{ "type": "bundle", "id": "bundle--593fae82-db94-4c16-b623-42d9950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-15T14:13:32.000Z", "modified": "2017-06-15T14:13:32.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "grouping", "spec_version": "2.1", "id": "grouping--593fae82-db94-4c16-b623-42d9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-15T14:13:32.000Z", "modified": "2017-06-15T14:13:32.000Z", "name": "OSINT - CRASHOVERRIDE Analyzing the Threat to Electric Grid Operations", "context": "suspicious-activity", "object_refs": [ "x-misp-attribute--593fb528-8dd0-46f6-8593-44e7950d210f", "observed-data--593fb0fa-c9ec-4df2-8cfc-4aa802de0b81", "url--593fb0fa-c9ec-4df2-8cfc-4aa802de0b81", "indicator--593fb0fa-aab8-4283-abb0-4aa802de0b81", "indicator--593fb0f9-6978-4081-9c12-45c502de0b81", "observed-data--593fb0f9-7008-4064-86a8-4ae802de0b81", "url--593fb0f9-7008-4064-86a8-4ae802de0b81", "indicator--593fb0f9-57f8-40b8-a4fb-41b202de0b81", "indicator--593fb0f8-0b84-4af5-a9ae-4ef002de0b81", "observed-data--593fb0f8-3900-43b4-91d7-4a7402de0b81", "url--593fb0f8-3900-43b4-91d7-4a7402de0b81", "indicator--593fb0f7-c2d8-469e-a937-442002de0b81", "indicator--593fb0f7-87bc-4fd3-aa72-444c02de0b81", "observed-data--593fb0f6-198c-47b8-826c-4ec702de0b81", "url--593fb0f6-198c-47b8-826c-4ec702de0b81", "indicator--593fb0f6-9618-4a55-94e9-4da102de0b81", "indicator--593fb0f5-b50c-48dd-9a57-40d302de0b81", "observed-data--593fb0f5-7408-4484-93d6-489d02de0b81", "url--593fb0f5-7408-4484-93d6-489d02de0b81", "indicator--593fb0f4-59f4-470c-a940-4eb902de0b81", "indicator--593fb0f4-4bac-4acb-97e4-42bd02de0b81", "observed-data--593fb0f3-bcbc-4b9a-9ee7-473302de0b81", "url--593fb0f3-bcbc-4b9a-9ee7-473302de0b81", "indicator--593fb0f3-4e3c-4b78-ace3-40e202de0b81", "indicator--593fb0f3-a9d8-4e80-be95-440d02de0b81", 
"observed-data--593fb0f2-222c-4437-b07b-4fac02de0b81", "url--593fb0f2-222c-4437-b07b-4fac02de0b81", "indicator--593fb0f2-880c-4d69-9b07-43d102de0b81", "indicator--593fb0f1-8078-4a19-bbea-42bf02de0b81", "observed-data--593fb0f1-46d4-4df8-a3a9-4bb802de0b81", "url--593fb0f1-46d4-4df8-a3a9-4bb802de0b81", "indicator--593fb0f0-608c-4933-be94-4ec802de0b81", "indicator--593fb0f0-c63c-41f8-abfa-432902de0b81", "observed-data--593fb0ef-a1a8-4580-850d-420e02de0b81", "url--593fb0ef-a1a8-4580-850d-420e02de0b81", "indicator--593fb0ef-a250-4723-bb6b-43d902de0b81", "indicator--593fb0ee-fba4-4b44-a0d4-42d002de0b81", "indicator--593fb0c2-fd20-473e-8fef-4da3950d210f", "observed-data--593fb09c-9074-41fa-9a45-42ac950d210f", "url--593fb09c-9074-41fa-9a45-42ac950d210f", "indicator--593fb08b-32c4-4ca6-a7cb-463c950d210f", "indicator--593fb08a-b44c-4388-9d65-43ad950d210f", "indicator--593fb08a-ccf4-4a3f-b036-40ba950d210f", "indicator--593fb089-ae9c-45b6-8d6b-41f2950d210f", "indicator--593fb089-1e98-4309-9ebf-4a46950d210f", "indicator--593fb089-c74c-43c3-8813-4d88950d210f", "indicator--593fb088-4578-4c5f-9ec8-4952950d210f", "observed-data--593fb087-03e8-4d74-a6f7-49b5950d210f", "network-traffic--593fb087-03e8-4d74-a6f7-49b5950d210f", "ipv4-addr--593fb087-03e8-4d74-a6f7-49b5950d210f", "indicator--593fb087-0f4c-4a43-b6f1-4dbf950d210f", "observed-data--593fb086-8e30-4c1e-a3ce-4a23950d210f", "network-traffic--593fb086-8e30-4c1e-a3ce-4a23950d210f", "ipv4-addr--593fb086-8e30-4c1e-a3ce-4a23950d210f", "indicator--593fb086-b88c-425e-946d-41c0950d210f", "indicator--593fb085-7334-4cde-b4ee-4bf3950d210f", "observed-data--593fb085-2d7c-4a1d-af7a-4b1f950d210f", "network-traffic--593fb085-2d7c-4a1d-af7a-4b1f950d210f", "ipv4-addr--593fb085-2d7c-4a1d-af7a-4b1f950d210f", "observed-data--593fb084-1164-4a83-b3a2-476d950d210f", "network-traffic--593fb084-1164-4a83-b3a2-476d950d210f", "ipv4-addr--593fb084-1164-4a83-b3a2-476d950d210f", "indicator--593fb084-a26c-412b-8c5e-439b950d210f", 
