misp-circl-feed/feeds/circl/stix-2.1/5997e84c-58b8-4652-a5cc-7d9602de0b81.json

{
"type": "bundle",
"id": "bundle--5997e84c-58b8-4652-a5cc-7d9602de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5997e84c-58b8-4652-a5cc-7d9602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"name": "OSINT - EngineBox Malware Supports 10+ Brazilian Banks",
"published": "2017-08-19T10:13:53Z",
"object_refs": [
"x-misp-attribute--5997e865-cb68-4ee4-8af9-7da502de0b81",
"observed-data--5997e872-99a8-420d-bd26-7da502de0b81",
"url--5997e872-99a8-420d-bd26-7da502de0b81",
"observed-data--5997e8ad-1e84-4c16-8bcc-7d9b02de0b81",
"file--5997e8ad-1e84-4c16-8bcc-7d9b02de0b81",
"artifact--5997e8ad-1e84-4c16-8bcc-7d9b02de0b81",
"indicator--5997e93e-9454-4c92-8799-60ed02de0b81",
"indicator--5997e93e-fafc-4871-984d-60ed02de0b81",
"indicator--5997e93e-7adc-4b92-bcc6-60ed02de0b81",
"indicator--5997e93e-81f4-4d46-93c3-60ed02de0b81",
"indicator--5997e93e-8f28-4958-83b4-60ed02de0b81",
"indicator--5997e93e-4b80-46b5-bf97-60ed02de0b81",
"indicator--5997e93e-aa10-4c55-8f73-60ed02de0b81",
"indicator--5997e953-299c-4c2b-8de4-60f402de0b81",
"indicator--5997e954-3d74-4175-aa53-60f402de0b81",
"indicator--5997e96b-73c8-4618-8b98-7e3202de0b81",
"observed-data--5997e9a7-6f04-429d-8699-7d9c02de0b81",
"url--5997e9a7-6f04-429d-8699-7d9c02de0b81",
"observed-data--5997e9a7-9b24-4d19-9d85-7d9c02de0b81",
"url--5997e9a7-9b24-4d19-9d85-7d9c02de0b81",
"observed-data--5997e9a7-9d7c-412c-b2bc-7d9c02de0b81",
"url--5997e9a7-9d7c-412c-b2bc-7d9c02de0b81",
"indicator--5997e9c9-e970-4309-8d37-7da702de0b81",
"indicator--5997e9c9-368c-427d-89d1-7da702de0b81",
"observed-data--5997e9c9-d700-442a-a40d-7da702de0b81",
"url--5997e9c9-d700-442a-a40d-7da702de0b81",
"indicator--5997e9c9-29f8-472d-b78b-7da702de0b81",
"indicator--5997e9c9-a80c-4323-991f-7da702de0b81",
"observed-data--5997e9c9-0cbc-4b02-a06c-7da702de0b81",
"url--5997e9c9-0cbc-4b02-a06c-7da702de0b81",
"indicator--5997e9c9-8408-4f50-af82-7da702de0b81",
"indicator--5997e9c9-1cac-4f1f-a95b-7da702de0b81",
"observed-data--5997e9c9-9de0-4e62-b0f7-7da702de0b81",
"url--5997e9c9-9de0-4e62-b0f7-7da702de0b81",
"indicator--5997e9c9-caf4-4fc1-a13f-7da702de0b81",
"indicator--5997e9c9-c798-40df-b634-7da702de0b81",
"observed-data--5997e9c9-ee6c-46bd-907f-7da702de0b81",
"url--5997e9c9-ee6c-46bd-907f-7da702de0b81",
"indicator--5997e9c9-2990-4673-98ae-7da702de0b81",
"indicator--5997e9c9-0cd0-4d39-98e0-7da702de0b81",
"observed-data--5997e9c9-ca90-4196-b336-7da702de0b81",
"url--5997e9c9-ca90-4196-b336-7da702de0b81",
"indicator--5997e9c9-739c-4dba-9067-7da702de0b81",
"indicator--5997e9c9-12e4-411c-ba6f-7da702de0b81",
"observed-data--5997e9c9-d4f0-4951-b710-7da702de0b81",
"url--5997e9c9-d4f0-4951-b710-7da702de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"veris:actor:motive=\"Financial\"",
"circl:topic=\"finance\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5997e865-cb68-4ee4-8af9-7da502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"estimative-language:likelihood-probability=\"very-likely\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "After receiving quite a big amount of malspam with similar messages in my honeypots this week, I decided to dedicate some time to analyze what it was about. To my surprise, after peeling multiple encoding layers protecting the malware\u2019s core (felt like peeling an onion), I could finally find a sophisticated and well structured banker malware capable of stealing victims' credentials of at least 10 of the biggest Brazilian public and private banks and other financial institutions. Additionally, it can also steal browser, SSH and FTP local stored credentials.\r\n\r\nThe main malware capabilities include a privilege escalation attempt using MS16\u2013032 exploitation; a HTTP Proxy to intercept banking transactions; a backdoor to make it possible for the attacker to issue arbitrary remote commands and a C&C through a IRC channel. As it's being identified as a \"Generic Trojan\" by most of VirusTotal (VT) engines, let's name it \"EngineBox\"\u2014 the core malware class I saw after reverse engineering it.\r\n\r\nIn today's diary, I'm going to describe the main technical aspects of EngineBox. Let's start with the fluxogram in Figure 1, which illustrates the malware's behavior since the infection vector to the malicious actions. Follow the numbers in blue."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5997e872-99a8-420d-bd26-7da502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"first_observed": "2017-08-19T07:33:29Z",
"last_observed": "2017-08-19T07:33:29Z",
"number_observed": 1,
"object_refs": [
"url--5997e872-99a8-420d-bd26-7da502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"estimative-language:likelihood-probability=\"very-likely\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5997e872-99a8-420d-bd26-7da502de0b81",
"value": "https://isc.sans.edu/diary/22736"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5997e8ad-1e84-4c16-8bcc-7d9b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"first_observed": "2017-08-19T07:33:29Z",
"last_observed": "2017-08-19T07:33:29Z",
"number_observed": 1,
"object_refs": [
"file--5997e8ad-1e84-4c16-8bcc-7d9b02de0b81",
"artifact--5997e8ad-1e84-4c16-8bcc-7d9b02de0b81"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"estimative-language:likelihood-probability=\"very-likely\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5997e8ad-1e84-4c16-8bcc-7d9b02de0b81",
"name": "EB-Figure1.png",
"content_ref": "artifact--5997e8ad-1e84-4c16-8bcc-7d9b02de0b81"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5997e8ad-1e84-4c16-8bcc-7d9b02de0b81",
"payload_bin": "iVBORw0KGgoAAAANSUhEUgAAA3YAAASwCAYAAAC3u9iqAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nMS9d5hV1fU+/p5bZu70XmgzdESayCBqLMQSJCpgVEAsoBFbRCTGlpAQYpJPvvZubLFgAQsYk2ADAYciIB1B2gAzwzCF6e3Obef3x3hPzt2z1t77DOT57efh4d5z1l7rXWuvts8594xhmqYJYZimCcMw2GNOz6u+68g/lTKiKov00WN2k8h0Vg2VnXTmUVj/V4Ozr4iBso+M18ngUPFz4pfiMad+qJKlo4fT407W366X7hwZHidDl4cTuujgYvJUyFHNVeURux91d610fPBk8sCpyl0qempwfh49191aQtF0B7OMhw5fVX5xYoPu+p3smH04yUXUec4elL5cvJ5sjuPkcedleLsjX8cGnH4yGaqY4HBwn1U2EGkp2ao65dRudlrduJetsY5s3V5KZU8dvU5FLu+ub8pwdKefFLFSc5z6jw5P2TxdrE57O6d9nYqfji6q2uKkDpF2NYXs3x0lnSYine8ng0cHW3caJdWc7i6uar5KlhMnVvEE+ADtbgPVXVy69lTNPVm8qiLUXR7dpXfaAOrKA+Tx4KToOM0d3W0WZHhOVVxQ9CeTG3WKX3eH07zWHfndzT3djUlZ4dZpBk/Wxk6KsV3u/2roNGqirUQa3eaPm2s/7yRPyeKcixVKltNY5/BQ51W+pVsXdWJD1EG0iWo4jT8d/t3tQ0QZumtM8dTFaac7mT5LFtunsldU1TknPaR9vi5+zmejNJyeTmq/7nDqjzq1RKWPrr4y+TprJIuDzq8mTAAhMwJ/OITWUBBtoSACkTAiMOGCgTi3B4luD5I8XiS4PXAbLhgADKOThwyDEYlETFWCPhXDaXPc3cbwVOHUTYinOkmo5soSlVMb65yX6WgfOnJPxZp2tynTmSuj1eXTHX/sjg+dbGP5v4pHp/S6DaZ4vrv8neLrrlwnQ1WEVBi4ZuFkseoWMNVnmT5RvN3Fqir6Ml24xtp+TMXDCTbdZo5qCjhMnCyRrxNdnTSXsnxh50/VC1VdFelVw0mdlvmebtOsspPuOp6KnNZdjDqDspWscVXh5nxRZcuT1Y/jpVv3VcdUOnC0unmC4ue0JnC2kOnG6cfpFR1ObKqS5zRXyNZWhpPjI8Ou8lFxXsQ00REOoTHYgdK2JuxuqMHR1kZUd7ShNRxEOBKB23AhxRuPrLgEFCSlYFR6HgqTUpHqjUO8y6PuE8zOcdKNomrInIBzQCoZOnU86phuYRVl6+ilwqjLS+ZQThqu7iQJHV46fKNDp2jpyNbFSfF1UshU+FTHVQ2PbgHUxQXoPeKiE88qe51M86E7dH3fSRyI57qD72TX7lTqoSO/uzHjZKhsHR0qm4g5VzaHksXJ5HKXyr90GjUOs8oHKB25uOUwyPhyuVqUJx6z89JpqER6nWbsVDRGKlw6tCqZlL/o0Miw6fqdjr2iQ5WrqSGzMUejE9vd8Xv7eR3flPHVqVsyHCq/011XDqdTX5XlIp265kSmrk46PqHi7QQHx1eXjxM9nOZbp3wBIAITbaEgdjVU418Vh7Cn8QQaAx3oiIQQNjvv4kWHCwZcBhDnciM9zoczMnJxSV5fjMzIQ7LbC5dNvrj20kcxnQ5dAzlxJF16J8lAhd/Ozwmv7jjY/3I4tbP9vG7hlDVMTuTq0qjoZM2BExyA/OqQE/mqJkrGj8KtSohObK27ZjpFr7vFwgkup7p2t+nsro2dFsRTva5O6JziPhl+4rqqmiQnjQo3l8LSXT27k9uc6szxtg9Z/nCCQ8Sj28DacejmBBlvnVyrq59MVxlvuwyKp0yeDIOIh5Ml4yPS68jm6HXWRqfP0sld3DGVbCd2pL6rZOucd5Jn7Ti6k6tl9Lq9gYpeFR+iDrpxFh2yNZThc+ofMltwfiFbG51aQ8WtDhbqnD8UxKGWevzr
2EF8U1OO2oAfkehW7keeHsOAx+WCAQPBSAQhs5PCMAy4DQNpnjhcmFeAKT0HYUByBrwulyXLrkOXjZ0OQBndqWgqTiYoRZqTKZoqWd1dYBkPXSfkZOjScVh1C4NMlkpHFQanQ1dXWfK04/tfrLluwaISmW6idILHCV4R56mgl9Ho+pVKJyeFgdJBR4buvO74qNPPOvJPRYxxPiubK9LJGkGu2aB4UHSqNedyHFcPRDniZzu9TnPF2UjVbNixyGzhZMiaGkompxuFR8VXhVuHL/W/HafKf1TYZGug8ksRg0w3zvc5Gid5Tcb/ZGu7zjiZ3KtTb53wVuUMGW+ZjaKDWxed+u/UN+0yVb4hxrB4XJWvdHyaGrK44ugpPE7m69RGVX6SxbxMXpQm1t4GApEQttZX4qPSfdhaX4mwaSI9zodkTxwAoD0cRKLbg96JqciNT4TLMFDpb8GR1kZUtLfCHwkBJmAYQILbg7GZPXFtwWkYmZYDn9vTBZu1setOAOsaWGYIp82ODp7u8JHN1U1ypyIJ6vB2op9O4YyOk8HenUDXsacMl07S0LWVLEmf6qFjq+7E1snK1m0iVby602R2V6dT1YCcqhxzMjKc8O5ObJwsxpP125Od54S3U35OP8tkOW0udHhzDbmMvjv1QoWZoo3isn+PDrHptNPqyNXtI0S+TvOcLk6uZp6KZlPkr9t4d6dmUY0+N19HZ1kjrINPVx8VnaomiZi6myNktLqxJ8Ot4qE6poqP7gyn/ZbMJ3RkUUPWm4t0XF7Q5cPlNKc6hCIR7Gk6gddLdmBrXRXiXC6MzeyBC/MKkBefBBNAY9CPJE8ccuMT4THcCJsRtEdCKG1rxFeVh3GwpQH+UAjt4SD8kQgS3B6MycjHdYVDMSojD17DFWt3U0CtE1ROmxvVAne3mZAtEqUDlWy4z+J8WaBQzqyykSwJOEnmOolGdczJeV0anfndbSz+l+edYpPRO20QZfNkCVSXhw4doH+3gYsV3dHduKdodOntQ8eeJ9v8dsem3cmp1PHu2sdp42MfqtgRh24jTeVK+xxVHtXJ8TKZqtxMDZ340GlodZpDnZqsYyOdJk3W/KhykjhU9U6XVsToFCfX2OnmR/E4d0zHnrIejNKZotXxGR1aHXuqeHG2VdF3B7OOTNlwgjFKo+oJZP4hyuF4/i91VOUMEaNOP8LFug6tzH+c9AQyPWRzVPZ0kmciMHG4tRGvH9yBtTXl8Lpc+Fl+X1xbcBp6JaQgbJpoD4cQjETgNgw0BP3Y3ViL2o42ZMcnYEhKJhI9XjQFO1Dpb8W2+ipsrDuO4+0t8BounJvdC7cOOAP9k9Is2YYhPIqp21RQ9DJjyALTaeOqKiA653XPOXEoJzi6k7hUASazY3SeTiOgG+Q6SYgrik6TA1dgKXuozquSoSqJOx3d8Z1TyUvlHyq67uLvThLWLeAUNicNhgrLyeCy0znxc90GoTuF3I5NRw+VjrI8E+Wvs0acPKd0OvT2cSowOB3dseWp8EGO7lTp4SQ3qnywO3Eiq0NOcp4dkyp3OKl9On3AqfJ7VQw68Tcnw6ltnPDsbh1x4k9O+ehgjw6qV4p+ttPq5HUdf6bm6+J32q+p+Khwqs45yducHiIekc/J+j4nEwAikQhOdLTj/dK9+Pz4IeT5klCUmY9L8/uhf1I6ajrasKuhBhX+FvjDYbgNA/5IEAOTM9A3MQ1H25pQ0tKAMZn5GJmWC6/LhaAZwc6GavyjZAd2NZyAx3DhmoIhuLFwODLifZaeHjsQnUaIM5rMMNS56DGqYVEZ2aksO2YnC8gVTR0cTjGIRUWk4b6LAaTio8KiorfTqZK4/btOwdKdz9lP1Ms0zS64KDtRMlXJQHftqYSt4+cqe4p0HCZRX06mzB+cNOcyrLL5MvyqNaT4yGyhwkvFkOhLOvx1baqKRer/7jRNKswynqItdPKTk0ZAhVMWMzq+xsU7R6fC2x2MXE6hsHE+Ypcv8uTWkqtj
slzENXlcbOjYyEnu0ckTMjtSvqqbR6jaJsrXrQs6eVM3Vpycp2oht8acjtxQ+YyYK0+mlsps46T/sH/n8HM
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5997e93e-9454-4c92-8799-60ed02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"description": "W7.zip",
"pattern": "[file:hashes.MD5 = 'f9f6bc998dcb8a3f04dffcc6b81dcfc3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-19T07:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5997e93e-fafc-4871-984d-60ed02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"description": "W7.dll",
"pattern": "[file:hashes.MD5 = 'e99d3c9d3ee9c8a8448aa3d427c04f0e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-19T07:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5997e93e-7adc-4b92-bcc6-60ed02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"description": "1508201700016067882247230289631.vbs",
"pattern": "[file:hashes.MD5 = '78b86206541debb3819e51b7e9c48434']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-19T07:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5997e93e-81f4-4d46-93c3-60ed02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"description": "aw7.tiff",
"pattern": "[file:hashes.MD5 = 'bb6756c97ab58fdfeecfe8c75b4bb81e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-19T07:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5997e93e-8f28-4958-83b4-60ed02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"description": "aw7.dll",
"pattern": "[file:hashes.MD5 = '90ce84d389eabf96b4ad2f3bb083dada']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-19T07:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5997e93e-4b80-46b5-bf97-60ed02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"description": "malware-binary.exe",
"pattern": "[file:hashes.MD5 = 'eb32c070e658937aa9fa9f3ae629b2b8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-19T07:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5997e93e-aa10-4c55-8f73-60ed02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"description": "westeros-x.ps",
"pattern": "[file:hashes.MD5 = 'f476db89c2f6621cc36c4a7a11e1e7a3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-19T07:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5997e953-299c-4c2b-8de4-60f402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"pattern": "[url:value = 'http://vimfvl6s.bslah3d1ajofjeatqu1qlkiurm0iyzwd.xyz/vzcD8L.php?vzcD8L=vIMfVL6sSUPORTE']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-19T07:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5997e954-3d74-4175-aa53-60f402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"pattern": "[url:value = 'http://170.254.236.10/westeros/x']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-19T07:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5997e96b-73c8-4618-8b98-7e3202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"description": "On port 443, but the connection is not over SSL",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '54.232.207.222' AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-19T07:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5997e9a7-6f04-429d-8699-7d9c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"first_observed": "2017-08-19T07:33:29Z",
"last_observed": "2017-08-19T07:33:29Z",
"number_observed": 1,
"object_refs": [
"url--5997e9a7-6f04-429d-8699-7d9c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5997e9a7-6f04-429d-8699-7d9c02de0b81",
"value": "https://technet.microsoft.com/en-us/library/security/ms16-032.aspx"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5997e9a7-9b24-4d19-9d85-7d9c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"first_observed": "2017-08-19T07:33:29Z",
"last_observed": "2017-08-19T07:33:29Z",
"number_observed": 1,
"object_refs": [
"url--5997e9a7-9b24-4d19-9d85-7d9c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5997e9a7-9b24-4d19-9d85-7d9c02de0b81",
"value": "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5997e9a7-9d7c-412c-b2bc-7d9c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"first_observed": "2017-08-19T07:33:29Z",
"last_observed": "2017-08-19T07:33:29Z",
"number_observed": 1,
"object_refs": [
"url--5997e9a7-9d7c-412c-b2bc-7d9c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5997e9a7-9d7c-412c-b2bc-7d9c02de0b81",
"value": "http://www.ilspy.net/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5997e9c9-e970-4309-8d37-7da702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"description": "westeros-x.ps - Xchecked via VT: f476db89c2f6621cc36c4a7a11e1e7a3",
"pattern": "[file:hashes.SHA256 = 'e3fe4546a5930d584f9a1ccd0ab0cb8eac041821cc238010f18190cfc25f845a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-19T07:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5997e9c9-368c-427d-89d1-7da702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"description": "westeros-x.ps - Xchecked via VT: f476db89c2f6621cc36c4a7a11e1e7a3",
"pattern": "[file:hashes.SHA1 = 'da18ecbf61875bab1e71fc13ce2c7ec7e3ebee6a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-19T07:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5997e9c9-d700-442a-a40d-7da702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"first_observed": "2017-08-19T07:33:29Z",
"last_observed": "2017-08-19T07:33:29Z",
"number_observed": 1,
"object_refs": [
"url--5997e9c9-d700-442a-a40d-7da702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5997e9c9-d700-442a-a40d-7da702de0b81",
"value": "https://www.virustotal.com/file/e3fe4546a5930d584f9a1ccd0ab0cb8eac041821cc238010f18190cfc25f845a/analysis/1503114310/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5997e9c9-29f8-472d-b78b-7da702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"description": "malware-binary.exe - Xchecked via VT: eb32c070e658937aa9fa9f3ae629b2b8",
"pattern": "[file:hashes.SHA256 = '70ba57fb0bf2f34b86426d21559f5f6d05c1268193904de8e959d7b06ce964ce']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-19T07:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5997e9c9-a80c-4323-991f-7da702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"description": "malware-binary.exe - Xchecked via VT: eb32c070e658937aa9fa9f3ae629b2b8",
"pattern": "[file:hashes.SHA1 = 'f393d7b531cd44ce418647fe95715adc3e3c61d2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-19T07:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5997e9c9-0cbc-4b02-a06c-7da702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"first_observed": "2017-08-19T07:33:29Z",
"last_observed": "2017-08-19T07:33:29Z",
"number_observed": 1,
"object_refs": [
"url--5997e9c9-0cbc-4b02-a06c-7da702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5997e9c9-0cbc-4b02-a06c-7da702de0b81",
"value": "https://www.virustotal.com/file/70ba57fb0bf2f34b86426d21559f5f6d05c1268193904de8e959d7b06ce964ce/analysis/1503098248/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5997e9c9-8408-4f50-af82-7da702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"description": "aw7.dll - Xchecked via VT: 90ce84d389eabf96b4ad2f3bb083dada",
"pattern": "[file:hashes.SHA256 = '7e476e43a56a56420b5ca05db29979332b327b1c2ccd79f86943a10714afd730']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-19T07:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5997e9c9-1cac-4f1f-a95b-7da702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"description": "aw7.dll - Xchecked via VT: 90ce84d389eabf96b4ad2f3bb083dada",
"pattern": "[file:hashes.SHA1 = '918a80d5c982ba2f3b51c92949b15b1fc8caf2e9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-19T07:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5997e9c9-9de0-4e62-b0f7-7da702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"first_observed": "2017-08-19T07:33:29Z",
"last_observed": "2017-08-19T07:33:29Z",
"number_observed": 1,
"object_refs": [
"url--5997e9c9-9de0-4e62-b0f7-7da702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5997e9c9-9de0-4e62-b0f7-7da702de0b81",
"value": "https://www.virustotal.com/file/7e476e43a56a56420b5ca05db29979332b327b1c2ccd79f86943a10714afd730/analysis/1503123304/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5997e9c9-caf4-4fc1-a13f-7da702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"description": "aw7.tiff - Xchecked via VT: bb6756c97ab58fdfeecfe8c75b4bb81e",
"pattern": "[file:hashes.SHA256 = '9663e164be742893c6d1b4586796bff9b778d695823a09cfada18bec0106414a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-19T07:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5997e9c9-c798-40df-b634-7da702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"description": "aw7.tiff - Xchecked via VT: bb6756c97ab58fdfeecfe8c75b4bb81e",
"pattern": "[file:hashes.SHA1 = 'edac27ccb0191bd0726af39b13226f073452cde7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-19T07:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5997e9c9-ee6c-46bd-907f-7da702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"first_observed": "2017-08-19T07:33:29Z",
"last_observed": "2017-08-19T07:33:29Z",
"number_observed": 1,
"object_refs": [
"url--5997e9c9-ee6c-46bd-907f-7da702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5997e9c9-ee6c-46bd-907f-7da702de0b81",
"value": "https://www.virustotal.com/file/9663e164be742893c6d1b4586796bff9b778d695823a09cfada18bec0106414a/analysis/1502992532/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5997e9c9-2990-4673-98ae-7da702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"description": "1508201700016067882247230289631.vbs - Xchecked via VT: 78b86206541debb3819e51b7e9c48434",
"pattern": "[file:hashes.SHA256 = 'c05836c76d0e462bb817742f1c4a9ea2db523161c5b9c8506cfb8c7335060e57']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-19T07:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5997e9c9-0cd0-4d39-98e0-7da702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"description": "1508201700016067882247230289631.vbs - Xchecked via VT: 78b86206541debb3819e51b7e9c48434",
"pattern": "[file:hashes.SHA1 = 'f6c940072ce82b7f58a6a86e49d57e2c9a92c154']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-19T07:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5997e9c9-ca90-4196-b336-7da702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"first_observed": "2017-08-19T07:33:29Z",
"last_observed": "2017-08-19T07:33:29Z",
"number_observed": 1,
"object_refs": [
"url--5997e9c9-ca90-4196-b336-7da702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5997e9c9-ca90-4196-b336-7da702de0b81",
"value": "https://www.virustotal.com/file/c05836c76d0e462bb817742f1c4a9ea2db523161c5b9c8506cfb8c7335060e57/analysis/1503123770/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5997e9c9-739c-4dba-9067-7da702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"description": "W7.zip - Xchecked via VT: f9f6bc998dcb8a3f04dffcc6b81dcfc3",
"pattern": "[file:hashes.SHA256 = '66c3cae1464231a801b0388a5ea858883118b9ef529fa7071146fae0bdb93565']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-19T07:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5997e9c9-12e4-411c-ba6f-7da702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"description": "W7.zip - Xchecked via VT: f9f6bc998dcb8a3f04dffcc6b81dcfc3",
"pattern": "[file:hashes.SHA1 = '1812647fafd4f086614c950cfc8c6b405cfc1fac']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-19T07:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5997e9c9-d4f0-4951-b710-7da702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-19T07:33:29.000Z",
"modified": "2017-08-19T07:33:29.000Z",
"first_observed": "2017-08-19T07:33:29Z",
"last_observed": "2017-08-19T07:33:29Z",
"number_observed": 1,
"object_refs": [
"url--5997e9c9-d4f0-4951-b710-7da702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5997e9c9-d4f0-4951-b710-7da702de0b81",
"value": "https://www.virustotal.com/file/66c3cae1464231a801b0388a5ea858883118b9ef529fa7071146fae0bdb93565/analysis/1502994328/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}