537e9d6547777088cf36581076599d04846287a9162652b",
"pattern": "[file:hashes.MD5 = 'f25528baf3d68444fa7d7fda382e9835']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:03:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5870f54d-98b4-4843-b50f-417502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:03:57.000Z",
"modified": "2017-01-07T14:03:57.000Z",
"first_observed": "2017-01-07T14:03:57Z",
"last_observed": "2017-01-07T14:03:57Z",
"number_observed": 1,
"object_refs": [
"url--5870f54d-98b4-4843-b50f-417502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5870f54d-98b4-4843-b50f-417502de0b81",
"value": "https://www.virustotal.com/file/368b23e6d9ec7843e537e9d6547777088cf36581076599d04846287a9162652b/analysis/1476120793/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f54e-ddc8-451c-9241-424302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:03:58.000Z",
"modified": "2017-01-07T14:03:58.000Z",
"description": "Initial obfuscated loader - Xchecked via VT: e7e154c65417f5594a8b4602db601ac39156b5758889f708dac7258e415d4a18",
"pattern": "[file:hashes.SHA1 = 'd74fd4cd8d82450c9436b608631f5ae69fe45187']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:03:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f54f-f520-4ce5-87bf-468202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:03:59.000Z",
"modified": "2017-01-07T14:03:59.000Z",
"description": "Initial obfuscated loader - Xchecked via VT: e7e154c65417f5594a8b4602db601ac39156b5758889f708dac7258e415d4a18",
"pattern": "[file:hashes.MD5 = 'ebf3e72f8b698bbb0d026416d7a75a6a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:03:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5870f550-7bb0-4a2d-afa9-4fdc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:04:00.000Z",
"modified": "2017-01-07T14:04:00.000Z",
"first_observed": "2017-01-07T14:04:00Z",
"last_observed": "2017-01-07T14:04:00Z",
"number_observed": 1,
"object_refs": [
"url--5870f550-7bb0-4a2d-afa9-4fdc02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5870f550-7bb0-4a2d-afa9-4fdc02de0b81",
"value": "https://www.virustotal.com/file/e7e154c65417f5594a8b4602db601ac39156b5758889f708dac7258e415d4a18/analysis/1476121083/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f550-d244-46af-acc6-4d1102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:04:00.000Z",
"modified": "2017-01-07T14:04:00.000Z",
"description": "Initial obfuscated loader - Xchecked via VT: f63ec1e5752eb8b9a07104f42392eebf143617708bfdd0fe31cbf00ef12383f9",
"pattern": "[file:hashes.SHA1 = 'a09aa148ac6fbbbea05d63c923d44c7126f63ff3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:04:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f551-43f4-4734-9ea4-43c602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:04:01.000Z",
"modified": "2017-01-07T14:04:01.000Z",
"description": "Initial obfuscated loader - Xchecked via VT: f63ec1e5752eb8b9a07104f42392eebf143617708bfdd0fe31cbf00ef12383f9",
"pattern": "[file:hashes.MD5 = 'e98459c647a6e328c8b65945884ef29a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:04:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5870f552-90a0-4f87-8962-426802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:04:02.000Z",
"modified": "2017-01-07T14:04:02.000Z",
"first_observed": "2017-01-07T14:04:02Z",
"last_observed": "2017-01-07T14:04:02Z",
"number_observed": 1,
"object_refs": [
"url--5870f552-90a0-4f87-8962-426802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5870f552-90a0-4f87-8962-426802de0b81",
"value": "https://www.virustotal.com/file/f63ec1e5752eb8b9a07104f42392eebf143617708bfdd0fe31cbf00ef12383f9/analysis/1476121104/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}