{ "type": "bundle", "id": "bundle--5a54ca42-e9a0-4d71-a9e6-4f9b950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-16T03:00:30.000Z", "modified": "2018-01-16T03:00:30.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5a54ca42-e9a0-4d71-a9e6-4f9b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-16T03:00:30.000Z", "modified": "2018-01-16T03:00:30.000Z", "name": "OSINT - Experts analyzed an Advanced \"all in memory\" CryptoWorm", "published": "2018-02-16T08:50:36Z", "object_refs": [ "observed-data--5a54ca53-f374-44ba-9475-455f950d210f", "url--5a54ca53-f374-44ba-9475-455f950d210f", "x-misp-attribute--5a5c5cdc-dd14-4415-8ce3-4ae3950d210f", "indicator--5a5c5d76-21e8-42fd-8b34-4d39950d210f", "indicator--5a5c5d76-59e8-46ee-88b7-4240950d210f", "x-misp-attribute--5a5c5dfd-aaac-4c47-9eff-417d950d210f", "indicator--5a5c5e0f-4364-483b-98c3-4fad950d210f", "indicator--5a5c5e0f-0dac-46db-b486-4cbb950d210f", "indicator--5a5c5e62-827c-4ed3-94d6-4de0950d210f", "indicator--ef15fe55-96db-4f8e-a563-90107aa04fd8", "x-misp-object--f12256d2-41cd-4eb1-bbd1-fb0128573238", "indicator--d932fbce-6248-4955-bf1c-ddbd669a67b3", "x-misp-object--c46c80e3-a03a-497f-87ee-816333479203", "relationship--d46df717-94b0-46e9-8076-77bf6a03ce6d", "relationship--19813f25-4de5-4f78-9e81-18b7ddc66256" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a54ca53-f374-44ba-9475-455f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:34:09.000Z", "modified": "2018-01-15T09:34:09.000Z", "first_observed": "2018-01-15T09:34:09Z", "last_observed": "2018-01-15T09:34:09Z", "number_observed": 1, "object_refs": [ "url--5a54ca53-f374-44ba-9475-455f950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a54ca53-f374-44ba-9475-455f950d210f", "value": "http://securityaffairs.co/wordpress/63488/malware/advanced-memory-cryptoworm.html" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5a5c5cdc-dd14-4415-8ce3-4ae3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:34:10.000Z", "modified": "2018-01-15T09:34:10.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Today I want to share a nice Malware analysis having an interesting flow. The \u00e2\u20ac\u0153interesting\u00e2\u20ac\u009d adjective comes from the abilities the given sample owns. Capabilities of exploiting, hard obfuscations and usage of advanced techniques to steal credentials and run commands.\r\n\r\nThe analyzed sample has been provided by a colleague of mine (Alessandro) who received the first stage by eMail. A special thanks to Luca and Edoardo for having recognized XMRig during the last infection stage." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c5d76-21e8-42fd-8b34-4d39950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:34:10.000Z", "modified": "2018-01-15T09:34:10.000Z", "pattern": "[file:name = 'info6.ps1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:34:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c5d76-59e8-46ee-88b7-4240950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:34:10.000Z", "modified": "2018-01-15T09:34:10.000Z", "pattern": "[url:value = 'http://118.184.48.95:8000/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:34:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5a5c5dfd-aaac-4c47-9eff-417d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:34:11.000Z", "modified": "2018-01-15T09:34:11.000Z", "labels": [ "misp:type=\"other\"", "misp:category=\"Financial fraud\"" ], "x_misp_category": "Financial fraud", "x_misp_comment": "Monero Address", "x_misp_type": "other", "x_misp_value": "46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c5e0f-4364-483b-98c3-4fad950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T07:53:51.000Z", "modified": "2018-01-15T07:53:51.000Z", "pattern": "[file:hashes.SHA256 = '19e15a4288e109405f0181d921d3645e4622c87c4050004357355b7a9bf862cc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T07:53:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c5e0f-0dac-46db-b486-4cbb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T07:53:51.000Z", "modified": "2018-01-15T07:53:51.000Z", "pattern": "[file:hashes.SHA256 = '038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T07:53:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c5e62-827c-4ed3-94d6-4de0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:34:11.000Z", "modified": "2018-01-15T09:34:11.000Z", "pattern": "[file:name = 'y1.bat']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:34:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ef15fe55-96db-4f8e-a563-90107aa04fd8", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:34:14.000Z", "modified": "2018-01-15T09:34:14.000Z", "pattern": "[file:hashes.MD5 = '9ac3bdb9378cd1fafbb8e08def738481' AND file:hashes.SHA1 = '8da156580747bf9ef8fa4d1c42ee112ab743da69' AND file:hashes.SHA256 = '038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:34:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--f12256d2-41cd-4eb1-bbd1-fb0128573238", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:34:13.000Z", "modified": "2018-01-15T09:34:13.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309/analysis/1513112352/", "category": "External analysis", "uuid": "5a5c7595-db48-49f6-84da-459f02de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "47/67", "category": "Other", "uuid": "5a5c7595-4a78-4b7d-b6d0-422f02de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-12-12T20:59:12", "category": "Other", "uuid": "5a5c7596-3728-4530-b061-411f02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d932fbce-6248-4955-bf1c-ddbd669a67b3", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:34:17.000Z", "modified": "2018-01-15T09:34:17.000Z", "pattern": "[file:hashes.MD5 = '8365158c74008879df00a9d49e61aaea' AND file:hashes.SHA1 = '686761aff5e4efedbc5b2931c0f214d8ba7b9463' AND file:hashes.SHA256 = '19e15a4288e109405f0181d921d3645e4622c87c4050004357355b7a9bf862cc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:34:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--c46c80e3-a03a-497f-87ee-816333479203", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:34:15.000Z", "modified": "2018-01-15T09:34:15.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/19e15a4288e109405f0181d921d3645e4622c87c4050004357355b7a9bf862cc/analysis/1513112312/", "category": "External analysis", "uuid": "5a5c7598-efc4-400f-9451-4f2502de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "30/65", "category": "Other", "uuid": "5a5c7599-bbfc-49f5-bf91-417d02de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-12-12T20:58:32", "category": "Other", "uuid": "5a5c7599-ce88-4d2a-9ccd-446c02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d46df717-94b0-46e9-8076-77bf6a03ce6d", "created": "2018-02-16T08:50:36.000Z", "modified": "2018-02-16T08:50:36.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--ef15fe55-96db-4f8e-a563-90107aa04fd8", "target_ref": "x-misp-object--f12256d2-41cd-4eb1-bbd1-fb0128573238" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--19813f25-4de5-4f78-9e81-18b7ddc66256", "created": "2018-02-16T08:50:36.000Z", "modified": "2018-02-16T08:50:36.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--d932fbce-6248-4955-bf1c-ddbd669a67b3", "target_ref": "x-misp-object--c46c80e3-a03a-497f-87ee-816333479203" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }