{ "type": "bundle", "id": "bundle--596724b6-83dc-417f-962a-4cc8950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-13T08:17:31.000Z", "modified": "2017-07-13T08:17:31.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--596724b6-83dc-417f-962a-4cc8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-13T08:17:31.000Z", "modified": "2017-07-13T08:17:31.000Z", "name": "OSINT - LockPoS Joins the Flock", "published": "2017-07-13T08:17:56Z", "object_refs": [ "observed-data--5967252b-5fe0-4a7d-8d4d-44ff950d210f", "url--5967252b-5fe0-4a7d-8d4d-44ff950d210f", "x-misp-attribute--5967254e-9ac8-45bc-8b14-417b950d210f", "x-misp-attribute--59672c22-9c8c-4123-a747-4ad1950d210f", "indicator--59672c3f-6678-412c-a543-436b950d210f", "indicator--59672c67-e798-4996-9533-45a1950d210f", "indicator--59672c87-d8d0-4cf5-92ac-427002de0b81", "indicator--59672c87-8068-45a5-8285-472102de0b81", "observed-data--59672c88-e380-4b6f-9a68-4ec202de0b81", "url--59672c88-e380-4b6f-9a68-4ec202de0b81", "indicator--59672c88-67fc-4e04-9113-4f1302de0b81", "indicator--59672c88-c918-456d-b4d4-4ab202de0b81", "observed-data--59672c88-d000-4c09-b3e8-464002de0b81", "url--59672c88-d000-4c09-b3e8-464002de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5967252b-5fe0-4a7d-8d4d-44ff950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-13T08:17:31.000Z", "modified": "2017-07-13T08:17:31.000Z", "first_observed": "2017-07-13T08:17:31Z", "last_observed": "2017-07-13T08:17:31Z", "number_observed": 1, "object_refs": [ "url--5967252b-5fe0-4a7d-8d4d-44ff950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5967252b-5fe0-4a7d-8d4d-44ff950d210f", "value": "https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5967254e-9ac8-45bc-8b14-417b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-13T08:17:31.000Z", "modified": "2017-07-13T08:17:31.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "While revisiting a Flokibot campaign that was targeting point of sale (PoS) systems in Brazil earlier this year, we discovered something interesting. One of the command and control (C2) servers that had been dormant for quite some time had suddenly woken up and started distributing what looks to be a new PoS malware family we\u00e2\u20ac\u2122re calling LockPoS. This post opens the lock up and takes a look inside." }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59672c22-9c8c-4123-a747-4ad1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-13T08:17:11.000Z", "modified": "2017-07-13T08:17:11.000Z", "labels": [ "misp:type=\"pdb\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ], "x_misp_category": "Artifacts dropped", "x_misp_type": "pdb", "x_misp_value": "%USERPROFILE%\\Desktop\\key\\dropper\\Release\\dropper.pdb" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59672c3f-6678-412c-a543-436b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-13T08:17:11.000Z", "modified": "2017-07-13T08:17:11.000Z", "pattern": "[file:hashes.SHA256 = 'a970842fc7c221fade06c54551c000c0bc494e9e188deb9c570be7c6f95284fa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-13T08:17:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59672c67-e798-4996-9533-45a1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-13T08:17:11.000Z", "modified": "2017-07-13T08:17:11.000Z", "pattern": "[file:hashes.SHA256 = '93c11f9b87b2b04f8dadb6a579e2046a69073a244fd4a71a10b1f1fbff36c488']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-13T08:17:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59672c87-d8d0-4cf5-92ac-427002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-13T08:17:11.000Z", "modified": "2017-07-13T08:17:11.000Z", "description": "- Xchecked via VT: a970842fc7c221fade06c54551c000c0bc494e9e188deb9c570be7c6f95284fa", "pattern": "[file:hashes.SHA1 = 'f9484baf6f7194248a388d41dfd06543b3dc5d26']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-13T08:17:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59672c87-8068-45a5-8285-472102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-13T08:17:11.000Z", "modified": "2017-07-13T08:17:11.000Z", "description": "- Xchecked via VT: a970842fc7c221fade06c54551c000c0bc494e9e188deb9c570be7c6f95284fa", "pattern": "[file:hashes.MD5 = '624f84a9d8979789c630327a6b08c7c6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-13T08:17:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59672c88-e380-4b6f-9a68-4ec202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-13T08:17:12.000Z", "modified": "2017-07-13T08:17:12.000Z", "first_observed": "2017-07-13T08:17:12Z", "last_observed": "2017-07-13T08:17:12Z", "number_observed": 1, "object_refs": [ "url--59672c88-e380-4b6f-9a68-4ec202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59672c88-e380-4b6f-9a68-4ec202de0b81", "value": "https://www.virustotal.com/file/a970842fc7c221fade06c54551c000c0bc494e9e188deb9c570be7c6f95284fa/analysis/1499924910/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59672c88-67fc-4e04-9113-4f1302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-13T08:17:12.000Z", "modified": "2017-07-13T08:17:12.000Z", "description": "- Xchecked via VT: 93c11f9b87b2b04f8dadb6a579e2046a69073a244fd4a71a10b1f1fbff36c488", "pattern": "[file:hashes.SHA1 = '419311da2ef6b2a9ca27dba3241a0d62a4e25848']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-13T08:17:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59672c88-c918-456d-b4d4-4ab202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-13T08:17:12.000Z", "modified": "2017-07-13T08:17:12.000Z", "description": "- Xchecked via VT: 93c11f9b87b2b04f8dadb6a579e2046a69073a244fd4a71a10b1f1fbff36c488", "pattern": "[file:hashes.MD5 = '3d0f6367f1fedfc08734b35200c7abf9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-13T08:17:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59672c88-d000-4c09-b3e8-464002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-13T08:17:12.000Z", "modified": "2017-07-13T08:17:12.000Z", "first_observed": "2017-07-13T08:17:12Z", "last_observed": "2017-07-13T08:17:12Z", "number_observed": 1, "object_refs": [ "url--59672c88-d000-4c09-b3e8-464002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59672c88-d000-4c09-b3e8-464002de0b81", "value": "https://www.virustotal.com/file/93c11f9b87b2b04f8dadb6a579e2046a69073a244fd4a71a10b1f1fbff36c488/analysis/1499919639/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }