{ "type": "bundle", "id": "bundle--585b9a80-9910-4d24-a695-4ac4950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:28:54.000Z", "modified": "2016-12-22T09:28:54.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--585b9a80-9910-4d24-a695-4ac4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:28:54.000Z", "modified": "2016-12-22T09:28:54.000Z", "name": "OSINT - New Linux/Rakos threat: devices and servers under SSH scan (again)", "published": "2016-12-22T09:29:15Z", "object_refs": [ "observed-data--585b9ab7-3758-4e28-8a36-420d950d210f", "url--585b9ab7-3758-4e28-8a36-420d950d210f", "x-misp-attribute--585b9acb-d250-4b85-9788-454d950d210f", "indicator--585b9b48-e214-418d-a783-4282950d210f", "indicator--585b9b49-9dbc-48f4-805c-4440950d210f", "indicator--585b9b49-1e04-4b8b-bf8d-4094950d210f", "indicator--585b9b4a-ac98-421e-9bad-4177950d210f", "indicator--585b9b4a-1170-424a-a910-47e2950d210f", "indicator--585b9b4b-e118-4029-acad-457c950d210f", "indicator--585b9b4b-f3e4-4409-9055-4e76950d210f", "indicator--585b9b4c-50fc-4127-8fe1-4124950d210f", "indicator--585b9b4d-8288-425a-b8ee-4ca7950d210f", "indicator--585b9b4d-db34-4230-90a2-4661950d210f", "indicator--585b9b5f-495c-448d-bf2f-453a950d210f", "indicator--585b9b5f-a210-4acc-afcb-4dc9950d210f", "indicator--585b9b60-ad74-4c0d-9e30-4464950d210f", "indicator--585b9b60-8f78-45ab-a703-42a7950d210f", "indicator--585b9b61-2478-4795-8f7f-4fd7950d210f", "indicator--585b9b62-9ef4-47e7-b2d5-42cc950d210f", "indicator--585b9b62-8c0c-435b-bbf7-4be8950d210f", "indicator--585b9b63-a688-4ec8-af50-4fe8950d210f", "indicator--585b9b63-0f50-43f1-b3e2-4e46950d210f", "indicator--585b9b64-2a68-480f-b9e2-4241950d210f", "indicator--585b9b64-a638-4fe0-b8ea-4b4d950d210f", "observed-data--585b9bb7-0e94-45e9-bc34-41d4950d210f", "url--585b9bb7-0e94-45e9-bc34-41d4950d210f", "indicator--585b9c37-6438-41d6-949a-47cd02de0b81", "indicator--585b9c38-6028-4ccd-b272-463302de0b81", "observed-data--585b9c38-f430-495f-9bdf-4cb802de0b81", "url--585b9c38-f430-495f-9bdf-4cb802de0b81", "indicator--585b9c39-5eac-4ab3-8d4d-46aa02de0b81", "indicator--585b9c3a-7244-475b-ab43-4a9302de0b81", "observed-data--585b9c3b-0fbc-42f5-93d8-43c902de0b81", "url--585b9c3b-0fbc-42f5-93d8-43c902de0b81", "indicator--585b9c3c-1334-426d-86a9-4aca02de0b81", "indicator--585b9c3c-33b4-45ad-baee-4b5f02de0b81", "observed-data--585b9c3d-a0d0-4704-9c9b-46d902de0b81", "url--585b9c3d-a0d0-4704-9c9b-46d902de0b81", "indicator--585b9c3e-5974-4d0d-89eb-4bb802de0b81", "indicator--585b9c3e-c5c0-404a-9afb-41c602de0b81", "observed-data--585b9c3f-5838-4479-af90-4fdf02de0b81", "url--585b9c3f-5838-4479-af90-4fdf02de0b81", "indicator--585b9c40-a4c4-45ee-a6ee-4d2d02de0b81", "indicator--585b9c41-9ce4-4657-8bf7-4add02de0b81", "observed-data--585b9c41-1c94-44e6-93f6-440b02de0b81", "url--585b9c41-1c94-44e6-93f6-440b02de0b81", "indicator--585b9c42-30e0-4919-b4cc-4bd902de0b81", "indicator--585b9c43-b8f0-4bd5-9366-4f9502de0b81", "observed-data--585b9c44-fad4-4ea6-a16a-4b6c02de0b81", "url--585b9c44-fad4-4ea6-a16a-4b6c02de0b81", "indicator--585b9c44-f7d0-4d5d-bb8b-417f02de0b81", "indicator--585b9c45-e288-4c14-9377-4e3b02de0b81", "observed-data--585b9c46-725c-4e0a-8f2a-41d802de0b81", "url--585b9c46-725c-4e0a-8f2a-41d802de0b81", "indicator--585b9c46-39d0-42e2-a244-41f802de0b81", "indicator--585b9c47-89cc-4c82-8a7e-440802de0b81", "observed-data--585b9c47-9508-4c02-b9dd-494402de0b81", "url--585b9c47-9508-4c02-b9dd-494402de0b81", "indicator--585b9c48-d588-436a-b429-45e802de0b81", "indicator--585b9c49-9cf0-478b-96a0-4bbb02de0b81", "observed-data--585b9c49-f154-4061-9dd2-418a02de0b81", "url--585b9c49-f154-4061-9dd2-418a02de0b81", "indicator--585b9c4a-c2c4-4696-9479-47cf02de0b81", "indicator--585b9c4a-ba88-4e51-9f22-4bab02de0b81", "observed-data--585b9c4b-5124-4940-b839-484202de0b81", "url--585b9c4b-5124-4940-b839-484202de0b81", "indicator--585b9cd6-d508-4a59-bc68-4d69950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "ms-caro-malware:malware-platform=\"Linux\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--585b9ab7-3758-4e28-8a36-420d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:19:51.000Z", "modified": "2016-12-22T09:19:51.000Z", "first_observed": "2016-12-22T09:19:51Z", "last_observed": "2016-12-22T09:19:51Z", "number_observed": 1, "object_refs": [ "url--585b9ab7-3758-4e28-8a36-420d950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--585b9ab7-3758-4e28-8a36-420d950d210f", "value": "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--585b9acb-d250-4b85-9788-454d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:20:11.000Z", "modified": "2016-12-22T09:20:11.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Apparently, frustrated users complain more often recently on various forums about their embedded devices being overloaded with computing and network tasks. What these particular posts have in common is the name of the process causing the problem. It is executed from a temporary directory and disguised as a part of the Java framework, namely \u00e2\u20ac\u0153.javaxxx\u00e2\u20ac\u009d. Additional names like \u00e2\u20ac\u0153.swap\u00e2\u20ac\u009d or \u00e2\u20ac\u0153kworker\u00e2\u20ac\u009d are also used. A few weeks ago, we discussed the recent Mirai incidents and Mirai-connected IoT security problems in The Hive Mind: When IoT devices go rogue and all that was written then still holds true.\r\nAttack vector\r\n\r\nThe attack is performed via brute force attempts at SSH logins, in a similar way to that in which many Linux worms operate, including Linux/Moose (which spread by attacking Telnet logins) \u00e2\u20ac\u201c also referenced here \u00e2\u20ac\u201c as analyzed by ESET since last year. The targets include both embedded devices and servers with an open SSH port and where a very weak password has been set. The obvious aim of this trojan is to assemble a list of unsecured devices and to have an opportunity to create a botnet consisting of as many zombies as possible. The scan starts with not too extensive list of IPs and spreads incrementally to more targets. Only machines that represent low-hanging fruit from the security perspective are compromised. Note that victims reported cases when they had had a strong password but they forgot their device that had online service enabled and it was reverted to a default password after a factory reset. Just a couple of hours of online exposure was enough for such a reset machine to end up compromised!" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9b48-e214-418d-a783-4282950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:22:16.000Z", "modified": "2016-12-22T09:22:16.000Z", "description": "EM_X86_64 - 688", "pattern": "[file:hashes.SHA1 = 'f80836349d6e97251030190ecd30dda0047f1ee6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:22:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9b49-9dbc-48f4-805c-4440950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:22:17.000Z", "modified": "2016-12-22T09:22:17.000Z", "description": "EM_X86_64 - 694", "pattern": "[file:hashes.SHA1 = 'def04ec688ac6b41580dd3a6e78445b56536ba34']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:22:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9b49-1e04-4b8b-bf8d-4094950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:22:17.000Z", "modified": "2016-12-22T09:22:17.000Z", "description": "EM_X86_64 - 695", "pattern": "[file:hashes.SHA1 = '3435ca5505ce8dfe8e1b22e0ebd4f41c60050cc0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:22:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9b4a-ac98-421e-9bad-4177950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:22:18.000Z", "modified": "2016-12-22T09:22:18.000Z", "description": "EM_X86_64\t- 697", "pattern": "[file:hashes.SHA1 = 'e53c73fe6a552eab720e7ee685ea4e159ebd4fdd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:22:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9b4a-1170-424a-a910-47e2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:22:18.000Z", "modified": "2016-12-22T09:22:18.000Z", "description": "EM_X86_64 - 698", "pattern": "[file:hashes.SHA1 = 'c93bddd9cdb4f2e185b54a4931257954e25e7c37']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:22:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9b4b-e118-4029-acad-457c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:22:19.000Z", "modified": "2016-12-22T09:22:19.000Z", "description": "EM_MIPS - ???", "pattern": "[file:hashes.SHA1 = '14af6254d9ca310b4d52778d050cb8dd7a5de1d8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:22:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9b4b-f3e4-4409-9055-4e76950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:22:19.000Z", "modified": "2016-12-22T09:22:19.000Z", "description": "EM_386 - 700", "pattern": "[file:hashes.SHA1 = 'c54d50025d9f66ce2ace3361a8626aee468d94ba']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:22:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9b4c-50fc-4127-8fe1-4124950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:22:20.000Z", "modified": "2016-12-22T09:22:20.000Z", "description": "EM_386 - 706", "pattern": "[file:hashes.SHA1 = '36b2fffe98f517355425797fc242f2cb82271c0c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:22:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9b4d-8288-425a-b8ee-4ca7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:22:21.000Z", "modified": "2016-12-22T09:22:21.000Z", "description": "EM_386\t - 708", "pattern": "[file:hashes.SHA1 = 'e46e8e5e823eb0466981afb7683fd918d6fe78a9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:22:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9b4d-db34-4230-90a2-4661950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:22:21.000Z", "modified": "2016-12-22T09:22:21.000Z", "description": "EM_386\t - 711", "pattern": "[file:hashes.SHA1 = '0492e5c07c1426af9ce73ad33e00a3fd8477c6c2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:22:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9b5f-495c-448d-bf2f-453a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:22:39.000Z", "modified": "2016-12-22T09:22:39.000Z", "description": "C&C Servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '217.12.208.28']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:22:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9b5f-a210-4acc-afcb-4dc9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:22:39.000Z", "modified": "2016-12-22T09:22:39.000Z", "description": "C&C Servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '217.12.203.31']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:22:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9b60-ad74-4c0d-9e30-4464950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:22:40.000Z", "modified": "2016-12-22T09:22:40.000Z", "description": "C&C Servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '193.169.245.68']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:22:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9b60-8f78-45ab-a703-42a7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:22:40.000Z", "modified": "2016-12-22T09:22:40.000Z", "description": "C&C Servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '46.8.44.55']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:22:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9b61-2478-4795-8f7f-4fd7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:22:41.000Z", "modified": "2016-12-22T09:22:41.000Z", "description": "C&C Servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.123.210.100']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:22:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9b62-9ef4-47e7-b2d5-42cc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:22:41.000Z", "modified": "2016-12-22T09:22:41.000Z", "description": "C&C Servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.34.183.231']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:22:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9b62-8c0c-435b-bbf7-4be8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:22:42.000Z", "modified": "2016-12-22T09:22:42.000Z", "description": "C&C Servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.34.180.64']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:22:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9b63-a688-4ec8-af50-4fe8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:22:43.000Z", "modified": "2016-12-22T09:22:43.000Z", "description": "C&C Servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.82.216.125']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:22:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9b63-0f50-43f1-b3e2-4e46950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:22:43.000Z", "modified": "2016-12-22T09:22:43.000Z", "description": "C&C Servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.14.30.78']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:22:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9b64-2a68-480f-b9e2-4241950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:22:44.000Z", "modified": "2016-12-22T09:22:44.000Z", "description": "C&C Servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.14.29.65']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:22:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9b64-a638-4fe0-b8ea-4b4d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:22:44.000Z", "modified": "2016-12-22T09:22:44.000Z", "description": "C&C Servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.20.184.117']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:22:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--585b9bb7-0e94-45e9-bc34-41d4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:24:07.000Z", "modified": "2016-12-22T09:24:07.000Z", "first_observed": "2016-12-22T09:24:07Z", "last_observed": "2016-12-22T09:24:07Z", "number_observed": 1, "object_refs": [ "url--585b9bb7-0e94-45e9-bc34-41d4950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--585b9bb7-0e94-45e9-bc34-41d4950d210f", "value": "https://github.com/eset/malware-ioc/tree/master/rakos" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9c37-6438-41d6-949a-47cd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:15.000Z", "modified": "2016-12-22T09:26:15.000Z", "description": "EM_386\t - 711 - Xchecked via VT: 0492e5c07c1426af9ce73ad33e00a3fd8477c6c2", "pattern": "[file:hashes.SHA256 = '62f875a31c5f8541a68176d03c3b9d6d0ee6fa90cf54307d7d07aed5fc573797']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:26:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9c38-6028-4ccd-b272-463302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:16.000Z", "modified": "2016-12-22T09:26:16.000Z", "description": "EM_386\t - 711 - Xchecked via VT: 0492e5c07c1426af9ce73ad33e00a3fd8477c6c2", "pattern": "[file:hashes.MD5 = '7b88cf30540ab8df0ded406097c51b46']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:26:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--585b9c38-f430-495f-9bdf-4cb802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:16.000Z", "modified": "2016-12-22T09:26:16.000Z", "first_observed": "2016-12-22T09:26:16Z", "last_observed": "2016-12-22T09:26:16Z", "number_observed": 1, "object_refs": [ "url--585b9c38-f430-495f-9bdf-4cb802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--585b9c38-f430-495f-9bdf-4cb802de0b81", "value": "https://www.virustotal.com/file/62f875a31c5f8541a68176d03c3b9d6d0ee6fa90cf54307d7d07aed5fc573797/analysis/1481878860/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9c39-5eac-4ab3-8d4d-46aa02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:17.000Z", "modified": "2016-12-22T09:26:17.000Z", "description": "EM_386\t - 708 - Xchecked via VT: e46e8e5e823eb0466981afb7683fd918d6fe78a9", "pattern": "[file:hashes.SHA256 = '90cd3e16d6d0069e758bb7c1ec929354be24f52857bd77fdd246e20e4aaca75d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:26:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9c3a-7244-475b-ab43-4a9302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:18.000Z", "modified": "2016-12-22T09:26:18.000Z", "description": "EM_386\t - 708 - Xchecked via VT: e46e8e5e823eb0466981afb7683fd918d6fe78a9", "pattern": "[file:hashes.MD5 = 'ca21c63269febcfe73fec9e1041ed903']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:26:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--585b9c3b-0fbc-42f5-93d8-43c902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:19.000Z", "modified": "2016-12-22T09:26:19.000Z", "first_observed": "2016-12-22T09:26:19Z", "last_observed": "2016-12-22T09:26:19Z", "number_observed": 1, "object_refs": [ "url--585b9c3b-0fbc-42f5-93d8-43c902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--585b9c3b-0fbc-42f5-93d8-43c902de0b81", "value": "https://www.virustotal.com/file/90cd3e16d6d0069e758bb7c1ec929354be24f52857bd77fdd246e20e4aaca75d/analysis/1481878661/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9c3c-1334-426d-86a9-4aca02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:20.000Z", "modified": "2016-12-22T09:26:20.000Z", "description": "EM_386 - 706 - Xchecked via VT: 36b2fffe98f517355425797fc242f2cb82271c0c", "pattern": "[file:hashes.SHA256 = '2a77e8d43b347c4ccf80271493eedf7b7b7f45d1e30e818e321657cf9a14f1d9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:26:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9c3c-33b4-45ad-baee-4b5f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:20.000Z", "modified": "2016-12-22T09:26:20.000Z", "description": "EM_386 - 706 - Xchecked via VT: 36b2fffe98f517355425797fc242f2cb82271c0c", "pattern": "[file:hashes.MD5 = '96c5ec03c20491389a240ead5cbd72fe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:26:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--585b9c3d-a0d0-4704-9c9b-46d902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:21.000Z", "modified": "2016-12-22T09:26:21.000Z", "first_observed": "2016-12-22T09:26:21Z", "last_observed": "2016-12-22T09:26:21Z", "number_observed": 1, "object_refs": [ "url--585b9c3d-a0d0-4704-9c9b-46d902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--585b9c3d-a0d0-4704-9c9b-46d902de0b81", "value": "https://www.virustotal.com/file/2a77e8d43b347c4ccf80271493eedf7b7b7f45d1e30e818e321657cf9a14f1d9/analysis/1482355624/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9c3e-5974-4d0d-89eb-4bb802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:22.000Z", "modified": "2016-12-22T09:26:22.000Z", "description": "EM_386 - 700 - Xchecked via VT: c54d50025d9f66ce2ace3361a8626aee468d94ba", "pattern": "[file:hashes.SHA256 = 'efedce38a1908a27115e05b3e62fab52f68fae2db5ae1c50c455f007f964c6d2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:26:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9c3e-c5c0-404a-9afb-41c602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:22.000Z", "modified": "2016-12-22T09:26:22.000Z", "description": "EM_386 - 700 - Xchecked via VT: c54d50025d9f66ce2ace3361a8626aee468d94ba", "pattern": "[file:hashes.MD5 = 'ce12f465f353bb1b64f790a5e4cd45af']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:26:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--585b9c3f-5838-4479-af90-4fdf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:23.000Z", "modified": "2016-12-22T09:26:23.000Z", "first_observed": "2016-12-22T09:26:23Z", "last_observed": "2016-12-22T09:26:23Z", "number_observed": 1, "object_refs": [ "url--585b9c3f-5838-4479-af90-4fdf02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--585b9c3f-5838-4479-af90-4fdf02de0b81", "value": "https://www.virustotal.com/file/efedce38a1908a27115e05b3e62fab52f68fae2db5ae1c50c455f007f964c6d2/analysis/1482355624/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9c40-a4c4-45ee-a6ee-4d2d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:24.000Z", "modified": "2016-12-22T09:26:24.000Z", "description": "EM_MIPS - ??? - Xchecked via VT: 14af6254d9ca310b4d52778d050cb8dd7a5de1d8", "pattern": "[file:hashes.SHA256 = 'a7ce7dc40bb8abf835efae5ebacc82cb8af2cc57b5021f0d28dc14924022c85d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:26:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9c41-9ce4-4657-8bf7-4add02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:25.000Z", "modified": "2016-12-22T09:26:25.000Z", "description": "EM_MIPS - ??? - Xchecked via VT: 14af6254d9ca310b4d52778d050cb8dd7a5de1d8", "pattern": "[file:hashes.MD5 = '9a0ea27a15899e47bfe6fcc7c9df36c6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:26:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--585b9c41-1c94-44e6-93f6-440b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:25.000Z", "modified": "2016-12-22T09:26:25.000Z", "first_observed": "2016-12-22T09:26:25Z", "last_observed": "2016-12-22T09:26:25Z", "number_observed": 1, "object_refs": [ "url--585b9c41-1c94-44e6-93f6-440b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--585b9c41-1c94-44e6-93f6-440b02de0b81", "value": "https://www.virustotal.com/file/a7ce7dc40bb8abf835efae5ebacc82cb8af2cc57b5021f0d28dc14924022c85d/analysis/1482355624/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9c42-30e0-4919-b4cc-4bd902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:26.000Z", "modified": "2016-12-22T09:26:26.000Z", "description": "EM_X86_64 - 698 - Xchecked via VT: c93bddd9cdb4f2e185b54a4931257954e25e7c37", "pattern": "[file:hashes.SHA256 = 'd59ffe12b75f596a4a30074690f96497800a6ed97be8248c573e4048adac7e05']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:26:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9c43-b8f0-4bd5-9366-4f9502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:27.000Z", "modified": "2016-12-22T09:26:27.000Z", "description": "EM_X86_64 - 698 - Xchecked via VT: c93bddd9cdb4f2e185b54a4931257954e25e7c37", "pattern": "[file:hashes.MD5 = 'eedab74ca1303647ade4fb0b0b588a36']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:26:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--585b9c44-fad4-4ea6-a16a-4b6c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:28.000Z", "modified": "2016-12-22T09:26:28.000Z", "first_observed": "2016-12-22T09:26:28Z", "last_observed": "2016-12-22T09:26:28Z", "number_observed": 1, "object_refs": [ "url--585b9c44-fad4-4ea6-a16a-4b6c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--585b9c44-fad4-4ea6-a16a-4b6c02de0b81", "value": "https://www.virustotal.com/file/d59ffe12b75f596a4a30074690f96497800a6ed97be8248c573e4048adac7e05/analysis/1482355623/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9c44-f7d0-4d5d-bb8b-417f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:28.000Z", "modified": "2016-12-22T09:26:28.000Z", "description": "EM_X86_64\t- 697 - Xchecked via VT: e53c73fe6a552eab720e7ee685ea4e159ebd4fdd", "pattern": "[file:hashes.SHA256 = '3fe9e1e0a2e626ef10cc443ec1725a8c17cbfa323864e0eb9359399177998470']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:26:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9c45-e288-4c14-9377-4e3b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:29.000Z", "modified": "2016-12-22T09:26:29.000Z", "description": "EM_X86_64\t- 697 - Xchecked via VT: e53c73fe6a552eab720e7ee685ea4e159ebd4fdd", "pattern": "[file:hashes.MD5 = '19705141888917dddda4cac32ec8b6fc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:26:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--585b9c46-725c-4e0a-8f2a-41d802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:30.000Z", "modified": "2016-12-22T09:26:30.000Z", "first_observed": "2016-12-22T09:26:30Z", "last_observed": "2016-12-22T09:26:30Z", "number_observed": 1, "object_refs": [ "url--585b9c46-725c-4e0a-8f2a-41d802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--585b9c46-725c-4e0a-8f2a-41d802de0b81", "value": "https://www.virustotal.com/file/3fe9e1e0a2e626ef10cc443ec1725a8c17cbfa323864e0eb9359399177998470/analysis/1482355623/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9c46-39d0-42e2-a244-41f802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:30.000Z", "modified": "2016-12-22T09:26:30.000Z", "description": "EM_X86_64 - 695 - Xchecked via VT: 3435ca5505ce8dfe8e1b22e0ebd4f41c60050cc0", "pattern": "[file:hashes.SHA256 = 'd731ccb407a924ca56fa9b3690e0b7debd1cce61c6de8ec63ede3a992c8af33e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:26:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9c47-89cc-4c82-8a7e-440802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:31.000Z", "modified": "2016-12-22T09:26:31.000Z", "description": "EM_X86_64 - 695 - Xchecked via VT: 3435ca5505ce8dfe8e1b22e0ebd4f41c60050cc0", "pattern": "[file:hashes.MD5 = '1c672ba32e481faeccade0ad43ea5a08']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:26:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--585b9c47-9508-4c02-b9dd-494402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:31.000Z", "modified": "2016-12-22T09:26:31.000Z", "first_observed": "2016-12-22T09:26:31Z", "last_observed": "2016-12-22T09:26:31Z", "number_observed": 1, "object_refs": [ "url--585b9c47-9508-4c02-b9dd-494402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--585b9c47-9508-4c02-b9dd-494402de0b81", "value": "https://www.virustotal.com/file/d731ccb407a924ca56fa9b3690e0b7debd1cce61c6de8ec63ede3a992c8af33e/analysis/1482355623/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9c48-d588-436a-b429-45e802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:32.000Z", "modified": "2016-12-22T09:26:32.000Z", "description": "EM_X86_64 - 694 - Xchecked via VT: def04ec688ac6b41580dd3a6e78445b56536ba34", "pattern": "[file:hashes.SHA256 = '83160da5a4cb335ea2a9a72bc96c833cd7eab9df96a61c1d6f01e13668046b25']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:26:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9c49-9cf0-478b-96a0-4bbb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:33.000Z", "modified": "2016-12-22T09:26:33.000Z", "description": "EM_X86_64 - 694 - Xchecked via VT: def04ec688ac6b41580dd3a6e78445b56536ba34", "pattern": "[file:hashes.MD5 = '4416e7bfbfa7318f10c8c08cff3fce5d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:26:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--585b9c49-f154-4061-9dd2-418a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:33.000Z", "modified": "2016-12-22T09:26:33.000Z", "first_observed": "2016-12-22T09:26:33Z", "last_observed": "2016-12-22T09:26:33Z", "number_observed": 1, "object_refs": [ "url--585b9c49-f154-4061-9dd2-418a02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--585b9c49-f154-4061-9dd2-418a02de0b81", "value": "https://www.virustotal.com/file/83160da5a4cb335ea2a9a72bc96c833cd7eab9df96a61c1d6f01e13668046b25/analysis/1482355623/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9c4a-c2c4-4696-9479-47cf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:34.000Z", "modified": "2016-12-22T09:26:34.000Z", "description": "EM_X86_64 - 688 - Xchecked via VT: f80836349d6e97251030190ecd30dda0047f1ee6", "pattern": "[file:hashes.SHA256 = 'ce4bb2ce2bf66ab721b808acf9d74a7a8afddd03cbaa6aa56c7788ff7b7251bb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:26:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9c4a-ba88-4e51-9f22-4bab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:34.000Z", "modified": "2016-12-22T09:26:34.000Z", "description": "EM_X86_64 - 688 - Xchecked via VT: f80836349d6e97251030190ecd30dda0047f1ee6", "pattern": "[file:hashes.MD5 = '841eac692e4c5fb09f18c229c59a3fcb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-22T09:26:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--585b9c4b-5124-4940-b839-484202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:26:35.000Z", "modified": "2016-12-22T09:26:35.000Z", "first_observed": "2016-12-22T09:26:35Z", "last_observed": "2016-12-22T09:26:35Z", "number_observed": 1, "object_refs": [ "url--585b9c4b-5124-4940-b839-484202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--585b9c4b-5124-4940-b839-484202de0b81", "value": "https://www.virustotal.com/file/ce4bb2ce2bf66ab721b808acf9d74a7a8afddd03cbaa6aa56c7788ff7b7251bb/analysis/1482247676/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--585b9cd6-d508-4a59-bc68-4d69950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-22T09:28:54.000Z", "modified": "2016-12-22T09:28:54.000Z", "pattern": "[rule linux_rakos\r\n{\r\n meta:\r\n description = \"Linux/Rakos.A executable\"\r\n author = \"Peter K\u00c3\u00a1lnai\"\r\n date = \"2016-12-13\"\r\n reference = \"http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/\"\r\n version = \"1\"\r\n contact = \"threatintel@eset.com\"\r\n license = \"BSD 2-Clause\"\r\n\r\n\r\n strings:\r\n $ = \"upgrade/vars.yaml\"\r\n $ = \"MUTTER\"\r\n $ = \"/tmp/.javaxxx\"\r\n $ = \"uckmydi\"\r\n\r\n condition:\r\n 3 of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2016-12-22T09:28:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }