{ "type": "bundle", "id": "bundle--5a3cbdf8-172c-4738-9b96-c31d950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-30T14:28:47.000Z", "modified": "2018-10-30T14:28:47.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "grouping", "spec_version": "2.1", "id": "grouping--5a3cbdf8-172c-4738-9b96-c31d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-30T14:28:47.000Z", "modified": "2018-10-30T14:28:47.000Z", "name": "OSINT - Digmine Cryptocurrency Miner Spreading via Facebook Messenger", "context": "suspicious-activity", "object_refs": [ "observed-data--5a3cbe23-e3fc-4f14-8aad-55ea950d210f", "url--5a3cbe23-e3fc-4f14-8aad-55ea950d210f", "x-misp-attribute--5a5cbdca-e130-4082-b292-44c2950d210f", "indicator--5a5cbf71-02d0-4661-94ac-48c4950d210f", "indicator--5a5cbf72-c6a8-4c3e-902e-40e3950d210f", "indicator--5a5cbf73-2cc8-4645-ab88-464f950d210f", "indicator--5a5cbf73-8c2c-4b1d-be95-40dd950d210f", "indicator--5a5cbf73-59d0-4ddb-a95d-4a41950d210f", "indicator--5a5cbf74-d9c4-4822-a6da-498a950d210f", "indicator--5a5cbf74-2274-4921-aa86-40ef950d210f", "indicator--5a5cbf75-d1c4-47b5-b69d-4f2e950d210f", "indicator--5a5cbf76-2460-4448-970d-4de2950d210f", "indicator--5a5cbf76-0f24-480e-a813-4d2e950d210f", "indicator--5a5cbf76-4d2c-4785-9161-430b950d210f", "indicator--5a5cbfe3-c574-4f96-978e-42b7950d210f", "indicator--5a5cbfe4-f630-44c2-9af1-4329950d210f", "indicator--5a5cbfe4-cd54-4c67-8652-4b98950d210f", "indicator--c9227520-0ad9-46ab-95c3-cbccbfca0d41", "x-misp-object--84ba4228-3be2-4c13-875f-52799e79680f", "indicator--96f46bd7-e112-46d4-b676-1bbb1d0065a4", "x-misp-object--e48a8058-0d5c-45fe-b3a3-5b1a52e928e6", "relationship--b6c71138-2449-48cc-a4e3-0fa6e14363f6", "relationship--d49610d2-77cb-4f3b-a6eb-b272accfa159" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:tool=\"Digmine\"", 
"dnc:malware-type=\"CoinMiner\"", "workflow:state=\"complete\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a3cbe23-e3fc-4f14-8aad-55ea950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:01:54.000Z", "modified": "2018-02-09T14:01:54.000Z", "first_observed": "2018-02-09T14:01:54Z", "last_observed": "2018-02-09T14:01:54Z", "number_observed": 1, "object_refs": [ "url--5a3cbe23-e3fc-4f14-8aad-55ea950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a3cbe23-e3fc-4f14-8aad-55ea950d210f", "value": "http://blog.trendmicro.com/trendlabs-security-intelligence/digmine-cryptocurrency-miner-spreading-via-facebook-messenger/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5a5cbdca-e130-4082-b292-44c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:01:55.000Z", "modified": "2018-02-09T14:01:55.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "We found a new cryptocurrency-mining bot spreading through Facebook Messenger, which we first observed in South Korea. We named this Digmine based on the moniker (\ube44\ud2b8\ucf54\uc778 \ucc44\uad74\uae30 bot) it was referred to in a report of recent related incidents in South Korea. We\u2019ve also seen Digmine spreading in other regions such as Vietnam, Azerbaijan, Ukraine, Philippines, Thailand, and Venezuela. It\u2019s not far-off for Digmine to reach other countries given the way it propagates." 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5cbf71-02d0-4661-94ac-48c4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:01:55.000Z", "modified": "2018-02-09T14:01:55.000Z", "description": "C&C", "pattern": "[domain-name:value = 'vijus.bid']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:01:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5cbf72-c6a8-4c3e-902e-40e3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:01:55.000Z", "modified": "2018-02-09T14:01:55.000Z", "description": "C&C", "pattern": "[domain-name:value = 'ozivu.bid']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:01:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5cbf73-2cc8-4645-ab88-464f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:01:56.000Z", "modified": "2018-02-09T14:01:56.000Z", "description": "C&C", "pattern": "[domain-name:value = 'thisdayfunnyday.space']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:01:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5cbf73-8c2c-4b1d-be95-40dd950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:01:56.000Z", "modified": "2018-02-09T14:01:56.000Z", "description": "C&C", "pattern": "[domain-name:value = 'thisaworkstation.space']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:01:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5cbf73-59d0-4ddb-a95d-4a41950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:01:57.000Z", "modified": "2018-02-09T14:01:57.000Z", "description": "C&C", "pattern": "[domain-name:value = 'mybigthink.space']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:01:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5cbf74-d9c4-4822-a6da-498a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:01:57.000Z", "modified": "2018-02-09T14:01:57.000Z", "description": "C&C", "pattern": "[domain-name:value = 'mokuz.bid']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:01:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5cbf74-2274-4921-aa86-40ef950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:01:57.000Z", "modified": "2018-02-09T14:01:57.000Z", "description": "C&C", 
"pattern": "[domain-name:value = 'pabus.bid']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:01:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5cbf75-d1c4-47b5-b69d-4f2e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:01:58.000Z", "modified": "2018-02-09T14:01:58.000Z", "description": "C&C", "pattern": "[domain-name:value = 'yezav.bid']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:01:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5cbf76-2460-4448-970d-4de2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:01:58.000Z", "modified": "2018-02-09T14:01:58.000Z", "description": "C&C", "pattern": "[domain-name:value = 'bigih.bid']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:01:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5cbf76-0f24-480e-a813-4d2e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:01:59.000Z", "modified": "2018-02-09T14:01:59.000Z", "description": "C&C", "pattern": "[domain-name:value = 'taraz.bid']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:01:59Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5cbf76-4d2c-4785-9161-430b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:01:59.000Z", "modified": "2018-02-09T14:01:59.000Z", "description": "C&C", "pattern": "[domain-name:value = 'megu.info']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:01:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5cbfe3-c574-4f96-978e-42b7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T14:51:15.000Z", "modified": "2018-01-15T14:51:15.000Z", "description": "detected as TROJ_DIGMINEIN.A", "pattern": "[file:hashes.SHA256 = 'beb7274d78c63aa44515fe6bbfd324f49ec2cc0b8650aeb2d6c8ab61a0ae9f1d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T14:51:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5cbfe4-f630-44c2-9af1-4329950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T14:51:16.000Z", "modified": "2018-01-15T14:51:16.000Z", "description": "detected as BREX_DIGMINEEX.A", "pattern": "[file:hashes.SHA256 = '5a5b8551a82c57b683f9bd8ba49aefeab3d7c9d299a2d2cb446816cd15d3b3e9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T14:51:16Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5cbfe4-cd54-4c67-8652-4b98950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T14:51:16.000Z", "modified": "2018-01-15T14:51:16.000Z", "description": "detected as TROJ_DIGMINE.A", "pattern": "[file:hashes.SHA256 = 'f7e0398ae1f5a2f48055cf712b08972a1b6eb14579333bf038d37ed862c55909']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T14:51:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c9227520-0ad9-46ab-95c3-cbccbfca0d41", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:02:03.000Z", "modified": "2018-02-09T14:02:03.000Z", "pattern": "[file:hashes.MD5 = 'd0857aba2c626d554c6982d2d2d4db8a' AND file:hashes.SHA1 = '772e3fab70b1c8339064d2a8b75413819d9e4a5d' AND file:hashes.SHA256 = 'beb7274d78c63aa44515fe6bbfd324f49ec2cc0b8650aeb2d6c8ab61a0ae9f1d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:02:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--84ba4228-3be2-4c13-875f-52799e79680f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:02:01.000Z", "modified": "2018-02-09T14:02:01.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", 
"object_relation": "permalink", "value": "https://www.virustotal.com/file/beb7274d78c63aa44515fe6bbfd324f49ec2cc0b8650aeb2d6c8ab61a0ae9f1d/analysis/1515510769/", "category": "External analysis", "comment": "detected as TROJ_DIGMINEIN.A", "uuid": "5a7da9d9-1868-4623-acc4-7f4202de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "47/67", "category": "Other", "comment": "detected as TROJ_DIGMINEIN.A", "uuid": "5a7da9da-8140-46c2-be5b-7f4202de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-01-09 15:12:49", "category": "Other", "comment": "detected as TROJ_DIGMINEIN.A", "uuid": "5a7da9da-16a0-438f-abe8-7f4202de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--96f46bd7-e112-46d4-b676-1bbb1d0065a4", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:02:05.000Z", "modified": "2018-02-09T14:02:05.000Z", "pattern": "[file:hashes.MD5 = '8f7ac245965e43d521bf6870ef3ff924' AND file:hashes.SHA1 = 'c5db86423e0f50a46daea2f3025fad7d9b7b0d1c' AND file:hashes.SHA256 = 'f7e0398ae1f5a2f48055cf712b08972a1b6eb14579333bf038d37ed862c55909']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:02:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--e48a8058-0d5c-45fe-b3a3-5b1a52e928e6", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:02:04.000Z", "modified": "2018-02-09T14:02:04.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": 
"https://www.virustotal.com/file/f7e0398ae1f5a2f48055cf712b08972a1b6eb14579333bf038d37ed862c55909/analysis/1515510846/", "category": "External analysis", "comment": "detected as TROJ_DIGMINE.A", "uuid": "5a7da9dc-fb64-4968-bff4-7f4202de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "45/67", "category": "Other", "comment": "detected as TROJ_DIGMINE.A", "uuid": "5a7da9dc-2c44-478f-90d7-7f4202de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-01-09 15:14:06", "category": "Other", "comment": "detected as TROJ_DIGMINE.A", "uuid": "5a7da9dd-d220-4017-b954-7f4202de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b6c71138-2449-48cc-a4e3-0fa6e14363f6", "created": "2018-02-16T08:56:38.000Z", "modified": "2018-02-16T08:56:38.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--c9227520-0ad9-46ab-95c3-cbccbfca0d41", "target_ref": "x-misp-object--84ba4228-3be2-4c13-875f-52799e79680f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d49610d2-77cb-4f3b-a6eb-b272accfa159", "created": "2018-02-16T08:56:38.000Z", "modified": "2018-02-16T08:56:38.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--96f46bd7-e112-46d4-b676-1bbb1d0065a4", "target_ref": "x-misp-object--e48a8058-0d5c-45fe-b3a3-5b1a52e928e6" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }