{ "type": "bundle", "id": "bundle--5e2a97e7-4bd4-41c4-8aaf-4262950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-02-26T06:57:06.000Z", "modified": "2020-02-26T06:57:06.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5e2a97e7-4bd4-41c4-8aaf-4262950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-02-26T06:57:06.000Z", "modified": "2020-02-26T06:57:06.000Z", "name": "OSINT - Iranian PupyRAT Bites Middle Eastern Organizations", "published": "2020-02-26T06:57:49Z", "object_refs": [ "indicator--5e3194f2-e0f0-432a-bc5d-aea2950d210f", "indicator--5e3194f4-98d0-4693-9695-aea2950d210f", "x-misp-object--5e2a9a69-4f24-4f73-983b-478b950d210f", "indicator--5e3187c7-9b64-4c78-b33f-1c2f950d210f", "indicator--5e318cb9-f1ac-4eac-a1b6-aea2950d210f", "indicator--5e318e40-4368-4040-bf75-4888950d210f", "indicator--5e318ece-eb38-430b-9235-2768950d210f", "indicator--5e3190e6-cdc4-4ef3-8ee6-d77d950d210f", "indicator--5e3193d9-9110-4de4-85c0-4844950d210f", "indicator--5e319643-2f90-4bf1-89f5-7f0b950d210f", "indicator--5e31969e-8ca8-462e-b114-7f1d950d210f", "indicator--5e3196dc-2b94-4648-97b0-d77c950d210f", "x-misp-object--e5e73bc0-efa0-484e-8086-0f3137f470e3", "x-misp-object--83aabfa5-efd1-401e-a84d-75ab6ab670f0", "x-misp-object--87cbd279-31f6-474e-92b7-6f1ca9c322c8", "x-misp-object--959f1fb7-4ad0-4407-82e1-0aa582296285", "relationship--29683ada-8a00-4574-a893-1d3f9342e3dd", "relationship--8e96a015-9ec7-474c-adf6-24b1134c5603", "relationship--782f05bb-cda3-4a1b-b759-62ea20ee12e8", "relationship--7520b0a7-a0d2-462e-affc-241c0fb15a93" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:mitre-enterprise-attack-tool=\"Pupy - S0192\"", "misp-galaxy:mitre-tool=\"Pupy - S0192\"", "misp-galaxy:tool=\"PupyRAT\"", 
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Magic Hound\"", "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Magic Hound - G0059\"", "misp-galaxy:mitre-intrusion-set=\"Magic Hound - G0059\"", "misp-galaxy:threat-actor=\"Cleaver\"", "misp-galaxy:threat-actor=\"OilRig\"", "misp-galaxy:threat-actor=\"APT35\"", "ms-caro-malware:malware-type=\"RemoteAccess\"", "enisa:nefarious-activity-abuse=\"remote-access-tool\"", "veris:asset:variety=\"S - Remote access\"", "veris:action:misuse:vector=\"Remote access\"", "ms-caro-malware-full:malware-type=\"RemoteAccess\"", "CERT-XLM:malicious-code=\"spyware-rat\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5e3194f2-e0f0-432a-bc5d-aea2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-01-29T14:21:38.000Z", "modified": "2020-01-29T14:21:38.000Z", "description": "Hosting PowerShell stages of PupyRAT download", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '139.59.46.154']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-01-29T14:21:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5e3194f4-98d0-4693-9695-aea2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-01-29T14:21:40.000Z", "modified": "2020-01-29T14:21:40.000Z", "description": "PupyRAT command and control server", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '89.107.62.39']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-01-29T14:21:40Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5e2a9a69-4f24-4f73-983b-478b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-01-24T07:53:47.000Z", "modified": "2020-01-24T07:53:47.000Z", "labels": [ "misp:name=\"microblog\"", "misp:meta-category=\"misc\"", "osint:source-type=\"technical-report\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "post", "value": "Thanks for reaching out @QW5kcmV3\r\n! Here is the report that mentions COBALT GYPSY use of the OST PupyRAT (https://secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations). Iran-nexus group overlaps are a fun challenge to deconstruct\u2026Always appreciate the constructive feedback!\u2026", "category": "Other", "uuid": "5e2a9a69-57e8-40b5-a0bb-4768950d210f" }, { "type": "text", "object_relation": "type", "value": "Twitter", "category": "Other", "uuid": "5e2aa05f-4cd0-4f9b-9d01-49de950d210f" }, { "type": "link", "object_relation": "link", "value": "https://mobile.twitter.com/maggintel/status/1220440024631644160", "category": "External analysis", "uuid": "5e2aa060-7c98-4c40-9641-4b5f950d210f" }, { "type": "link", "object_relation": "embedded-safe-link", "value": "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations", "category": "External analysis", "uuid": "5e2aa060-5a2c-4588-ba48-4f90950d210f" }, { "type": "link", "object_relation": "embedded-safe-link", "value": "https://t.co/NP4e8FXfKI?amp=1", "category": "External analysis", "uuid": "5e2aa060-8c70-4462-8ead-45bf950d210f" }, { "type": "text", "object_relation": "username-quoted", "value": "@QW5kcmV3", "category": "Other", "uuid": "5e2aa060-9c48-4326-96bd-4301950d210f" }, { "type": "text", 
"object_relation": "verified-username", "value": "Unverified", "category": "Other", "uuid": "5e2aa060-1864-4154-9d99-43e1950d210f" }, { "type": "text", "object_relation": "state", "value": "Informative", "category": "Other", "uuid": "5e2aa060-e708-4e1f-8e34-4e22950d210f" }, { "type": "text", "object_relation": "username", "value": "maggintel", "category": "Other", "uuid": "5e2aa060-e184-4c09-afb0-4b1d950d210f" } ], "x_misp_meta_category": "misc", "x_misp_name": "microblog" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5e3187c7-9b64-4c78-b33f-1c2f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-02-26T06:57:06.000Z", "modified": "2020-02-26T06:57:06.000Z", "description": "Associated organization : National Technology Group, a Saudi Arabian telecommunications company", "pattern": "[domain-name:value = 'ntg-sa.com' AND domain-name:value = 'ntg.com.sa' AND domain-name:resolves_to_refs[*].value = '45.32.186.33']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-02-26T06:57:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5e318cb9-f1ac-4eac-a1b6-aea2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-02-26T06:56:58.000Z", "modified": "2020-02-26T06:56:58.000Z", "description": "Associated organization : ITWorx, an Egyptian information technology services firm", "pattern": "[domain-name:value = 'itworx.com-ho.me' AND domain-name:value = 'itworx.com' AND domain-name:resolves_to_refs[*].value = '45.32.186.33']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-02-26T06:56:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", 
"misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5e318e40-4368-4040-bf75-4888950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-02-26T06:56:52.000Z", "modified": "2020-02-26T06:56:52.000Z", "description": "Associated organization : Saudi Ministry of Commerce", "pattern": "[domain-name:value = 'mci.com-ho.me' AND domain-name:value = 'mci.gov.sa' AND domain-name:resolves_to_refs[*].value = '45.32.186.33']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-02-26T06:56:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5e318ece-eb38-430b-9235-2768950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-02-26T06:56:45.000Z", "modified": "2020-02-26T06:56:45.000Z", "description": "Associated organization : Saudi Ministry of Health", "pattern": "[domain-name:value = 'moh.com-ho.me' AND domain-name:value = 'moh.gov.sa' AND domain-name:resolves_to_refs[*].value = '45.32.186.33']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-02-26T06:56:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5e3190e6-cdc4-4ef3-8ee6-d77d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-02-26T06:56:39.000Z", "modified": "2020-02-26T06:56:39.000Z", "description": "Associated organization : Saudi Ministry of Labor", "pattern": "[domain-name:value = 'mol.com-ho.me' AND domain-name:value = 'mol.gov.sa' AND 
domain-name:resolves_to_refs[*].value = '45.32.186.33']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-02-26T06:56:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5e3193d9-9110-4de4-85c0-4844950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-02-21T10:42:24.000Z", "modified": "2020-02-21T10:42:24.000Z", "description": "Ministry of Health lure (Health_insurance_registration.doc) delivering PupyRAT", "pattern": "[file:hashes.MD5 = '1b5e33e5a244d2d67d7a09c4ccf16e56' AND file:hashes.SHA1 = '934c51ff1ea00af2cb3b8465f0a3effcf759d866' AND file:hashes.SHA256 = '66d24a529308d8ab7b27ddd43a6c2db84107b831257efb664044ec4437f9487b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-02-21T10:42:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5e319643-2f90-4bf1-89f5-7f0b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-02-21T10:42:25.000Z", "modified": "2020-02-21T10:42:25.000Z", "description": "PupyRAT (pupyx86.dll)", "pattern": "[file:hashes.MD5 = '97cb7dc1395918c2f3018c109ab4ea5b' AND file:hashes.SHA1 = '3215021976b933ff76ce3436e828286e124e2527' AND file:hashes.SHA256 = '8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71' AND file:name = 'pupyx86.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-02-21T10:42:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { 
"type": "indicator", "spec_version": "2.1", "id": "indicator--5e31969e-8ca8-462e-b114-7f1d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-02-21T10:42:25.000Z", "modified": "2020-02-21T10:42:25.000Z", "description": "Password-themed lure (Password_Policy.xlsm) delivering PupyRAT", "pattern": "[file:hashes.MD5 = '03ea9457bf71d51d8109e737158be888' AND file:hashes.SHA1 = 'd20168c523058c7a82f6d79ef63ea546c794e57b' AND file:hashes.SHA256 = '6c195ea18c05bbf091f09873ed9cd533ec7c8de7a831b85690e48290b579634b' AND file:name = 'Password_Policy.xlsm']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-02-21T10:42:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5e3196dc-2b94-4648-97b0-d77c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-02-21T10:42:25.000Z", "modified": "2020-02-21T10:42:25.000Z", "description": "Job-themed Word document lure (qhtma) delivering PupyRAT", "pattern": "[file:hashes.MD5 = '43fad2d62bc23ffdc6d301571135222c' AND file:hashes.SHA1 = '735f5d7ef0c5129f0574bec3cf3d6b06b052744a' AND file:hashes.SHA256 = 'e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-02-21T10:42:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--e5e73bc0-efa0-484e-8086-0f3137f470e3", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-02-21T10:42:25.000Z", "modified": "2020-02-21T10:42:25.000Z", "labels": [ "misp:name=\"virustotal-report\"", 
"misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-10-06T12:32:49+00:00", "category": "Other", "uuid": "4efc3fca-4e47-41d4-9c53-6855fa268695" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71/analysis/1570365169/", "category": "Payload delivery", "uuid": "1c2fbc9e-ec53-4563-a2fa-cbc5382a3f1e" }, { "type": "text", "object_relation": "detection-ratio", "value": "48/68", "category": "Payload delivery", "uuid": "2c9d6d4a-d21b-483d-8e06-5a477d379ecd" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--83aabfa5-efd1-401e-a84d-75ab6ab670f0", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-02-21T10:42:48.000Z", "modified": "2020-02-21T10:42:48.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2020-01-27T06:52:25+00:00", "category": "Other", "uuid": "bb7e0f82-e140-4983-81f3-1f50292b574a" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/66d24a529308d8ab7b27ddd43a6c2db84107b831257efb664044ec4437f9487b/analysis/1580107945/", "category": "Payload delivery", "uuid": "8c5c9af9-34a4-4495-b646-c40794eec2e9" }, { "type": "text", "object_relation": "detection-ratio", "value": "42/61", "category": "Payload delivery", "uuid": "920edadd-fc71-4b17-8faa-66e75327811d" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--87cbd279-31f6-474e-92b7-6f1ca9c322c8", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-02-21T10:43:01.000Z", "modified": "2020-02-21T10:43:01.000Z", 
"labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2020-01-16T14:24:18+00:00", "category": "Other", "uuid": "20e4a0ed-3bd1-4690-a439-eada2cb6a90a" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/6c195ea18c05bbf091f09873ed9cd533ec7c8de7a831b85690e48290b579634b/analysis/1579184658/", "category": "Payload delivery", "uuid": "8eb1988e-1d7e-4c00-8988-fbccd32e52ef" }, { "type": "text", "object_relation": "detection-ratio", "value": "40/60", "category": "Payload delivery", "uuid": "3f0c1ac0-fb20-4ecd-922a-cf23a82fd177" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--959f1fb7-4ad0-4407-82e1-0aa582296285", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-02-21T10:43:01.000Z", "modified": "2020-02-21T10:43:01.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2020-01-15T20:35:20+00:00", "category": "Other", "uuid": "53ff6fff-365d-4afa-94dd-bac37560dba3" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6/analysis/1579120520/", "category": "Payload delivery", "uuid": "8148d76e-ac8e-4380-b1bb-0d233f81375c" }, { "type": "text", "object_relation": "detection-ratio", "value": "42/59", "category": "Payload delivery", "uuid": "4eb9669c-778b-42fc-a507-99bbd567195d" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--29683ada-8a00-4574-a893-1d3f9342e3dd", "created": "2020-02-21T10:43:01.000Z", "modified": "2020-02-21T10:43:01.000Z", "relationship_type": 
"analysed-with", "source_ref": "indicator--5e3193d9-9110-4de4-85c0-4844950d210f", "target_ref": "x-misp-object--83aabfa5-efd1-401e-a84d-75ab6ab670f0" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8e96a015-9ec7-474c-adf6-24b1134c5603", "created": "2020-02-21T10:43:01.000Z", "modified": "2020-02-21T10:43:01.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5e319643-2f90-4bf1-89f5-7f0b950d210f", "target_ref": "x-misp-object--e5e73bc0-efa0-484e-8086-0f3137f470e3" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--782f05bb-cda3-4a1b-b759-62ea20ee12e8", "created": "2020-02-21T10:43:01.000Z", "modified": "2020-02-21T10:43:01.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5e31969e-8ca8-462e-b114-7f1d950d210f", "target_ref": "x-misp-object--87cbd279-31f6-474e-92b7-6f1ca9c322c8" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7520b0a7-a0d2-462e-affc-241c0fb15a93", "created": "2020-02-21T10:43:01.000Z", "modified": "2020-02-21T10:43:01.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5e3196dc-2b94-4648-97b0-d77c950d210f", "target_ref": "x-misp-object--959f1fb7-4ad0-4407-82e1-0aa582296285" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }