{ "type": "bundle", "id": "bundle--2ebc21a4-5635-4a7d-9553-ec5f58be0ee6", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T13:09:20.000Z", "modified": "2021-02-02T13:09:20.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--2ebc21a4-5635-4a7d-9553-ec5f58be0ee6", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T13:09:20.000Z", "modified": "2021-02-02T13:09:20.000Z", "name": "OSINT - Kobalos \u2013 A complex Linux threat to high performance computing infrastructure", "published": "2021-02-02T13:11:55Z", "object_refs": [ "observed-data--07103d07-aa9a-4694-a89c-5cd4fc94221e", "url--07103d07-aa9a-4694-a89c-5cd4fc94221e", "observed-data--fd42b022-1d71-4dda-ab1f-3f9e4a49e663", "url--fd42b022-1d71-4dda-ab1f-3f9e4a49e663", "x-misp-object--f35188ee-2150-4d49-940a-16d588cf7562", "x-misp-object--026c0bbe-8e18-47ff-9069-0ce387459a39", "indicator--bbc90dca-7637-45a0-a897-e5832580635e", "indicator--59711fce-1669-416e-a863-282972f05a30", "indicator--ce16efd3-b989-4fdb-9cad-3cb622be8c92", "x-misp-object--96edf472-61bf-4f3c-81ce-932eb0329136", "indicator--143c7525-68f6-4367-97a8-4540bdffa019", "indicator--422f962e-0a08-4bf4-9d95-406422b35bcb", "indicator--56810ac9-e525-446d-b903-62fa770ae06a", "indicator--394bf3c8-c3a2-412d-828c-d5e2b0c6811f", "indicator--0fa4cd2e-4304-4657-99ad-962f7eb548f0", "x-misp-object--5564a28d-f2a5-41da-9339-6b72f64c6832", "indicator--683e6644-bb2e-4ae9-b1e4-139453b8402e", "x-misp-object--f10e10ba-0d66-4505-a4d5-1689c9f5e25b", "indicator--84bd6b39-8189-4eee-8fef-6d9ee06306a1", "x-misp-object--b2a8b157-a04f-484f-8d88-549ede5b0068", "indicator--68ac0130-82b6-4709-ae98-cee6fe7fb4ed", "indicator--d4f9f303-b8b7-421a-b1bc-b2ad6f0396c6", "x-misp-object--fe1474ac-d0a1-4792-8936-e25686ad6662", "indicator--1e04dc6e-de14-441d-a7f6-09a5d54f0667", "indicator--137efbb9-75cd-46e9-8dba-7d8e36a983b5", "x-misp-object--6743c14d-5278-41a1-a8d2-678f94f59d6d", "indicator--cd4a56fb-10a5-46f9-868e-2d2d9cee93c5", "x-misp-object--5d93ad07-c377-43cc-b9e4-1b0ab3d0da83", "indicator--bb8fc68e-77a6-4115-abf5-3fc14c1039dd", "x-misp-object--a9cacc5a-a03f-463a-95a1-854718064bb3", "x-misp-object--8dc33498-4ead-4457-a3eb-e85032df1405", "indicator--b4f748c5-41f0-4a59-bf7a-069086896c94", "x-misp-object--5b93ec98-7b27-4038-b9ca-6c8ae8ae44da", "indicator--577cde70-7de9-4776-975b-9c0100ceae5e", "x-misp-object--977fbf1c-4163-45ce-a014-4f58536d3703", "indicator--9a711583-6ce7-4265-aba8-7350383961b6", "x-misp-object--3f558b7a-d342-4090-92a2-82e2210b68e7", "relationship--ad44ea65-909e-41a5-8725-de45cefa54d8", "relationship--f6242472-e158-4382-956c-b7f6382ed60e", "relationship--8b08d00b-d6f5-4939-842b-343192e434d4", "relationship--9aca85e7-101c-4336-8579-e3af4507c099", "relationship--8563ab2e-388b-4039-a41f-2c7b804ff697", "relationship--2d9795e1-802a-40c9-8b64-997ad973b375", "relationship--410675f0-b7c9-4b73-80cd-526e64d42979", "relationship--871f8591-e619-47c4-9a86-d62e1fe5c731", "relationship--785b9204-7d53-4276-a7fc-1a45067231df", "relationship--d9488286-2d44-4c90-8158-b3dafa1aae88", "relationship--ac1a99f1-908a-403f-a95d-21d931338608", "relationship--e4958db3-eb6a-49ca-8ba1-e81b612efe30", "relationship--b59b54aa-1e63-4c73-a90a-cddda95125cb", "relationship--b1b4bb68-3d5d-447d-bd49-ec37a82bfe5c", "relationship--11dd2d0d-cc9e-481b-8446-cc34c244a165" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "estimative-language:confidence-in-analytic-judgment=\"high\"", "misp-galaxy:mitre-attack-pattern=\"Compromise Client Software Binary - T1554\"", "misp-galaxy:mitre-attack-pattern=\"Traffic Signaling - T1205\"", "misp-galaxy:mitre-attack-pattern=\"Clear Command History - T1070.003\"", "misp-galaxy:mitre-attack-pattern=\"Timestomp - T1070.006\"", "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"", "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"", "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--07103d07-aa9a-4694-a89c-5cd4fc94221e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T13:02:20.000Z", "modified": "2021-02-02T13:02:20.000Z", "first_observed": "2021-02-02T13:02:20Z", "last_observed": "2021-02-02T13:02:20Z", "number_observed": 1, "object_refs": [ "url--07103d07-aa9a-4694-a89c-5cd4fc94221e" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--07103d07-aa9a-4694-a89c-5cd4fc94221e", "value": "https://github.com/eset/malware-ioc/blob/master/kobalos/README.adoc" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--fd42b022-1d71-4dda-ab1f-3f9e4a49e663", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T13:02:20.000Z", "modified": "2021-02-02T13:02:20.000Z", "first_observed": "2021-02-02T13:02:20Z", "last_observed": "2021-02-02T13:02:20Z", "number_observed": 1, "object_refs": [ "url--fd42b022-1d71-4dda-ab1f-3f9e4a49e663" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--fd42b022-1d71-4dda-ab1f-3f9e4a49e663", "value": "https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--f35188ee-2150-4d49-940a-16d588cf7562", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T11:07:49.000Z", "modified": "2021-02-02T11:07:49.000Z", "labels": [ "misp:name=\"crypto-material\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "type", "value": "RC4", "category": "Other", "uuid": "02240c3f-3379-48bc-ac66-849be8ab76ba" }, { "type": "text", "object_relation": "generic-symmetric-key", "value": "AE0E05090F3AC2B50B1BC6E91D2FE3CE", "category": "Other", "uuid": "809ba87e-5329-498a-86ae-66755abaf2e9" } ], "x_misp_comment": "Static RC4 key for strings", "x_misp_meta_category": "misc", "x_misp_name": "crypto-material" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--026c0bbe-8e18-47ff-9069-0ce387459a39", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T11:08:40.000Z", "modified": "2021-02-02T11:08:40.000Z", "labels": [ "misp:name=\"crypto-material\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "type", "value": "RSA", "category": "Other", "uuid": "2b4462a4-6d51-4f69-8e02-6308c444d046" }, { "type": "text", "object_relation": "public", "value": "-----BEGIN PUBLIC KEY-----\r\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAOUgD8sEF1kZ04QxCd60HrB+TxWnLQED\r\nwzb0sZ8vMMD6xnUAJspdYzSVDnRnKYjTOM43qtLNcJOwVj6cuC1uHHMCAwEAAQ==\r\n-----END PUBLIC KEY-----", "category": "Other", "uuid": "6030c4fb-79de-4652-9e2c-cda3a0dca7b4" } ], "x_misp_meta_category": "misc", "x_misp_name": "crypto-material" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bbc90dca-7637-45a0-a897-e5832580635e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T11:09:49.000Z", "modified": "2021-02-02T11:09:49.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '151.80.57.191') AND network-traffic:dst_port = '7070']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-02-02T11:09:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59711fce-1669-416e-a863-282972f05a30", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T13:09:20.000Z", "modified": "2021-02-02T13:09:20.000Z", "description": "Stand-alone binary - (Debian OS) - Connects to 151.80.57.191:7070", "pattern": "[file:hashes.SHA1 = '479f470e83f9a5b66363fba5547fdfcf727949da' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-02-02T13:09:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ce16efd3-b989-4fdb-9cad-3cb622be8c92", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T11:12:06.000Z", "modified": "2021-02-02T11:12:06.000Z", "pattern": "[file:hashes.MD5 = '2c693d26ba9df26edf77557c1a709528' AND file:hashes.SHA1 = '479f470e83f9a5b66363fba5547fdfcf727949da' AND file:hashes.SHA256 = '73576d5a21ec2f164fe37bea86964e18dca1b800a8c7a104223cc35d74e7bd58']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-02-02T11:12:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--96edf472-61bf-4f3c-81ce-932eb0329136", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T11:12:07.000Z", "modified": "2021-02-02T11:12:07.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2021-02-01T18:56:46+00:00", "category": "Other", "uuid": "35baa849-71a0-4406-a3b8-7135a4442667" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/73576d5a21ec2f164fe37bea86964e18dca1b800a8c7a104223cc35d74e7bd58/detection/f-73576d5a21ec2f164fe37bea86964e18dca1b800a8c7a104223cc35d74e7bd58-1612205806", "category": "Payload delivery", "uuid": "b451437f-a3ad-4026-a74f-ed19ae19bce1" }, { "type": "text", "object_relation": "detection-ratio", "value": "3/62", "category": "Payload delivery", "uuid": "1b93b043-b92b-489d-8372-2c0df9f680f2" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--143c7525-68f6-4367-97a8-4540bdffa019", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T11:14:55.000Z", "modified": "2021-02-02T11:14:55.000Z", "description": "RHEL\r\n\t\r\n\r\nsshd\r\n\t\r\n\r\nWait for connection from source port 55201", "pattern": "[file:hashes.SHA1 = 'fbf0a76ced2939d1f7ec5f9ea58c5a294207f7fe' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-02-02T11:14:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--422f962e-0a08-4bf4-9d95-406422b35bcb", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T11:17:54.000Z", "modified": "2021-02-02T11:17:54.000Z", "description": "FreeBSD\r\n\t\r\n\r\nsshd Wait for connection from source port 55201", "pattern": "[file:hashes.SHA1 = 'affa12cc94578d63a8b178ae19f6601d5c8bb224' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-02-02T11:17:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56810ac9-e525-446d-b903-62fa770ae06a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T11:18:39.000Z", "modified": "2021-02-02T11:18:39.000Z", "description": "Ubuntu\r\n\t\r\n\r\nsshd\r\n\t\r\n\r\nWait for connection from source port 55201", "pattern": "[file:hashes.SHA1 = '325f24e8f5d56db43d6914d9234c08c888cdae50' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-02-02T11:18:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--394bf3c8-c3a2-412d-828c-d5e2b0c6811f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T11:19:54.000Z", "modified": "2021-02-02T11:19:54.000Z", "description": "Arch Linux\r\n\t\r\n\r\nsshd\r\n\t\r\n\r\nWait for connection from source port 55201", "pattern": "[file:hashes.SHA1 = 'a4050a8171b0fa3ae9031e0f8b7272facf04a3aa' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-02-02T11:19:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0fa4cd2e-4304-4657-99ad-962f7eb548f0", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T12:49:26.000Z", "modified": "2021-02-02T12:49:26.000Z", "description": "SSH credential stealer ", "pattern": "[file:hashes.SHA1 = '6616de799b5105ee2eb83bbe25c7f4433420dff7' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-02-02T12:49:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5564a28d-f2a5-41da-9339-6b72f64c6832", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T11:22:41.000Z", "modified": "2021-02-02T11:22:41.000Z", "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "fullpath", "value": "/var/run/nscd/ns.pid", "category": "Other", "uuid": "ce3d187a-ca3b-4be6-9cc4-74a7169a1868" } ], "x_misp_meta_category": "file", "x_misp_name": "file" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--683e6644-bb2e-4ae9-b1e4-139453b8402e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T12:51:48.000Z", "modified": "2021-02-02T12:51:48.000Z", "description": "SSH credential stealer ", "pattern": "[file:hashes.SHA1 = 'e094dd02cc954b6104791925e0d1880782b046cf' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-02-02T12:51:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--f10e10ba-0d66-4505-a4d5-1689c9f5e25b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T12:51:24.000Z", "modified": "2021-02-02T12:51:24.000Z", "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "fullpath", "value": "/var/run/udev/ud.pid", "category": "Other", "uuid": "bf6ee019-dcf4-465b-9897-6c9752b717d3" } ], "x_misp_meta_category": "file", "x_misp_name": "file" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--84bd6b39-8189-4eee-8fef-6d9ee06306a1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T12:56:24.000Z", "modified": "2021-02-02T12:56:24.000Z", "description": "SSH credential stealer FreeBSD", "pattern": "[file:hashes.SHA1 = '1dd0edc5744d63a731db8c3b42efbd09d91fed78' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-02-02T12:56:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--b2a8b157-a04f-484f-8d88-549ede5b0068", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T12:55:48.000Z", "modified": "2021-02-02T12:55:48.000Z", "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "fullpath", "value": "/var/run/udevd.pid", "category": "Other", "uuid": "364d8668-bf3b-4cf1-8841-e38c9a1c8b15" } ], "x_misp_meta_category": "file", "x_misp_name": "file" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--68ac0130-82b6-4709-ae98-cee6fe7fb4ed", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T12:57:50.000Z", "modified": "2021-02-02T12:57:50.000Z", "description": "SSH credential stealer ", "pattern": "[file:hashes.SHA1 = 'c1f530d3c189b9a74dbe02cfeb29f38be8ca41ba' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-02-02T12:57:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d4f9f303-b8b7-421a-b1bc-b2ad6f0396c6", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T12:59:16.000Z", "modified": "2021-02-02T12:59:16.000Z", "description": "SSH credential stealer ", "pattern": "[file:hashes.SHA1 = '659cbdf9288137937bb71146b6f722ffcda1c5fe' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-02-02T12:59:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--fe1474ac-d0a1-4792-8936-e25686ad6662", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T12:58:51.000Z", "modified": "2021-02-02T12:58:51.000Z", "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "fullpath", "value": "/var/run/sshd/sshd.pid", "category": "Other", "uuid": "2940c1e1-451c-40a0-ab8b-bf02d05bec56" } ], "x_misp_meta_category": "file", "x_misp_name": "file" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1e04dc6e-de14-441d-a7f6-09a5d54f0667", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T13:00:20.000Z", "modified": "2021-02-02T13:00:20.000Z", "pattern": "rule kobalos\r\n{\r\n meta:\r\n description = \\\\\"Kobalos malware\\\\\"\r\n author = \\\\\"Marc-Etienne M.L\u00e9veill\u00e9\\\\\"\r\n date = \\\\\"2020-11-02\\\\\"\r\n reference = \\\\\"http://www.welivesecurity.com\\\\\"\r\n source = \\\\\"https://github.com/eset/malware-ioc/\\\\\"\r\n license = \\\\\"BSD 2-Clause\\\\\"\r\n version = \\\\\"1\\\\\"\r\n\r\n strings:\r\n $encrypted_strings_sizes = {\r\n 05 00 00 00 09 00 00 00 04 00 00 00 06 00 00 00\r\n 08 00 00 00 08 00 00 00 02 00 00 00 02 00 00 00\r\n 01 00 00 00 01 00 00 00 05 00 00 00 07 00 00 00\r\n 05 00 00 00 05 00 00 00 05 00 00 00 0A 00 00 00\r\n }\r\n $password_md5_digest = { 3ADD48192654BD558A4A4CED9C255C4C }\r\n $rsa_512_mod_header = { 10 11 02 00 09 02 00 }\r\n $strings_rc4_key = { AE0E05090F3AC2B50B1BC6E91D2FE3CE }\r\n\r\n condition:\r\n any of them\r\n}", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2021-02-02T13:00:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"yara\"", "misp:meta-category=\"misc\"", "misp:to_ids=\"True\"" ], "x_misp_context": "all" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--137efbb9-75cd-46e9-8dba-7d8e36a983b5", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T13:00:55.000Z", "modified": "2021-02-02T13:00:55.000Z", "pattern": "rule kobalos_ssh_credential_stealer {\r\n meta:\r\n description = \\\\\"Kobalos SSH credential stealer seen in OpenSSH client\\\\\"\r\n author = \\\\\"Marc-Etienne M.L\u00e9veill\u00e9\\\\\"\r\n date = \\\\\"2020-11-02\\\\\"\r\n reference = \\\\\"http://www.welivesecurity.com\\\\\"\r\n source = \\\\\"https://github.com/eset/malware-ioc/\\\\\"\r\n license = \\\\\"BSD 2-Clause\\\\\"\r\n version = \\\\\"1\\\\\"\r\n\r\n strings:\r\n $ = \\\\\"user: \\\\%.128s host: \\\\%.128s port \\\\%05d user: \\\\%.128s password: \\\\%.128s\\\\\"\r\n\r\n condition:\r\n any of them\r\n}", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2021-02-02T13:00:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"yara\"", "misp:meta-category=\"misc\"", "misp:to_ids=\"True\"" ], "x_misp_context": "all" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--6743c14d-5278-41a1-a8d2-678f94f59d6d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T13:03:24.000Z", "modified": "2021-02-02T13:03:24.000Z", "labels": [ "misp:name=\"report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "summary", "value": "ESET researchers have analyzed malware that has been targeting high performance computing (HPC) clusters, among other high-profile targets. We reverse engineered this small, yet complex, malware that is portable to many operating systems including Linux, BSD, Solaris, and possibly AIX and Windows. We have named this malware Kobalos for its tiny code size and many tricks; in Greek mythology, a Kobalos is a small, mischievous creature. Today we publish a paper titled \u201cA wild Kobalos appears: Tricksy Linux malware goes after HPCs\u201d describing the inner working of this threat.", "category": "Other", "uuid": "de941abb-8360-41fd-88b8-14ab18906b30" } ], "x_misp_meta_category": "misc", "x_misp_name": "report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--cd4a56fb-10a5-46f9-868e-2d2d9cee93c5", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T13:09:20.000Z", "modified": "2021-02-02T13:09:20.000Z", "pattern": "[file:hashes.MD5 = '4e52980f06f211668df959175d6c3d58' AND file:hashes.SHA1 = 'e094dd02cc954b6104791925e0d1880782b046cf' AND file:hashes.SHA256 = '75edf6662811d001da179b96bd06d675aa2439fd88a981cc84f24b4a5b4f8f45']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-02-02T13:09:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5d93ad07-c377-43cc-b9e4-1b0ab3d0da83", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T13:09:20.000Z", "modified": "2021-02-02T13:09:20.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2020-03-04T18:41:56+00:00", "category": "Other", "uuid": "8135e42c-4a36-47da-b8ad-595dcda6a2e6" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/75edf6662811d001da179b96bd06d675aa2439fd88a981cc84f24b4a5b4f8f45/detection/f-75edf6662811d001da179b96bd06d675aa2439fd88a981cc84f24b4a5b4f8f45-1583347316", "category": "Payload delivery", "uuid": "e5a8ebcf-af6e-444f-adc6-f8465fae0676" }, { "type": "text", "object_relation": "detection-ratio", "value": "0/61", "category": "Payload delivery", "uuid": "4ff0afc9-cac1-44be-b730-67fe00f15bef" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bb8fc68e-77a6-4115-abf5-3fc14c1039dd", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T13:09:20.000Z", "modified": "2021-02-02T13:09:20.000Z", "pattern": "[file:hashes.MD5 = '87837cc81c346e2a38ab1fe5e4826af2' AND file:hashes.SHA1 = '6616de799b5105ee2eb83bbe25c7f4433420dff7' AND file:hashes.SHA256 = '6c36e0341ea1529665de88b690a19a18ea02d2a2a5bae6d745e01efc194e486a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-02-02T13:09:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--a9cacc5a-a03f-463a-95a1-854718064bb3", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T13:09:20.000Z", "modified": "2021-02-02T13:09:20.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2021-02-02T11:56:14+00:00", "category": "Other", "uuid": "a1c31bf0-5438-4d5b-b6df-f13319a1cc84" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/6c36e0341ea1529665de88b690a19a18ea02d2a2a5bae6d745e01efc194e486a/detection/f-6c36e0341ea1529665de88b690a19a18ea02d2a2a5bae6d745e01efc194e486a-1612266974", "category": "Payload delivery", "uuid": "6299cd4c-b13d-42a4-94b3-6254cfd7fd59" }, { "type": "text", "object_relation": "detection-ratio", "value": "1/62", "category": "Payload delivery", "uuid": "2eeeaca5-5c72-4ea2-8c76-591780ddab71" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--8dc33498-4ead-4457-a3eb-e85032df1405", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T13:09:20.000Z", "modified": "2021-02-02T13:09:20.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2021-02-01T18:56:46+00:00", "category": "Other", "uuid": "40f30083-4b87-42ab-b515-9f8e07055145" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/73576d5a21ec2f164fe37bea86964e18dca1b800a8c7a104223cc35d74e7bd58/detection/f-73576d5a21ec2f164fe37bea86964e18dca1b800a8c7a104223cc35d74e7bd58-1612205806", "category": "Payload delivery", "uuid": "fc710595-3fb3-4fcf-87b0-daa1a5f69423" }, { "type": "text", "object_relation": "detection-ratio", "value": "3/62", "category": "Payload delivery", "uuid": "bf6548e5-2428-455c-929d-3a342ec0f4bf" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b4f748c5-41f0-4a59-bf7a-069086896c94", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T13:09:20.000Z", "modified": "2021-02-02T13:09:20.000Z", "pattern": "[file:hashes.MD5 = '7538d0ec96869fd53d7c613a108846c0' AND file:hashes.SHA1 = 'fbf0a76ced2939d1f7ec5f9ea58c5a294207f7fe' AND file:hashes.SHA256 = 'd51cb52136931af5ebd8628b64d6cd1327a99196b102d246f52d878ffb581983']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-02-02T13:09:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5b93ec98-7b27-4038-b9ca-6c8ae8ae44da", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T13:09:20.000Z", "modified": "2021-02-02T13:09:20.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2021-02-02T08:05:42+00:00", "category": "Other", "uuid": "7f072142-4e7c-490a-9f1d-7c5c3f563499" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/d51cb52136931af5ebd8628b64d6cd1327a99196b102d246f52d878ffb581983/detection/f-d51cb52136931af5ebd8628b64d6cd1327a99196b102d246f52d878ffb581983-1612253142", "category": "Payload delivery", "uuid": "88f8d78d-9e9e-4931-a826-85529a90ccfa" }, { "type": "text", "object_relation": "detection-ratio", "value": "1/62", "category": "Payload delivery", "uuid": "d11eb3b0-2889-45d8-8f90-f7021df6568c" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--577cde70-7de9-4776-975b-9c0100ceae5e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T13:09:20.000Z", "modified": "2021-02-02T13:09:20.000Z", "pattern": "[file:hashes.MD5 = 'f54ba4ac2eeb5c12a513872acabecbc6' AND file:hashes.SHA1 = 'affa12cc94578d63a8b178ae19f6601d5c8bb224' AND file:hashes.SHA256 = '9ed33b43e679ad98615e1a4e8c46dbeb9b93271625e46f4b4d021099b4b6fb74']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-02-02T13:09:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--977fbf1c-4163-45ce-a014-4f58536d3703", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T13:09:20.000Z", "modified": "2021-02-02T13:09:20.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2021-02-01T18:58:25+00:00", "category": "Other", "uuid": "cae3f6bb-2b69-48eb-9099-658fc16919d7" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/9ed33b43e679ad98615e1a4e8c46dbeb9b93271625e46f4b4d021099b4b6fb74/detection/f-9ed33b43e679ad98615e1a4e8c46dbeb9b93271625e46f4b4d021099b4b6fb74-1612205905", "category": "Payload delivery", "uuid": "4bf2aad3-5dc1-4a81-8c15-4f74538f9c8e" }, { "type": "text", "object_relation": "detection-ratio", "value": "1/61", "category": "Payload delivery", "uuid": "66364ddf-d38e-4d5a-8082-ba0682f6eb3b" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9a711583-6ce7-4265-aba8-7350383961b6", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T13:09:20.000Z", "modified": "2021-02-02T13:09:20.000Z", "pattern": "[file:hashes.MD5 = 'bc49dd3da0b2cb1425a466a3d2f0ed41' AND file:hashes.SHA1 = '1dd0edc5744d63a731db8c3b42efbd09d91fed78' AND file:hashes.SHA256 = '13cbde1b79ca195a06697df937580c82c0e1cd90cc91c18ddfe4a7802e8e923a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-02-02T13:09:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--3f558b7a-d342-4090-92a2-82e2210b68e7", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-02-02T13:09:20.000Z", "modified": "2021-02-02T13:09:20.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2020-03-09T08:44:44+00:00", "category": "Other", "uuid": "2b6ecaa2-bbe1-4903-b28b-8672896fb4d5" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/13cbde1b79ca195a06697df937580c82c0e1cd90cc91c18ddfe4a7802e8e923a/detection/f-13cbde1b79ca195a06697df937580c82c0e1cd90cc91c18ddfe4a7802e8e923a-1583743484", "category": "Payload delivery", "uuid": "99713b59-7b94-4c9f-9223-84190b6f00d3" }, { "type": "text", "object_relation": "detection-ratio", "value": "0/59", "category": "Payload delivery", "uuid": "227fe71f-0426-4338-b83e-890fc2a5e5ef" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ad44ea65-909e-41a5-8725-de45cefa54d8", "created": "1970-01-01T00:00:00.000Z", "modified": "1970-01-01T00:00:00.000Z", "relationship_type": "connects-to", "source_ref": "indicator--59711fce-1669-416e-a863-282972f05a30", "target_ref": "indicator--bbc90dca-7637-45a0-a897-e5832580635e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f6242472-e158-4382-956c-b7f6382ed60e", "created": "1970-01-01T00:00:00.000Z", "modified": "1970-01-01T00:00:00.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--59711fce-1669-416e-a863-282972f05a30", "target_ref": "x-misp-object--8dc33498-4ead-4457-a3eb-e85032df1405" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8b08d00b-d6f5-4939-842b-343192e434d4", "created": "1970-01-01T00:00:00.000Z", "modified": "1970-01-01T00:00:00.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--ce16efd3-b989-4fdb-9cad-3cb622be8c92", "target_ref": "x-misp-object--96edf472-61bf-4f3c-81ce-932eb0329136" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9aca85e7-101c-4336-8579-e3af4507c099", "created": "1970-01-01T00:00:00.000Z", "modified": "1970-01-01T00:00:00.000Z", "relationship_type": "writes", "source_ref": "indicator--0fa4cd2e-4304-4657-99ad-962f7eb548f0", "target_ref": "x-misp-object--5564a28d-f2a5-41da-9339-6b72f64c6832" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8563ab2e-388b-4039-a41f-2c7b804ff697", "created": "1970-01-01T00:00:00.000Z", "modified": "1970-01-01T00:00:00.000Z", "relationship_type": "writes", "source_ref": "indicator--683e6644-bb2e-4ae9-b1e4-139453b8402e", "target_ref": "x-misp-object--f10e10ba-0d66-4505-a4d5-1689c9f5e25b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2d9795e1-802a-40c9-8b64-997ad973b375", "created": "1970-01-01T00:00:00.000Z", "modified": "1970-01-01T00:00:00.000Z", "relationship_type": "writes", "source_ref": "indicator--84bd6b39-8189-4eee-8fef-6d9ee06306a1", "target_ref": "x-misp-object--b2a8b157-a04f-484f-8d88-549ede5b0068" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--410675f0-b7c9-4b73-80cd-526e64d42979", "created": "1970-01-01T00:00:00.000Z", "modified": "1970-01-01T00:00:00.000Z", "relationship_type": "writes", "source_ref": "indicator--68ac0130-82b6-4709-ae98-cee6fe7fb4ed", "target_ref": "x-misp-object--5564a28d-f2a5-41da-9339-6b72f64c6832" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--871f8591-e619-47c4-9a86-d62e1fe5c731", "created": "1970-01-01T00:00:00.000Z", "modified": "1970-01-01T00:00:00.000Z", "relationship_type": "writes", "source_ref": "indicator--d4f9f303-b8b7-421a-b1bc-b2ad6f0396c6", "target_ref": "x-misp-object--fe1474ac-d0a1-4792-8936-e25686ad6662" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--785b9204-7d53-4276-a7fc-1a45067231df", "created": "1970-01-01T00:00:00.000Z", "modified": "1970-01-01T00:00:00.000Z", "relationship_type": "references", "source_ref": "x-misp-object--6743c14d-5278-41a1-a8d2-678f94f59d6d", "target_ref": "observed-data--07103d07-aa9a-4694-a89c-5cd4fc94221e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d9488286-2d44-4c90-8158-b3dafa1aae88", "created": "1970-01-01T00:00:00.000Z", "modified": "1970-01-01T00:00:00.000Z", "relationship_type": "references", "source_ref": "x-misp-object--6743c14d-5278-41a1-a8d2-678f94f59d6d", "target_ref": "observed-data--fd42b022-1d71-4dda-ab1f-3f9e4a49e663" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ac1a99f1-908a-403f-a95d-21d931338608", "created": "1970-01-01T00:00:00.000Z", "modified": "1970-01-01T00:00:00.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--cd4a56fb-10a5-46f9-868e-2d2d9cee93c5", "target_ref": "x-misp-object--5d93ad07-c377-43cc-b9e4-1b0ab3d0da83" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e4958db3-eb6a-49ca-8ba1-e81b612efe30", "created": "1970-01-01T00:00:00.000Z", "modified": "1970-01-01T00:00:00.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--bb8fc68e-77a6-4115-abf5-3fc14c1039dd", "target_ref": "x-misp-object--a9cacc5a-a03f-463a-95a1-854718064bb3" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b59b54aa-1e63-4c73-a90a-cddda95125cb", "created": "1970-01-01T00:00:00.000Z", "modified": "1970-01-01T00:00:00.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--b4f748c5-41f0-4a59-bf7a-069086896c94", "target_ref": "x-misp-object--5b93ec98-7b27-4038-b9ca-6c8ae8ae44da" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b1b4bb68-3d5d-447d-bd49-ec37a82bfe5c", "created": "1970-01-01T00:00:00.000Z", "modified": "1970-01-01T00:00:00.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--577cde70-7de9-4776-975b-9c0100ceae5e", "target_ref": "x-misp-object--977fbf1c-4163-45ce-a014-4f58536d3703" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--11dd2d0d-cc9e-481b-8446-cc34c244a165", "created": "1970-01-01T00:00:00.000Z", "modified": "1970-01-01T00:00:00.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--9a711583-6ce7-4265-aba8-7350383961b6", "target_ref": "x-misp-object--3f558b7a-d342-4090-92a2-82e2210b68e7" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }