adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/591df523-1b50-4547-ae34-4dca02de0b81.json

420 lines
19 KiB
JSON
Raw Normal View History

chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--591df523-1b50-4547-ae34-4dca02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T19:30:34.000Z",
"modified": "2017-05-18T19:30:34.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--591df523-1b50-4547-ae34-4dca02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T19:30:34.000Z",
"modified": "2017-05-18T19:30:34.000Z",
"name": "OSINT - Will Astrum Fill the Vacuum in the Exploit Kit Landscape?",
"published": "2017-05-18T19:30:52Z",
"object_refs": [
"observed-data--591df52d-9d40-4b89-93aa-4e9c02de0b81",
"url--591df52d-9d40-4b89-93aa-4e9c02de0b81",
"x-misp-attribute--591df541-cb4c-454a-9ca3-4e7202de0b81",
"indicator--591df59d-ce64-42b5-b2b6-429402de0b81",
"indicator--591df59d-ad88-40e7-9ba9-4c3d02de0b81",
"indicator--591df5ab-1f9c-4aca-8d89-4bb002de0b81",
"indicator--591df5ab-07a4-4467-af75-4af302de0b81",
"indicator--591df5c8-a484-4569-923d-447202de0b81",
"indicator--591df5c9-821c-421d-a18b-452e02de0b81",
"indicator--591df5c9-7b30-4f7d-9d78-418802de0b81",
"indicator--591df5d4-6564-4541-b200-404e02de0b81",
"indicator--591df5d4-6f4c-40e3-baac-4acc02de0b81",
"observed-data--591df5d5-ab48-4e46-83ab-403002de0b81",
"url--591df5d5-ab48-4e46-83ab-403002de0b81",
"indicator--591df5d5-6c84-4bba-950b-48e702de0b81",
"indicator--591df5d6-a22c-4d13-ab1d-45bb02de0b81",
"observed-data--591df5d6-f854-4881-b6da-43bf02de0b81",
"url--591df5d6-f854-4881-b6da-43bf02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:exploit-kit=\"Astrum\"",
"riskiq:threat-type=\"exploit-kit\"",
"enisa:nefarious-activity-abuse=\"exploits-exploit-kits\"",
"dnc:infrastructure-type=\"exploit-kit\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--591df52d-9d40-4b89-93aa-4e9c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T19:28:16.000Z",
"modified": "2017-05-18T19:28:16.000Z",
"first_observed": "2017-05-18T19:28:16Z",
"last_observed": "2017-05-18T19:28:16Z",
"number_observed": 1,
"object_refs": [
"url--591df52d-9d40-4b89-93aa-4e9c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--591df52d-9d40-4b89-93aa-4e9c02de0b81",
"value": "http://blog.trendmicro.com/trendlabs-security-intelligence/astrum-exploit-kit-abuses-diffie-hellman-key-exchange/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--591df541-cb4c-454a-9ca3-4e7202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T19:28:16.000Z",
"modified": "2017-05-18T19:28:16.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "The decline of exploit kit activity\u00e2\u20ac\u201dparticularly from well-known exploit kits like Magnitude, Nuclear, Neutrino, and Rig during the latter half of 2016\u00e2\u20ac\u201ddoesn\u00e2\u20ac\u2122t mean exploit kits are throwing in the towel just yet. This is the casse with Astrum (also known as Stagano), an old and seemingly reticent exploit kit we observed to have been updated multiple times as of late.\r\n\r\nAstrum was known to be have been exclusively used by the AdGholas malvertising campaign that delivered a plethora of threats including banking Trojans Dreambot/Gozi (also known as Ursnif, and detected by Trend Micro as BKDR_URSNIF) and RAMNIT (TROJ_RAMNIT, PE_RAMNIT). We\u00e2\u20ac\u2122re also seeing Astrum redirected by the Seamless malvertising campaign, which is known for using the Rig exploit kit.\r\n\r\nAstrum\u00e2\u20ac\u2122s recent activities feature several upgrades and show how it\u00e2\u20ac\u2122s starting to move away from the more established malware mentioned above. It appears these changes were done to lay the groundwork for future campaigns, and possibly to broaden its use. With a modus operandi that deters analysis and forensics by abusing the Diffie-Hellman key exchange, it appears Astrum is throwing down the gauntlet."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--591df59d-ce64-42b5-b2b6-429402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T19:28:16.000Z",
"modified": "2017-05-18T19:28:16.000Z",
"description": "IP Address and domain related to Astrum exploit kit:",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '141.255.161.68']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-18T19:28:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--591df59d-ad88-40e7-9ba9-4c3d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T19:28:16.000Z",
"modified": "2017-05-18T19:28:16.000Z",
"description": "IP Address and domain related to Astrum exploit kit:",
"pattern": "[url:value = 'http://define.predatorhuntingusa.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-18T19:28:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--591df5ab-1f9c-4aca-8d89-4bb002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T19:28:16.000Z",
"modified": "2017-05-18T19:28:16.000Z",
"description": "dropped payload",
"pattern": "[file:hashes.SHA256 = '39b1e99034338d7f5b0cbff9fb9bd93d9e4dd8f4c77b543da435bb2d2259b0b5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-18T19:28:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--591df5ab-07a4-4467-af75-4af302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T19:28:16.000Z",
"modified": "2017-05-18T19:28:16.000Z",
"description": "dropped payload",
"pattern": "[file:hashes.SHA256 = 'ccf89a7c8005948b9548cdde12cbd060f618234fd00dfd434c52ea5027353be8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-18T19:28:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--591df5c8-a484-4569-923d-447202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T19:28:16.000Z",
"modified": "2017-05-18T19:28:16.000Z",
"description": "IP Addresses related to Seamless Malvertising Campaign",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '193.124.200.194']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-18T19:28:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--591df5c9-821c-421d-a18b-452e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T19:28:16.000Z",
"modified": "2017-05-18T19:28:16.000Z",
"description": "IP Addresses related to Seamless Malvertising Campaign",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '193.124.200.212']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-18T19:28:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--591df5c9-7b30-4f7d-9d78-418802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T19:28:16.000Z",
"modified": "2017-05-18T19:28:16.000Z",
"description": "IP Addresses related to Seamless Malvertising Campaign",
"pattern": "[file:name = '194.58.40.46']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-18T19:28:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--591df5d4-6564-4541-b200-404e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T19:28:20.000Z",
"modified": "2017-05-18T19:28:20.000Z",
"description": "dropped payload - Xchecked via VT: ccf89a7c8005948b9548cdde12cbd060f618234fd00dfd434c52ea5027353be8",
"pattern": "[file:hashes.SHA1 = '691d3600ede858cfbb56a76ccaf3e2ae9cd784a2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-18T19:28:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--591df5d4-6f4c-40e3-baac-4acc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T19:28:20.000Z",
"modified": "2017-05-18T19:28:20.000Z",
"description": "dropped payload - Xchecked via VT: ccf89a7c8005948b9548cdde12cbd060f618234fd00dfd434c52ea5027353be8",
"pattern": "[file:hashes.MD5 = '34b6eb75b8e973fbb065586b4a169cf6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-18T19:28:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--591df5d5-ab48-4e46-83ab-403002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T19:28:21.000Z",
"modified": "2017-05-18T19:28:21.000Z",
"first_observed": "2017-05-18T19:28:21Z",
"last_observed": "2017-05-18T19:28:21Z",
"number_observed": 1,
"object_refs": [
"url--591df5d5-ab48-4e46-83ab-403002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--591df5d5-ab48-4e46-83ab-403002de0b81",
"value": "https://www.virustotal.com/file/ccf89a7c8005948b9548cdde12cbd060f618234fd00dfd434c52ea5027353be8/analysis/1494841409/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--591df5d5-6c84-4bba-950b-48e702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T19:28:21.000Z",
"modified": "2017-05-18T19:28:21.000Z",
"description": "dropped payload - Xchecked via VT: 39b1e99034338d7f5b0cbff9fb9bd93d9e4dd8f4c77b543da435bb2d2259b0b5",
"pattern": "[file:hashes.SHA1 = '79b64ec0395ba20f0de4f6139d6d994668c7b45b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-18T19:28:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--591df5d6-a22c-4d13-ab1d-45bb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T19:28:22.000Z",
"modified": "2017-05-18T19:28:22.000Z",
"description": "dropped payload - Xchecked via VT: 39b1e99034338d7f5b0cbff9fb9bd93d9e4dd8f4c77b543da435bb2d2259b0b5",
"pattern": "[file:hashes.MD5 = '986df65fe63bcab25996b5edc93b0de0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-18T19:28:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--591df5d6-f854-4881-b6da-43bf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T19:28:22.000Z",
"modified": "2017-05-18T19:28:22.000Z",
"first_observed": "2017-05-18T19:28:22Z",
"last_observed": "2017-05-18T19:28:22Z",
"number_observed": 1,
"object_refs": [
"url--591df5d6-f854-4881-b6da-43bf02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--591df5d6-f854-4881-b6da-43bf02de0b81",
"value": "https://www.virustotal.com/file/39b1e99034338d7f5b0cbff9fb9bd93d9e4dd8f4c77b543da435bb2d2259b0b5/analysis/1493282868/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue Copy permalink