{ "type": "bundle", "id": "bundle--5ce24b65-40d0-4010-b7ec-2c28950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-20T07:10:46.000Z", "modified": "2019-05-20T07:10:46.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "grouping", "spec_version": "2.1", "id": "grouping--5ce24b65-40d0-4010-b7ec-2c28950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-20T07:10:46.000Z", "modified": "2019-05-20T07:10:46.000Z", "name": "OSINT - ATM Malware using CSCWCNG device handler", "context": "suspicious-activity", "object_refs": [ "x-misp-object--5ce24bd7-65d8-4ee8-a647-4a77950d210f", "x-misp-object--5ce24d6e-33cc-4003-a107-23aa950d210f", "indicator--5ce24f13-93d0-498d-9257-6a67950d210f", "indicator--5ce24f57-d3e4-49a1-94ac-6c8f950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:financial-fraud=\"ATM Black Box Attack\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "workflow:todo=\"expansion\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5ce24bd7-65d8-4ee8-a647-4a77950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-20T06:40:23.000Z", "modified": "2019-05-20T06:40:23.000Z", "labels": [ "misp:name=\"microblog\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "post", "value": "Another shitty #ATM #Malware using CSCWCNG device handler. Uploaded to VT yesterday from Mexico. 0 detected rate by AV vendors currently. (link: https://www.virustotal.com/gui/file/4a75be18a3fe0033a9ebdb8f4af81c94e03581d19b5b4373e74e41283fd2615f/summary) virustotal.com/gui/file/4a75b\u2026", "category": "Other", "uuid": "5ce24bd7-9f24-48d2-b699-4e4f950d210f" }, { "type": "text", "object_relation": "type", "value": "Twitter", "category": "Other", "uuid": "5ce24bd7-b958-42cc-98e8-4e90950d210f" }, { "type": "url", "object_relation": "url", "value": "https://mobile.twitter.com/r3c0nst/status/1129641730813366274", "category": "Network activity", "to_ids": true, "uuid": "5ce24bd7-f854-404d-8cbf-45b5950d210f" }, { "type": "url", "object_relation": "link", "value": "https://t.co/ZSAQ5vmLko?amp=1", "category": "Network activity", "to_ids": true, "uuid": "5ce24bd7-d450-4e07-86af-44d2950d210f" }, { "type": "url", "object_relation": "link", "value": "https://www.virustotal.com/gui/file/4a75be18a3fe0033a9ebdb8f4af81c94e03581d19b5b4373e74e41283fd2615f/summary", "category": "Network activity", "to_ids": true, "uuid": "5ce24bd7-5f0c-4b9f-b88a-4be6950d210f" }, { "type": "datetime", "object_relation": "creation-date", "value": "May 18, 2019 8:55 AM", "category": "Other", "uuid": "5ce24bd7-768c-4257-9aac-4173950d210f" }, { "type": "text", "object_relation": "username", "value": "r3c0nst", "category": "Other", "uuid": "5ce24bd7-c840-4e40-ae93-46d7950d210f" } ], "x_misp_meta_category": "misc", "x_misp_name": "microblog" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5ce24d6e-33cc-4003-a107-23aa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-20T06:47:10.000Z", "modified": "2019-05-20T06:47:10.000Z", "labels": [ "misp:name=\"microblog\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "post", "value": "Another Sample, same origin -> (link: https://www.virustotal.com/gui/file/7dde7f6da73c44cb19cf12e5e9174c2b8b2635e380aff5b89a045204803488a6/summary) virustotal.com/gui/file/7dde7\u2026", "category": "Other", "uuid": "5ce24d6e-e85c-43bf-adbe-23aa950d210f" }, { "type": "text", "object_relation": "type", "value": "Twitter", "category": "Other", "uuid": "5ce24d6e-d528-408f-b777-23aa950d210f" }, { "type": "url", "object_relation": "url", "value": "https://mobile.twitter.com/r3c0nst/status/1129651569006383104", "category": "Network activity", "to_ids": true, "uuid": "5ce24d6e-3fb8-4347-8ef8-23aa950d210f" }, { "type": "url", "object_relation": "link", "value": "https://t.co/DCidfeiD8X?amp=1", "category": "Network activity", "to_ids": true, "uuid": "5ce24d6e-67fc-49ee-8428-23aa950d210f" }, { "type": "url", "object_relation": "link", "value": "https://www.virustotal.com/gui/file/7dde7f6da73c44cb19cf12e5e9174c2b8b2635e380aff5b89a045204803488a6/summary", "category": "Network activity", "to_ids": true, "uuid": "5ce24d6e-7b68-4a59-ac22-23aa950d210f" }, { "type": "datetime", "object_relation": "creation-date", "value": "May 18, 2019 9:34 AM", "category": "Other", "uuid": "5ce24d6e-5c54-4370-90ca-23aa950d210f" }, { "type": "text", "object_relation": "username", "value": "r3c0nst", "category": "Other", "uuid": "5ce24d6e-83d0-45d2-b22d-23aa950d210f" } ], "x_misp_meta_category": "misc", "x_misp_name": "microblog" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ce24f13-93d0-498d-9257-6a67950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-20T06:59:01.000Z", "modified": "2019-05-20T06:59:01.000Z", "pattern": "[file:hashes.MD5 = 'c76d7cd7beac5573158b22a37fde1b5f' AND file:hashes.SHA1 = '93b54b23a28101a1d874f55d0cadb570c34abed1' AND file:hashes.SHA256 = '4a75be18a3fe0033a9ebdb8f4af81c94e03581d19b5b4373e74e41283fd2615f' AND file:hashes.SSDEEP = '384:ibfcYkg5ypJg5yHSYkg5yk9JYkg5yoWbfcYkg5yH9yckg5yo6Sd/gm0uAJ0KA1+m:ehgH+oqgkAJ0KAMt8j' AND file:hashes.AUTHENTIHASH = 'b2e12a5c44e7e01965c971de559933cb95d64bbac245531fe7d057610b49b6c1' AND file:name = 'USBLOGGER.exe' AND file:size = '15360' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-20T06:59:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ce24f57-d3e4-49a1-94ac-6c8f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-20T06:58:34.000Z", "modified": "2019-05-20T06:58:34.000Z", "pattern": "[file:hashes.MD5 = '731ab0f17372aea499046b9719e22c4e' AND file:hashes.SHA1 = '392023259d2aa32db16641d536b95f5d91a26276' AND file:hashes.SHA256 = '7dde7f6da73c44cb19cf12e5e9174c2b8b2635e380aff5b89a045204803488a6' AND file:hashes.SSDEEP = '384:rbfcYkg5yZJg5yZSYkg5y09JYkg5yoWbfcYkg5yW9yckg5yo60fqzN0uqC6jv1+a:xxuHuoBzyzbqC6DMts' AND file:hashes.AUTHENTIHASH = '74b65983fb079fd441233dcb3a46d51338292ab1cbec692e170234a43446b433' AND file:name = 'USBLOGGERzz.exe' AND file:size = '15360' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-20T06:58:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }