2023-04-21 14:44:17 +00:00
{
"type" : "bundle" ,
"id" : "bundle--5cc3fa33-2fac-4dbd-9e06-60de02de0b81" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-27T07:43:18.000Z" ,
"modified" : "2019-04-27T07:43:18.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5cc3fa33-2fac-4dbd-9e06-60de02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-27T07:43:18.000Z" ,
"modified" : "2019-04-27T07:43:18.000Z" ,
"name" : "OSINT - BabyShark Malware Part Two \u00e2\u20ac\u201c Attacks Continue Using KimJongRAT and PCRat" ,
"published" : "2019-04-27T09:02:41Z" ,
"object_refs" : [
"x-misp-attribute--5cc3fa44-db00-4a96-9e27-607502de0b81" ,
"observed-data--5cc3fa72-76e4-4a59-9290-bdbe02de0b81" ,
"file--5cc3fa72-76e4-4a59-9290-bdbe02de0b81" ,
"artifact--5cc3fa72-76e4-4a59-9290-bdbe02de0b81" ,
"indicator--5cc3fafa-8580-46cb-916a-44db02de0b81" ,
"indicator--5cc3fafb-5408-433e-8b31-408b02de0b81" ,
"indicator--5cc3fafb-c8c0-42e6-bc0b-44a502de0b81" ,
"indicator--5cc3fafb-7a28-4088-8973-4cc602de0b81" ,
"indicator--5cc3fafb-5174-4cf6-b028-4e1202de0b81" ,
"indicator--5cc3fafb-7744-4075-838a-49c702de0b81" ,
"x-misp-object--5cc4069c-ed84-47b2-8f41-43b0950d210f" ,
"indicator--c5a73ecb-7963-487b-9c12-4b0e86a495ae" ,
"x-misp-object--ec43ff24-211c-430f-84ab-5f57fa153d60" ,
"indicator--e04af19f-c666-456b-95c9-b1b19d401d5d" ,
"x-misp-object--af318753-2c6d-41cc-a37b-f9db1cec6b7a" ,
"indicator--1ca9e3cc-11cf-4417-ae89-12d0db9e9240" ,
"x-misp-object--210c73d6-356a-4be2-ba0a-cbf5b9ed607e" ,
"indicator--41e3fdee-552a-4961-8183-635188ef931d" ,
"x-misp-object--5620ac27-0a6e-466a-90ff-6e97ab1e498d" ,
2024-08-07 08:13:15 +00:00
"relationship--f9b6c771-8a3a-4782-800e-e7c7e1d94cfe" ,
"relationship--dec16baf-0c91-4b8f-bfa0-9d7b5d59a126" ,
"relationship--ba8ae707-c260-4b3d-8374-cb637fb8c7e2" ,
"relationship--6bdf98de-bfc7-44cd-a0ca-efa601944b9b"
2023-04-21 14:44:17 +00:00
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:tool=\"BabyShark\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"osint:certainty=\"50\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5cc3fa44-db00-4a96-9e27-607502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-27T06:44:20.000Z" ,
"modified" : "2019-04-27T06:44:20.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "In February 2019, Unit 42 published a blog about the BabyShark malware family and the associated spear phishing campaigns targeting U.S. national think tanks. Since that publication, malicious attacks leveraging BabyShark have continued through March and April 2019. The attackers expanded targeting to the cryptocurrency industry, showing that those behind these attacks also have interests in financial gain.\r\n\r\nWhile tracking the latest activities of the threat group, Unit 42 researchers were able to collect both the BabyShark malware\u00e2\u20ac\u2122s server-side and client-side files, as well as two encoded secondary PE payload files that the malware installs on the victim hosts upon receiving an operator\u00e2\u20ac\u2122s command. By analyzing the files, we were able to further understand the overall multi-staging structure of the BabyShark malware and features, such as how it attempts to maintain operational security and supported remote administration commands. Based on our research, it appears the malware author calls the encoded secondary payload \u00e2\u20ac\u0153Cowboy\u00e2\u20ac\u009d regardless of what malware family is delivered.\r\n\r\nOur research shows the most recent malicious activities involving BabyShark malware appear to be carried out for two purposes:\r\n\r\n Espionage on nuclear security and the Korean peninsula\u00e2\u20ac\u2122s national security issues\r\n Financial gain with focus on the cryptocurrency industry based on the decoy contents used in the samples, shown in Figure 1. Xcryptocrash is an online cryptocurrency gambling game."
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5cc3fa72-76e4-4a59-9290-bdbe02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-27T06:45:06.000Z" ,
"modified" : "2019-04-27T06:45:06.000Z" ,
"first_observed" : "2019-04-27T06:45:06Z" ,
"last_observed" : "2019-04-27T06:45:06Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5cc3fa72-76e4-4a59-9290-bdbe02de0b81" ,
"artifact--5cc3fa72-76e4-4a59-9290-bdbe02de0b81"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"Payload delivery\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5cc3fa72-76e4-4a59-9290-bdbe02de0b81" ,
"name" : "Fig-2.-BabyShark-flowchart.png" ,
"content_ref" : "artifact--5cc3fa72-76e4-4a59-9290-bdbe02de0b81"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--5cc3fa72-76e4-4a59-9290-bdbe02de0b81" ,
"payload_bin" : " i V B O R w 0 K G g o A A A A N S U h E U g A A A 0 0 A A A H H C A Y A A A B j t 7 O 7 A A A K r W l D Q 1 B J Q 0 M g U H J v Z m l s Z Q A A S I m V l g d U U 2 k W x 7 / 30 h s t I d I J N X T p V X o N I E Q 6 i E p I K K G E E A g g d m R w B M e C i g g o I z o I o u C o F F E R s W A b B B T B O i C D g r o O F r C g s g 9 Y w s 7 u 2 d 2 z / 5 y b 73 d u v v d / 931595 w L A H m A I x S m w D I A p A o y R U H e b o y I y C g G b h i g g S w g A C N A 4 X A z h K 5 s t j 9 A N L / + V Z P 3 A T S z 3 j W e 8 f r 33 / + r Z H l x G V w A I D b C s b w M b i r C Z 5 B o 4 w p F m Q C g k A B a 2 Z n C G S 5 F m C Z C C k T 4 + A w n z H H 7 D M f O 8 b 3 Z P S F B 7 g i P A o A n c z i i B A B I H 5 A 8 I 4 u b g P i Q a Q i b C n h 8 A c I e C D t x E z k 8 h P M R N k p N T Z v h k w j r x f 6 T T 8 J f P G M l n h x O g o T n n m V W e A 9 + h j C F s / r / P I 7 / r d Q U 8 f w 9 N J E g J 4 p 8 g p C V j p x Z T X K a n 4 Q F s Q G B 88 z n z e 6 f 5 U S x T + g 8 c z P c o + a Z x / H w m 2 d x c q j r P H N E C 9 f y M 1 k h 8 y x K C 5 L 4 C 1 I C / C X + c S w J x 2 V 4 B s 9 z P N + L N c + 5 i S H h 85 z F D w u Y 54 z k Y L + F P e 6 S v E g c J K k 5 X u Q l e c b U j I X a u J y F e 2 U m h v g s 1 B A h q Y c X 5 + E p y Q t C J f u F m W 4 S T 2 E K e 6 H + F G 9 J P i M r W H J t J v K C z X M S x 5e94 M O W n A / w A J 7 A H / k w A B u Y A 0 t g B u w A U l V m X M 7 M O w 3 c 0 4 S r R f y E x E y G K 9 I 1 c Q y W g G t i x D A 3 N b M D Y K Y H 5 / 7 i 9 w O z v Q X R 8 Q s 53 g g A F j N 9 o r e Q S 0 I 6 + N w k 0 k 6 N C z n m E A A y B w B o Z 3 P F o q y 5 H H r m C w O I Q B r Q g C J Q A 1 p A D x g j 9 V k D B + C C V O w L A k E I i A Q r A R c k g l Q g A t l g L d g E C k A R 2 A n 2 g j J Q C Q 6 D G n A C n A L N 4 D y 4 B K 6 B W 6 A b 9 I F H Y B C M g F d g H E y C K Q i C c B A F o k K K k D q k A x l C 5 p A t 5 A R 5 Q v 5 Q E B Q J x U A J k A A S Q 2 u h z V A R V A y V Q Y e g W u h X 6 C x 0 C b o B 9 U A P o C F o D H o H f Y F R M B m m w a q w L r w Y t o V d Y T 84 B F 4 B J 8 D p c C 6 c D 2 + H S + E q + D j c B F + C b 8 F 98 C D 8 C p 5 A A R Q J R U d p o I x R t i h 3 V C A q C h W P E q H W o w p R J a g q V D 2 q F d W J u o s a R L 1 G f U Z j 0 V Q 0 A 22 M d k D 7 o E P R X H Q 6 e j 16 G 7 o M X Y N u Q l 9 B 30 U P o c f R 3 z E U j A r G E G O P Y W E i M A m Y b E w B p g R T j W n E X M X 0 Y U Y w k 1 g s l o 5 l Y m 2 w P t h I b B J 2 D X Y b 9 g C 2 A d u O 7 c E O Y y d w O J w i z h D n i A v E c X C Z u A L c f t x x 3 E V c L 24E9 w l P w q v j z f F e + C i 8 A J + H L 8 E f w 7 f h e / E v 8 F M E G Y I O w Z 4 Q S O A R V h N 2 E I 4 Q W g l 3 C C O E K a I s k U l 0 J I Y Q k 4 i b i K X E e u J V 4 m P i e x K J p E m y I y 0 j 8 U k b S a W k k 6 T r p C H S Z 7 I c 2 Y D s T o 4 m i 8 n b y U f J 7 e Q H 5 P c U C k W X 4 k K J o m R S t l N q K Z c p T y m f p K h S J l I s K Z 7 U B q l y q S a p X q k 30 g R p H W l X 6 Z X S u d I l 0 q e l 70 i / l i H I 6 M q 4 y 3 B k 1 s u U y 5 y V 6 Z e Z k K X K m s k G y q b K b p M 9 J n t D d l Q O J 6 c r 5 y n H k 8 u X O y x 3 W W 6 Y i q J q U d 2 p X O p m 6 h H q V e o I D U t j 0 l i 0 J F o R 7 Q S t i z Y u L y d v K R 8 m n y N f L n 9 B f p C O o u v S W f Q U + g 76 K f p 9 + p d F q o t c F 8 U t 2 r q o f l H v o o 8 K y g o u C n E K h Q o N C n 0 K X x Q Z i p 6 K y Y q 7 F J s V n y i h l Q y U l i l l K x 1 U u q r 0 W p m m 7 K D M V S 5 U P q X 8 U A V W M V A J U l m j c l j l t s q E q p q q t 6 p Q d b / q Z d X X a n Q 1 F 7 U k t T 1 q b W p j 6 l R 1 J 3 W + + h 71 i + o v G f I M V 0 Y K o 5 R x h T G u o a L h o y H W O K T R p T G l y d Q M 1 c z T b N B 8 o k X U s t W K 19 q j 1 a E 1 r q 2 u v V R 7 r X a d 9 k M d g o 6 t T q L O P p 1 O n Y + 6 T N 1 w 3 S 26 z b q j T A U m i 5 n L r G M + 1 q P o O e u l 61 X p 3 d P H 6 t v q J + s f 0 O 82 g A 2 s D B I N y g 3 u G M K G 1 o Z 8 w w O G P U Y Y I z s j g V G V U b 8 x 2 d j V O M u 4 z n j I h G 7 i b 5 J n 0 m z y Z r H 24 q j F u x Z 3 L v 5 u a m W a Y n r E 9 J G Z n J m v W Z 5 Z q 9 k 7 c w N z r n m 5 + T 0 L i o W X x Q a L F o u 3 l o a W c Z Y H L Q e s q F Z L r b Z Y d V h 9 s 7 a x F l n X W 4 / Z a N v E 2 F T Y 9 N v S b N m 222 y v 22 H s 3 O w 22 J 23 + 2 x v b Z 9 p f 8 r + T w d j h 2 S H Y w 6 j S 5 h L 4 p Y c W T L s q O n I c T z k O O j E c I p x + t l p 0 F n D m e N c 5 f z M R c u F 51 L t 8 s J V 3 z X J 9 b j r G z d T N 5 F b o 9 t H d 3 v 3 d e 7 t H i g P b 49 C j y 5 P O c 9 Q z z L P p 16 a X g l e d V 7 j 3 l b e a 7 z b f T A + f j 67 f P p Z q i w u q 5 Y 17 m v j u 873 i h / Z L 9 i v z O + Z v 4 G / y L 91 K b z U d + n u p Y 8 D d A I E A c 2 B I J A V u D v w C Z v J T m e f W 4 Z d x l 5 W v u x 5 k F n Q 2 q D O Y G r w q u B j w Z M h b i E 7 Q h 6 F 6 o W K Q z v C p M O i w 2 r D P o Z 7 h B e H D 0 Y s j l g X c S t S K Z I f 2 R K F i w q L q o 6 a W O 65 f O / y k W i r 6 I L o + y u Y K 3 J W 3 F i p t D J l 5 Y V V 0 q s 4 q 0 7 H Y G L C Y 47 F f O U E c q o 4E7 G s 2 I r Y c a 47 d x / 3 F c + F t 4 c 3 F u c Y V x z 3 I t 4 x v j h + N M E x Y X f C W K J z Y k n i a 747 v 4 z / N s k n q T L p Y 3 J g 8 t H k 6 Z T w l I Z U f G p M 6 l m B n C B Z c C V N L S 0 n r U d o K C w Q D q b b p + 9 N H x f 5 i a o z o I w V G S 2 Z N G T Y u S 3 W E / 8 g H s p y y i r P + p Q d l n 0 6 R z Z H k H N 7 t c H q r a t f 5 H r l / r I G v Y a 7 p m O t x t p N a 4 f W u a 47 t B 5 a H 7 u + Y 4 P W h v w N I x u 9 N 9 Z s I m 5 K 3 v R b n m l e c d 6 H z e G b W / N V 8 z f m D //g/UNdgVSBqKB/i8OWyh/RP/J/7NpqsXX/1u+FvMKbRaZFJUVft3G33fzJ7KfSn6a3x2/v2mG94+BO7E7Bzvu7nHfVFMsW5xYP7166u2kPY0/hng97V+29UWJZUrmPuE+8b7DUv7Rlv/b+nfu/liWW9ZW7lTdUqFRsrfh4gHeg96DLwfpK1cqiyi8/838eOOR9qKlKt6rkMPZw1uHnR8KOdP5i+0tttVJ1UfW3o4KjgzVBNVdqbWprj6kc21EH14nrxo5HH+8+4XGipd64/lADvaHoJDgpPvny15hf75/yO9Vx2vZ0/RmdMxWN1MbCJqhpddN4c2LzYEtkS89Z37MdrQ6tjedMzh09r3G+/IL8hR1txLb8tumLuRcn2oXtry8lXBruWNXx6HLE5XtXll3puup39fo1r2uXO107L153vH7+hv2Nszdtbzbfsr7VdNvqduNvVr81dll3Nd2xudPSbdfd2rOkp63XuffSXY+71+6x7t3qC+jruR96f6A/un9wgDcw+iDlwduHWQ+nHm18jHlc+ETmSclTladVv+v/3jBoPXhhyGPo9rPgZ4+GucOv/sj44+tI/nPK85IX6i9qR81Hz495jXW/XP5y5JXw1dTrgr/J/q3ijd6bM3+6/Hl7PGJ85K3o7fS7be8V3x/9YPmhY4I98XQydXLqY+EnxU81n20/d34J//JiKvsr7mvpN/1vrd/9vj+eTp2eFnJEnNlRAIUEHB8PwLujAFAiAaB2A0CUmpuRZwXNzfWzBP4Tz83Rs7IGALECYUgEuQBQgQQTCemNALCRNcQFwBYWkviHMuItzOe8SM3IaFIyPf0emQ1x+gB865+enmqenv5WjRT7EJljJudm8xnJIPN/9wNTC1///tAh8K/6Oze9BkYKTefQAAABnWlUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iWE1QIENvcmUgNS40LjAiPgogICA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPgogICAgICA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIgogICAgICAgICAgICB4bWxuczpleGlmPSJodHRwOi8vbnMuYWRvYmUuY29tL2V4aWYvMS4wLyI+CiAgICAgICAgIDxleGlmOlBpeGV
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc3fafa-8580-46cb-916a-44db02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-27T06:47:22.000Z" ,
"modified" : "2019-04-27T06:47:22.000Z" ,
"pattern" : "[file:hashes.SHA256 = '75917cc1bd9ecd7ef57b7ef428107778b19f46e8c38c00f1c70efc118cb8aab5']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-27T06:47:22Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc3fafb-5408-433e-8b31-408b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-27T06:47:23.000Z" ,
"modified" : "2019-04-27T06:47:23.000Z" ,
"pattern" : "[file:hashes.SHA256 = 'f86d05c1d7853c06fc5561f8df19b53506b724a83bb29c69b39f004a0f7f82d8']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-27T06:47:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\"" ,
"misp-galaxy:malpedia=\"Ghost RAT\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc3fafb-c8c0-42e6-bc0b-44a502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-27T06:47:23.000Z" ,
"modified" : "2019-04-27T06:47:23.000Z" ,
"pattern" : "[file:hashes.SHA256 = 'd50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-27T06:47:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc3fafb-7a28-4088-8973-4cc602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-27T06:47:41.000Z" ,
"modified" : "2019-04-27T06:47:41.000Z" ,
"description" : "Malicious Word Macro Document" ,
"pattern" : "[file:hashes.SHA256 = '4b3416fb6d1ed1f762772b4dd4f4f652e63ba41f7809b25c5fa0ee9010f7dae7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-27T06:47:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc3fafb-5174-4cf6-b028-4e1202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-27T06:47:23.000Z" ,
"modified" : "2019-04-27T06:47:23.000Z" ,
"pattern" : "[file:hashes.SHA256 = '33ce9bcaeb0733a77ff0d85263ce03502ac20873bf58a118d1810861caced254']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-27T06:47:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5cc3fafb-7744-4075-838a-49c702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-27T06:47:23.000Z" ,
"modified" : "2019-04-27T06:47:23.000Z" ,
"pattern" : "[file:hashes.SHA256 = 'bd6efb16527b025a5fd256bb357a91b4ff92aff599105252e50b87f1335db9e1']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-27T06:47:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5cc4069c-ed84-47b2-8f41-43b0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-27T07:37:00.000Z" ,
"modified" : "2019-04-27T07:37:00.000Z" ,
"labels" : [
"misp:name=\"script\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "script" ,
"value" : "import base64\r\n\r\nwith open(\u00e2\u20ac\u02dccowboy\u00e2\u20ac\u2122, \u00e2\u20ac\u02dcr\u00e2\u20ac\u2122) as file_in, open(\u00e2\u20ac\u02dccowboy_clear.bin\u00e2\u20ac\u2122, \u00e2\u20ac\u02dcwb\u00e2\u20ac\u2122) as file_out:\r\n\r\n EncStr = file_in.read()\r\n\r\n BlkSz = 10\r\n\r\n len_EncStr = len(EncStr)\r\n\r\n NonBlk10_ptr = len_EncStr \u00e2\u20ac\u201c (BlkSz -1) * (len_EncStr // BlkSz)\r\n\r\n NonBlk10 = EncStr [:NonBlk10_ptr]\r\n\r\n result = \u00e2\u20ac\u009d\r\n\r\n EncStr = EncStr [NonBlk10_ptr::]\r\n\r\n #print EncStr\r\n\r\n x = range (-1,BlkSz-1)\r\n\r\n Blksize1 = len_EncStr // BlkSz\r\n\r\n for n in x:\r\n\r\n loop_buff1_ptr = n * (len_EncStr // BlkSz)\r\n\r\n loop_buff1 = EncStr [loop_buff1_ptr:loop_buff1_ptr+Blksize1]\r\n\r\n #print loop_buff1\r\n\r\n result = loop_buff1 + result\r\n\r\n result = result + NonBlk10\r\n\r\n clear = base64.b64decode(result)[::-1]\r\n\r\n print clear\r\n\r\nfile_out.write(clear)" ,
"category" : "Other" ,
"uuid" : "5cc4069d-e05c-4b0b-a27b-42ee950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "language" ,
"value" : "Python" ,
"category" : "Other" ,
"uuid" : "5cc4069d-8094-4565-8c48-4b4c950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "comment" ,
"value" : "Python Script for Decoding Cowboy" ,
"category" : "Other" ,
"uuid" : "5cc4069d-95dc-4ca0-ab95-4114950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "state" ,
"value" : "Trusted" ,
"category" : "Other" ,
"uuid" : "5cc4069d-0010-4538-93dc-4a8d950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "script"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--c5a73ecb-7963-487b-9c12-4b0e86a495ae" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-27T07:43:16.000Z" ,
"modified" : "2019-04-27T07:43:16.000Z" ,
"pattern" : "[file:hashes.MD5 = '03dbc1b3d79a4ff70f06fd6e67e00985' AND file:hashes.SHA1 = 'dbfdf474c76428f02fc4fbe408a8fe81a9402421' AND file:hashes.SHA256 = '75917cc1bd9ecd7ef57b7ef428107778b19f46e8c38c00f1c70efc118cb8aab5']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-27T07:43:16Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--ec43ff24-211c-430f-84ab-5f57fa153d60" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-27T07:43:17.000Z" ,
"modified" : "2019-04-27T07:43:17.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-04-27T00:43:44" ,
"category" : "Other" ,
"uuid" : "1ef7752b-f188-42f5-8df8-5eb52e7c1a3e"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/75917cc1bd9ecd7ef57b7ef428107778b19f46e8c38c00f1c70efc118cb8aab5/analysis/1556325824/" ,
"category" : "Payload delivery" ,
"uuid" : "8e8a2ce7-e747-4d32-9183-77f4d3439518"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "24/63" ,
"category" : "Payload delivery" ,
"uuid" : "10278f12-9615-4779-8ec1-d851b3124373"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--e04af19f-c666-456b-95c9-b1b19d401d5d" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-27T07:43:17.000Z" ,
"modified" : "2019-04-27T07:43:17.000Z" ,
"pattern" : "[file:hashes.MD5 = '57ef27823865c8f7784b0d37fd2c4aa8' AND file:hashes.SHA1 = 'd953005a70bf9d6282a9792c2598218657f31e25' AND file:hashes.SHA256 = 'bd6efb16527b025a5fd256bb357a91b4ff92aff599105252e50b87f1335db9e1']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-27T07:43:17Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--af318753-2c6d-41cc-a37b-f9db1cec6b7a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-27T07:43:17.000Z" ,
"modified" : "2019-04-27T07:43:17.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-04-24T20:00:44" ,
"category" : "Other" ,
"uuid" : "52406c92-c58c-45e1-a839-40a456d351a1"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/bd6efb16527b025a5fd256bb357a91b4ff92aff599105252e50b87f1335db9e1/analysis/1556136044/" ,
"category" : "Payload delivery" ,
"uuid" : "cd77c1bb-6b7e-41c2-a379-e94a091812aa"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "3/71" ,
"category" : "Payload delivery" ,
"uuid" : "34e8e79b-d608-4c84-91bd-d00813a4e0f8"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--1ca9e3cc-11cf-4417-ae89-12d0db9e9240" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-27T07:43:17.000Z" ,
"modified" : "2019-04-27T07:43:17.000Z" ,
"pattern" : "[file:hashes.MD5 = '6590830061f85c0acc5259013555d079' AND file:hashes.SHA1 = 'b014e1b20499fcbab4c8e7af351ce08ac7f7832e' AND file:hashes.SHA256 = '4b3416fb6d1ed1f762772b4dd4f4f652e63ba41f7809b25c5fa0ee9010f7dae7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-27T07:43:17Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--210c73d6-356a-4be2-ba0a-cbf5b9ed607e" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-27T07:43:17.000Z" ,
"modified" : "2019-04-27T07:43:17.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-04-26T09:23:39" ,
"category" : "Other" ,
"comment" : "Malicious Word Macro Document" ,
"uuid" : "9ed264d6-a346-4239-b5af-573ec35466d9"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/4b3416fb6d1ed1f762772b4dd4f4f652e63ba41f7809b25c5fa0ee9010f7dae7/analysis/1556270619/" ,
"category" : "Payload delivery" ,
"comment" : "Malicious Word Macro Document" ,
"uuid" : "b7329de0-871d-4813-84a6-ca73093ef4a7"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "5/71" ,
"category" : "Payload delivery" ,
"comment" : "Malicious Word Macro Document" ,
"uuid" : "a5f82c6b-902f-4b62-8bb2-a4b00f39e40b"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--41e3fdee-552a-4961-8183-635188ef931d" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-27T07:43:17.000Z" ,
"modified" : "2019-04-27T07:43:17.000Z" ,
"pattern" : "[file:hashes.MD5 = '61f42c2dc1da18b046c6b274abe6f4ca' AND file:hashes.SHA1 = 'da188539e0dddae87245bcbc6e30eeb8ea607657' AND file:hashes.SHA256 = 'd50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-04-27T07:43:17Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5620ac27-0a6e-466a-90ff-6e97ab1e498d" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-04-27T07:43:17.000Z" ,
"modified" : "2019-04-27T07:43:17.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-12-31T07:08:17" ,
"category" : "Other" ,
"uuid" : "74fc5c3e-b17b-4d9e-88a5-f222d2fd231e"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712/analysis/1546240097/" ,
"category" : "Payload delivery" ,
"uuid" : "4afc8fc9-8686-4923-8dba-43f8fcc94109"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "11/68" ,
"category" : "Payload delivery" ,
"uuid" : "67182b20-bb11-4fa0-b212-31ac0634bc3a"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-08-07 08:13:15 +00:00
"id" : "relationship--f9b6c771-8a3a-4782-800e-e7c7e1d94cfe" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-04-27T07:43:18.000Z" ,
"modified" : "2019-04-27T07:43:18.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--c5a73ecb-7963-487b-9c12-4b0e86a495ae" ,
"target_ref" : "x-misp-object--ec43ff24-211c-430f-84ab-5f57fa153d60"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-08-07 08:13:15 +00:00
"id" : "relationship--dec16baf-0c91-4b8f-bfa0-9d7b5d59a126" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-04-27T07:43:18.000Z" ,
"modified" : "2019-04-27T07:43:18.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--e04af19f-c666-456b-95c9-b1b19d401d5d" ,
"target_ref" : "x-misp-object--af318753-2c6d-41cc-a37b-f9db1cec6b7a"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-08-07 08:13:15 +00:00
"id" : "relationship--ba8ae707-c260-4b3d-8374-cb637fb8c7e2" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-04-27T07:43:18.000Z" ,
"modified" : "2019-04-27T07:43:18.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--1ca9e3cc-11cf-4417-ae89-12d0db9e9240" ,
"target_ref" : "x-misp-object--210c73d6-356a-4be2-ba0a-cbf5b9ed607e"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-08-07 08:13:15 +00:00
"id" : "relationship--6bdf98de-bfc7-44cd-a0ca-efa601944b9b" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-04-27T07:43:18.000Z" ,
"modified" : "2019-04-27T07:43:18.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--41e3fdee-552a-4961-8183-635188ef931d" ,
"target_ref" : "x-misp-object--5620ac27-0a6e-466a-90ff-6e97ab1e498d"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}