"observed-data--593fb083-d114-411f-b654-4985950d210f", "windows-registry-key--593fb083-d114-411f-b654-4985950d210f", "observed-data--593fb083-f0a4-494a-bfef-4461950d210f", "network-traffic--593fb083-f0a4-494a-bfef-4461950d210f", "ipv4-addr--593fb083-f0a4-494a-bfef-4461950d210f", "observed-data--593fb082-322c-4da0-9bbf-436d950d210f", "network-traffic--593fb082-322c-4da0-9bbf-436d950d210f", "ipv4-addr--593fb082-322c-4da0-9bbf-436d950d210f", "observed-data--593fb082-e264-4a31-8662-47a6950d210f", "network-traffic--593fb082-e264-4a31-8662-47a6950d210f", "ipv4-addr--593fb082-e264-4a31-8662-47a6950d210f", "observed-data--593fb082-d0fc-4e80-ad70-4ab8950d210f", "windows-registry-key--593fb082-d0fc-4e80-ad70-4ab8950d210f", "x-misp-attribute--593faec0-43fc-4d9b-a04d-43d3950d210f", "observed-data--593fae91-fa4c-470f-9b47-4fc8950d210f", "url--593fae91-fa4c-470f-9b47-4fc8950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "admiralty-scale:information-credibility=\"6\"", "circl:topic=\"industry\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--593fb528-8dd0-46f6-8593-44e7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:49:28.000Z", "modified": "2017-06-13T09:49:28.000Z", "labels": [ "misp:type=\"user-agent\"", "misp:category=\"Network activity\"" ], "x_misp_category": "Network activity", "x_misp_type": "user-agent", "x_misp_value": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--593fb0fa-c9ec-4df2-8cfc-4aa802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:38.000Z", "modified": "2017-06-13T09:31:38.000Z", "first_observed": "2017-06-13T09:31:38Z", "last_observed": "2017-06-13T09:31:38Z", "number_observed": 1, "object_refs": [ 
"url--593fb0fa-c9ec-4df2-8cfc-4aa802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--593fb0fa-c9ec-4df2-8cfc-4aa802de0b81", "value": "https://www.virustotal.com/file/893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f/analysis/1497333819/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb0fa-aab8-4283-abb0-4aa802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:38.000Z", "modified": "2017-06-13T09:31:38.000Z", "description": "Custom-built port scanner. ,Stage 2: Develop,Recon - Xchecked via VT: b335163e6eb854df5e08e85026b2c3518891eda8", "pattern": "[file:hashes.MD5 = '497de9d388d23bf8ae7230d80652af69']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb0f9-6978-4081-9c12-45c502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:37.000Z", "modified": "2017-06-13T09:31:37.000Z", "description": "Custom-built port scanner. 
,Stage 2: Develop,Recon - Xchecked via VT: b335163e6eb854df5e08e85026b2c3518891eda8", "pattern": "[file:hashes.SHA256 = '893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--593fb0f9-7008-4064-86a8-4ae802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:37.000Z", "modified": "2017-06-13T09:31:37.000Z", "first_observed": "2017-06-13T09:31:37Z", "last_observed": "2017-06-13T09:31:37Z", "number_observed": 1, "object_refs": [ "url--593fb0f9-7008-4064-86a8-4ae802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--593fb0f9-7008-4064-86a8-4ae802de0b81", "value": "https://www.virustotal.com/file/ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910/analysis/1487157094/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb0f9-57f8-40b8-a4fb-41b202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:37.000Z", "modified": "2017-06-13T09:31:37.000Z", "description": "\"Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot. 
\",Stage 2: Attack,Destruction - Xchecked via VT: b92149f046f00bb69de329b8457d32c24726ee00", "pattern": "[file:hashes.MD5 = '7a7ace486dbb046f588331a08e869d58']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb0f8-0b84-4af5-a9ae-4ef002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:36.000Z", "modified": "2017-06-13T09:31:36.000Z", "description": "\"Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot. \",Stage 2: Attack,Destruction - Xchecked via VT: b92149f046f00bb69de329b8457d32c24726ee00", "pattern": "[file:hashes.SHA256 = 'ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--593fb0f8-3900-43b4-91d7-4a7402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:36.000Z", "modified": "2017-06-13T09:31:36.000Z", "first_observed": "2017-06-13T09:31:36Z", "last_observed": "2017-06-13T09:31:36Z", "number_observed": 1, "object_refs": [ "url--593fb0f8-3900-43b4-91d7-4a7402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--593fb0f8-3900-43b4-91d7-4a7402de0b81", "value": 
"https://www.virustotal.com/file/018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81/analysis/1497287042/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb0f7-c2d8-469e-a937-442002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:35.000Z", "modified": "2017-06-13T09:31:35.000Z", "description": "\"Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot. \",Stage 2: Attack,Destruction - Xchecked via VT: 5a5fafbc3fec8d36fd57b075ebf34119ba3bff04", "pattern": "[file:hashes.MD5 = 'ab17f2b17c57b731cb930243589ab0cf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb0f7-87bc-4fd3-aa72-444c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:35.000Z", "modified": "2017-06-13T09:31:35.000Z", "description": "\"Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot. 
\",Stage 2: Attack,Destruction - Xchecked via VT: 5a5fafbc3fec8d36fd57b075ebf34119ba3bff04", "pattern": "[file:hashes.SHA256 = '018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--593fb0f6-198c-47b8-826c-4ec702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:34.000Z", "modified": "2017-06-13T09:31:34.000Z", "first_observed": "2017-06-13T09:31:34Z", "last_observed": "2017-06-13T09:31:34Z", "number_observed": 1, "object_refs": [ "url--593fb0f6-198c-47b8-826c-4ec702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--593fb0f6-198c-47b8-826c-4ec702de0b81", "value": "https://www.virustotal.com/file/7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad/analysis/1497333815/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb0f6-9618-4a55-94e9-4da102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:34.000Z", "modified": "2017-06-13T09:31:34.000Z", "description": "Module for 104 effect. Exports 'Crash' which is invoked by launcher. Functionality requires config file. 
,Stage 2: Attack,Loss of Control - Xchecked via VT: 94488f214b165512d2fc0438a581f5c9e3bd4d4c", "pattern": "[file:hashes.MD5 = 'a193184e61e34e2bc36289deaafdec37']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb0f5-b50c-48dd-9a57-40d302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:33.000Z", "modified": "2017-06-13T09:31:33.000Z", "description": "Module for 104 effect. Exports 'Crash' which is invoked by launcher. Functionality requires config file. ,Stage 2: Attack,Loss of Control - Xchecked via VT: 94488f214b165512d2fc0438a581f5c9e3bd4d4c", "pattern": "[file:hashes.SHA256 = '7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--593fb0f5-7408-4484-93d6-489d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:33.000Z", "modified": "2017-06-13T09:31:33.000Z", "first_observed": "2017-06-13T09:31:33Z", "last_observed": "2017-06-13T09:31:33Z", "number_observed": 1, "object_refs": [ "url--593fb0f5-7408-4484-93d6-489d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--593fb0f5-7408-4484-93d6-489d02de0b81", "value": 
"https://www.virustotal.com/file/21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561/analysis/1497333825/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb0f4-59f4-470c-a940-4eb902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:32.000Z", "modified": "2017-06-13T09:31:32.000Z", "description": "\"Launcher for payload DLL. Takes input as three command line parameters \u2013 working directory, module, and config file.\",Stage 2: Attack,Loss of Control - Xchecked via VT: 79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a", "pattern": "[file:hashes.MD5 = 'f9005f8e9d9b854491eb2fbbd06a16e0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb0f4-4bac-4acb-97e4-42bd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:32.000Z", "modified": "2017-06-13T09:31:32.000Z", "description": "\"Launcher for payload DLL. 
Takes input as three command line parameters \u2013 working directory, module, and config file.\",Stage 2: Attack,Loss of Control - Xchecked via VT: 79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a", "pattern": "[file:hashes.SHA256 = '21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--593fb0f3-bcbc-4b9a-9ee7-473302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-15T14:13:21.000Z", "modified": "2017-06-15T14:13:21.000Z", "first_observed": "2017-06-15T14:13:21Z", "last_observed": "2017-06-15T14:13:21Z", "number_observed": 1, "object_refs": [ "url--593fb0f3-bcbc-4b9a-9ee7-473302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--593fb0f3-bcbc-4b9a-9ee7-473302de0b81", "value": "https://www.virustotal.com/file/ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77/analysis/1497333833/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb0f3-4e3c-4b78-ace3-40e202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-15T14:12:44.000Z", "modified": "2017-06-15T14:12:44.000Z", "description": "Backdoor/RAT Proxy + HTTP CONNECT to 195.16.88.6:443 ,Phase2: C2,Remote Access - Xchecked via VT: 2cb8230281b86fa944d3043ae906016c8b5984d9", "pattern": "[file:hashes.MD5 = 'ff69615e3a8d7ddcdc4b7bf94d6c7ffb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-15T14:12:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ 
"misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb0f3-a9d8-4e80-be95-440d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-15T14:12:47.000Z", "modified": "2017-06-15T14:12:47.000Z", "description": "Backdoor/RAT Proxy + HTTP CONNECT to 195.16.88.6:443 ,Phase2: C2,Remote Access - Xchecked via VT: 2cb8230281b86fa944d3043ae906016c8b5984d9", "pattern": "[file:hashes.SHA256 = 'ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-15T14:12:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--593fb0f2-222c-4437-b07b-4fac02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:30.000Z", "modified": "2017-06-13T09:31:30.000Z", "first_observed": "2017-06-13T09:31:30Z", "last_observed": "2017-06-13T09:31:30Z", "number_observed": 1, "object_refs": [ "url--593fb0f2-222c-4437-b07b-4fac02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--593fb0f2-222c-4437-b07b-4fac02de0b81", "value": "https://www.virustotal.com/file/3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571/analysis/1497333806/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb0f2-880c-4d69-9b07-43d102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:30.000Z", "modified": "2017-06-13T09:31:30.000Z", "description": "Backdoor/RAT Proxy + HTTP CONNECT to 93.115.27.57:443. 
,Phase2: C2,Remote Access - Xchecked via VT: 8e39eca1e48240c01ee570631ae8f0c9a9637187", "pattern": "[file:hashes.MD5 = '11a67ff9ad6006bd44f08bcc125fb61e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb0f1-8078-4a19-bbea-42bf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:29.000Z", "modified": "2017-06-13T09:31:29.000Z", "description": "Backdoor/RAT Proxy + HTTP CONNECT to 93.115.27.57:443. ,Phase2: C2,Remote Access - Xchecked via VT: 8e39eca1e48240c01ee570631ae8f0c9a9637187", "pattern": "[file:hashes.SHA256 = '3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--593fb0f1-46d4-4df8-a3a9-4bb802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:29.000Z", "modified": "2017-06-13T09:31:29.000Z", "first_observed": "2017-06-13T09:31:29Z", "last_observed": "2017-06-13T09:31:29Z", "number_observed": 1, "object_refs": [ "url--593fb0f1-46d4-4df8-a3a9-4bb802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--593fb0f1-46d4-4df8-a3a9-4bb802de0b81", "value": "https://www.virustotal.com/file/6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47/analysis/1497333810/" }, { "type": "indicator", 
"spec_version": "2.1", "id": "indicator--593fb0f0-608c-4933-be94-4ec802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:28.000Z", "modified": "2017-06-13T09:31:28.000Z", "description": "\"Traffic to 10.15.1.69:3128, HTTP CONNECT to 5.39.218.152:443. Backdoor/RAT.\",Phase2: C2,Remote Access - Xchecked via VT: cccce62996d578b984984426a024d9b250237533", "pattern": "[file:hashes.MD5 = 'fc4fe1b933183c4c613d34ffdb5fe758']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb0f0-c63c-41f8-abfa-432902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:28.000Z", "modified": "2017-06-13T09:31:28.000Z", "description": "\"Traffic to 10.15.1.69:3128, HTTP CONNECT to 5.39.218.152:443. 
Backdoor/RAT.\",Phase2: C2,Remote Access - Xchecked via VT: cccce62996d578b984984426a024d9b250237533", "pattern": "[file:hashes.SHA256 = '6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--593fb0ef-a1a8-4580-850d-420e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:27.000Z", "modified": "2017-06-13T09:31:27.000Z", "first_observed": "2017-06-13T09:31:27Z", "last_observed": "2017-06-13T09:31:27Z", "number_observed": 1, "object_refs": [ "url--593fb0ef-a1a8-4580-850d-420e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--593fb0ef-a1a8-4580-850d-420e02de0b81", "value": "https://www.virustotal.com/file/37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4/analysis/1497333801/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb0ef-a250-4723-bb6b-43d902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:27.000Z", "modified": "2017-06-13T09:31:27.000Z", "description": "\"Traffic to 10.15.1.69:3128, HTTP CONNECT to 5.39.218.152:443. Backdoor/RAT. 
\",Phase2: C2,Remote Access - Xchecked via VT: f6c21f8189ced6ae150f9ef2e82a3a57843b587d", "pattern": "[file:hashes.MD5 = 'f67b65b9346ee75a26f491b70bf6091b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb0ee-fba4-4b44-a0d4-42d002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:26.000Z", "modified": "2017-06-13T09:31:26.000Z", "description": "\"Traffic to 10.15.1.69:3128, HTTP CONNECT to 5.39.218.152:443. Backdoor/RAT. \",Phase2: C2,Remote Access - Xchecked via VT: f6c21f8189ced6ae150f9ef2e82a3a57843b587d", "pattern": "[file:hashes.SHA256 = '37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb0c2-fd20-473e-8fef-4da3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:14.000Z", "modified": "2017-06-13T09:31:14.000Z", "pattern": "[import \"pe\"\r\nimport \"hash\"\r\n\r\nrule dragos_crashoverride_exporting_dlls\r\n{\r\n\tmeta:\r\n\t\tdescription = \"CRASHOVERRIDE v1 Suspicious Export\"\r\n\t\tauthor = \"Dragos Inc\"\r\n\r\n\tcondition:\r\n\t\tpe.exports(\"Crash\") & pe.characteristics\r\n}\r\n\r\nrule dragos_crashoverride_suspcious\r\n{\r\nmeta:\r\n\tdescription = \"CRASHOVERRIDE v1 Wiper\"\r\n\tauthor = \"Dragos Inc\"\r\n\r\n\tstrings:\r\n\t\t$s0 = \"SYS_BASCON.COM\" fullword nocase 
wide\r\n\t\t$s1 = \".pcmp\" fullword nocase wide\r\n\t\t$s2 = \".pcmi\" fullword nocase wide\r\n\t\t$s3 = \".pcmt\" fullword nocase wide\r\n\t\t$s4 = \".cin\" fullword nocase wide\r\n\r\n\tcondition:\r\n\t\tpe.exports(\"Crash\") and any of ($s*)\r\n}\r\n\r\n\r\nrule dragos_crashoverride_name_search {\r\n\tmeta:\r\n\t\tdescription = \"CRASHOVERRIDE v1 Suspicious Strings and Export\"\r\n\t\tauthor = \"Dragos Inc\"\r\n\r\n\tstrings:\r\n\t\t$s0 = \"101.dll\" fullword nocase wide\r\n\t\t$s1 = \"Crash101.dll\" fullword nocase wide\r\n\t\t$s2 = \"104.dll\" fullword nocase wide\r\n\t\t$s3 = \"Crash104.dll\" fullword nocase wide\r\n\t\t$s4 = \"61850.dll\" fullword nocase wide\r\n\t\t$s5 = \"Crash61850.dll\" fullword nocase wide\r\n\t\t$s6 = \"OPCClientDemo.dll\" fullword nocase wide\r\n\t\t$s7 = \"OPC\" fullword nocase wide\r\n\t\t$s8 = \"CrashOPCClientDemo.dll\" fullword nocase wide\r\n\t\t$s9 = \"D2MultiCommService.exe\" fullword nocase wide\r\n\t\t$s10 = \"CrashD2MultiCommService.exe\" fullword nocase wide\r\n\t\t$s11 = \"61850.exe\" fullword nocase wide\r\n\t\t$s12 = \"OPC.exe\" fullword nocase wide\r\n\t\t$s13 = \"haslo.exe\" fullword nocase wide\r\n\t\t$s14 = \"haslo.dat\" fullword nocase wide\r\n\r\n\tcondition:\r\n\t\tany of ($s*) and pe.exports(\"Crash\")\r\n}\r\n\r\nrule dragos_crashoverride_hashes {\r\n\r\n meta:\r\n description = \"CRASHOVERRIDE Malware Hashes\"\r\n author = \"Dragos Inc\"\r\n\r\n condition:\r\n filesize < 1MB and\r\n hash.sha1(0, filesize) == \"f6c21f8189ced6ae150f9ef2e82a3a57843b587d\" or\r\n hash.sha1(0, filesize) == \"cccce62996d578b984984426a024d9b250237533\" or\r\n hash.sha1(0, filesize) == \"8e39eca1e48240c01ee570631ae8f0c9a9637187\" or\r\n hash.sha1(0, filesize) == \"2cb8230281b86fa944d3043ae906016c8b5984d9\" or\r\n hash.sha1(0, filesize) == \"79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a\" or\r\n hash.sha1(0, filesize) == \"94488f214b165512d2fc0438a581f5c9e3bd4d4c\" or\r\n hash.sha1(0, filesize) == 
\"5a5fafbc3fec8d36fd57b075ebf34119ba3bff04\" or\r\n hash.sha1(0, filesize) == \"b92149f046f00bb69de329b8457d32c24726ee00\" or\r\n hash.sha1(0, filesize) == \"b335163e6eb854df5e08e85026b2c3518891eda8\"\r\n}\r\n\r\nrule dragos_crashoverride_moduleStrings {\r\n\r\n\tmeta:\r\n\t\tdescription = \"IEC-104 Interaction Module Program Strings\"\r\n\t\tauthor = \"Dragos Inc\"\r\n\r\n\tstrings:\r\n\t\t$s1 = \"IEC-104 client: ip=%s; port=%s; ASDU=%u\" nocase wide ascii\r\n\t\t$s2 = \" MSTR ->> SLV\" nocase wide ascii\r\n\t\t$s3 = \" MSTR <<- SLV\" nocase wide ascii\r\n\t\t$s4 = \"Unknown APDU format !!!\" nocase wide ascii\r\n\t\t$s5 = \"iec104.log\" nocase wide ascii\r\n\r\n\tcondition:\r\n\t\tany of ($s*)\r\n}\r\n\r\nrule crashoverride_configReader\r\n{\r\n\tmeta:\r\n\t\tdescription = \"CRASHOVERRIDE v1 Config File Parsing\"\r\n\t\tauthor = \"Dragos Inc\"\r\n\t\r\n\tstrings:\r\n\t\t$s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 }\r\n\t\t$s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 }\r\n\t\t$s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? }\r\n\t\t$s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? }\r\n\t\t\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nrule crashoverride_weirdMutex\r\n{\r\n\tmeta:\r\n\t\tdescription = \"Blank mutex creation assoicated with CRASHOVERRIDE\"\r\n\t\tauthor = \"Dragos Inc\"\r\n\tstrings:\r\n\t\t$s1 = { 81 ec 08 02 00 00 57 33 ff 57 57 57 ff 15 ?? ?? 40 00 a3 ?? ?? ?? 00 85 c0 }\r\n\t\t$s2 = { 8d 85 ?? ?? ?? ff 50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00 68 ?? ?? 40 00}\r\n\t\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nrule crashoverride_serviceStomper\r\n{\r\n\tmeta:\r\n\t\tdescription = \"Identify service hollowing and persistence setting\"\r\n\t\tauthor = \"Dragos Inc\"\r\n\t\r\n\tstrings:\r\n\t\t$s0 = { 33 c9 51 51 51 51 51 51 ?? ?? ?? }\r\n\t\t$s1 = { 6a ff 6a ff 6a ff 50 ff 15 24 ?? 40 00 ff ?? ?? ff 15 20 ?? 
40 00 }\r\n\t\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nrule crashoverride_wiperModuleRegistry\r\n{\r\n\tmeta:\r\n\t\tdescription = \"Registry Wiper functionality assoicated with CRASHOVERRIDE\"\r\n\t\tauthor = \"Dragos Inc\"\r\n\t\r\n\tstrings:\r\n\t\t$s0 = { 8d 85 a0 ?? ?? ?? 46 50 8d 85 a0 ?? ?? ?? 68 68 0d ?? ?? 50 }\r\n\t\t$s1 = { 6a 02 68 78 0b ?? ?? 6a 02 50 68 b4 0d ?? ?? ff b5 98 ?? ?? ?? ff 15 04 ?? ?? ?? }\r\n\t\t$s2 = { 68 00 02 00 00 8d 85 a0 ?? ?? ?? 50 56 ff b5 9c ?? ?? ?? ff 15 00 ?? ?? ?? 85 c0 }\r\n\t\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nrule crashoverride_wiperFileManipulation\r\n{\r\n\tmeta:\r\n\t\tdescription = \"File manipulation actions associated with CRASHOVERRIDE wiper\"\r\n\t\tauthor = \"Dragos Inc\"\r\n\t\r\n\tstrings:\r\n\t\t$s0 = { 6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 8b f9 68 00 00 00 40 57 ff 15 1c ?? ?? ?? 8b d8 }\r\n\t\t$s2 = { 6a 00 50 57 56 53 ff 15 4c ?? ?? ?? 56 }\r\n\t\t\r\n\tcondition:\r\n\t\tall of them\r\n}]", "pattern_type": "yara", "valid_from": "2017-06-13T09:31:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--593fb09c-9074-41fa-9a45-42ac950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:14.000Z", "modified": "2017-06-13T09:31:14.000Z", "first_observed": "2017-06-13T09:31:14Z", "last_observed": "2017-06-13T09:31:14Z", "number_observed": 1, "object_refs": [ "url--593fb09c-9074-41fa-9a45-42ac950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--593fb09c-9074-41fa-9a45-42ac950d210f", "value": "https://raw.githubusercontent.com/dragosinc/CRASHOVERRIDE/master/CRASHOVERRIDE%20IOC%202016-06-12.csv" }, { "type": "indicator", "spec_version": 
"2.1", "id": "indicator--593fb08b-32c4-4ca6-a7cb-463c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:14.000Z", "modified": "2017-06-13T09:31:14.000Z", "description": "IEC-61850 enumeration and address manipulation,Stage 2: Attack,Loss of Control", "pattern": "[file:hashes.SHA1 = 'ecf6adf20a7137a84a1b319ccaa97cb0809a8454']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb08a-b44c-4388-9d65-43ad950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:14.000Z", "modified": "2017-06-13T09:31:14.000Z", "description": "OPC Data Access protocol enumeration of servers and addresses ,Stage 2: Attack,Loss of Control", "pattern": "[file:hashes.SHA1 = '7fac2eddf22ff692e1b4e7f99910e5dbb51295e6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb08a-ccf4-4a3f-b036-40ba950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:14.000Z", "modified": "2017-06-13T09:31:14.000Z", "description": "Custom-built port scanner. 
,Stage 2: Develop,Recon", "pattern": "[file:hashes.SHA1 = 'b335163e6eb854df5e08e85026b2c3518891eda8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb089-ae9c-45b6-8d6b-41f2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:14.000Z", "modified": "2017-06-13T09:31:14.000Z", "description": "\"Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot. \",Stage 2: Attack,Destruction", "pattern": "[file:hashes.SHA1 = 'b92149f046f00bb69de329b8457d32c24726ee00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb089-1e98-4309-9ebf-4a46950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:14.000Z", "modified": "2017-06-13T09:31:14.000Z", "description": "\"Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot. 
\",Stage 2: Attack,Destruction", "pattern": "[file:hashes.SHA1 = '5a5fafbc3fec8d36fd57b075ebf34119ba3bff04']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb089-c74c-43c3-8813-4d88950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:14.000Z", "modified": "2017-06-13T09:31:14.000Z", "description": "Module for 104 effect. Exports 'Crash' which is invoked by launcher. Functionality requires config file. ,Stage 2: Attack,Loss of Control", "pattern": "[file:hashes.SHA1 = '94488f214b165512d2fc0438a581f5c9e3bd4d4c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb088-4578-4c5f-9ec8-4952950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:14.000Z", "modified": "2017-06-13T09:31:14.000Z", "description": "\"Launcher for payload DLL. 
Takes input as three command line parameters \u2013 working directory, module, and config file.\",Stage 2: Attack,Loss of Control", "pattern": "[file:hashes.SHA1 = '79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--593fb087-03e8-4d74-a6f7-49b5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-15T14:13:00.000Z", "modified": "2017-06-15T14:13:00.000Z", "first_observed": "2017-06-15T14:13:00Z", "last_observed": "2017-06-15T14:13:00Z", "number_observed": 1, "object_refs": [ "network-traffic--593fb087-03e8-4d74-a6f7-49b5950d210f", "ipv4-addr--593fb087-03e8-4d74-a6f7-49b5950d210f" ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Payload delivery\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--593fb087-03e8-4d74-a6f7-49b5950d210f", "dst_ref": "ipv4-addr--593fb087-03e8-4d74-a6f7-49b5950d210f", "dst_port": 443, "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--593fb087-03e8-4d74-a6f7-49b5950d210f", "value": "195.16.88.6" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb087-0f4c-4a43-b6f1-4dbf950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-15T14:13:32.000Z", "modified": "2017-06-15T14:13:32.000Z", "description": "Backdoor/RAT Proxy + HTTP CONNECT to 195.16.88.6:443 ,Phase2: C2,Remote Access", "pattern": "[file:hashes.SHA1 = '2cb8230281b86fa944d3043ae906016c8b5984d9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-15T14:13:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", 
"phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--593fb086-8e30-4c1e-a3ce-4a23950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:14.000Z", "modified": "2017-06-13T09:31:14.000Z", "first_observed": "2017-06-13T09:31:14Z", "last_observed": "2017-06-13T09:31:14Z", "number_observed": 1, "object_refs": [ "network-traffic--593fb086-8e30-4c1e-a3ce-4a23950d210f", "ipv4-addr--593fb086-8e30-4c1e-a3ce-4a23950d210f" ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Payload delivery\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--593fb086-8e30-4c1e-a3ce-4a23950d210f", "dst_ref": "ipv4-addr--593fb086-8e30-4c1e-a3ce-4a23950d210f", "dst_port": 443, "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--593fb086-8e30-4c1e-a3ce-4a23950d210f", "value": "93.115.27.57" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb086-b88c-425e-946d-41c0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:14.000Z", "modified": "2017-06-13T09:31:14.000Z", "description": "Backdoor/RAT Proxy + HTTP CONNECT to 93.115.27.57:443. 
,Phase2: C2,Remote Access", "pattern": "[file:hashes.SHA1 = '8e39eca1e48240c01ee570631ae8f0c9a9637187']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb085-7334-4cde-b4ee-4bf3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:14.000Z", "modified": "2017-06-13T09:31:14.000Z", "description": "\"Traffic to 10.15.1.69:3128, HTTP CONNECT to 5.39.218.152:443. Backdoor/RAT.\",Phase2: C2,Remote Access", "pattern": "[file:hashes.SHA1 = 'cccce62996d578b984984426a024d9b250237533']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--593fb085-2d7c-4a1d-af7a-4b1f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:14.000Z", "modified": "2017-06-13T09:31:14.000Z", "first_observed": "2017-06-13T09:31:14Z", "last_observed": "2017-06-13T09:31:14Z", "number_observed": 1, "object_refs": [ "network-traffic--593fb085-2d7c-4a1d-af7a-4b1f950d210f", "ipv4-addr--593fb085-2d7c-4a1d-af7a-4b1f950d210f" ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Payload delivery\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--593fb085-2d7c-4a1d-af7a-4b1f950d210f", "dst_ref": "ipv4-addr--593fb085-2d7c-4a1d-af7a-4b1f950d210f", "dst_port": 443, "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": 
"ipv4-addr--593fb085-2d7c-4a1d-af7a-4b1f950d210f", "value": "5.39.218.152" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--593fb084-1164-4a83-b3a2-476d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:14.000Z", "modified": "2017-06-13T09:31:14.000Z", "first_observed": "2017-06-13T09:31:14Z", "last_observed": "2017-06-13T09:31:14Z", "number_observed": 1, "object_refs": [ "network-traffic--593fb084-1164-4a83-b3a2-476d950d210f", "ipv4-addr--593fb084-1164-4a83-b3a2-476d950d210f" ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Payload delivery\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--593fb084-1164-4a83-b3a2-476d950d210f", "dst_ref": "ipv4-addr--593fb084-1164-4a83-b3a2-476d950d210f", "dst_port": 3128, "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--593fb084-1164-4a83-b3a2-476d950d210f", "value": "10.15.1.69" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--593fb084-a26c-412b-8c5e-439b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:14.000Z", "modified": "2017-06-13T09:31:14.000Z", "description": "\"Traffic to 10.15.1.69:3128, HTTP CONNECT to 5.39.218.152:443. Backdoor/RAT. 
\",Phase2: C2,Remote Access", "pattern": "[file:hashes.SHA1 = 'f6c21f8189ced6ae150f9ef2e82a3a57843b587d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-13T09:31:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--593fb083-d114-411f-b654-4985950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:14.000Z", "modified": "2017-06-13T09:31:14.000Z", "first_observed": "2017-06-13T09:31:14Z", "last_observed": "2017-06-13T09:31:14Z", "number_observed": 1, "object_refs": [ "windows-registry-key--593fb083-d114-411f-b654-4985950d210f" ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Persistence mechanism\"" ] }, { "type": "windows-registry-key", "spec_version": "2.1", "id": "windows-registry-key--593fb083-d114-411f-b654-4985950d210f", "key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\\\ImagePath" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--593fb083-f0a4-494a-bfef-4461950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:14.000Z", "modified": "2017-06-13T09:31:14.000Z", "first_observed": "2017-06-13T09:31:14Z", "last_observed": "2017-06-13T09:31:14Z", "number_observed": 1, "object_refs": [ "network-traffic--593fb083-f0a4-494a-bfef-4461950d210f", "ipv4-addr--593fb083-f0a4-494a-bfef-4461950d210f" ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--593fb083-f0a4-494a-bfef-4461950d210f", "dst_ref": "ipv4-addr--593fb083-f0a4-494a-bfef-4461950d210f", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--593fb083-f0a4-494a-bfef-4461950d210f", "value": 
"5.39.218.152" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--593fb082-322c-4da0-9bbf-436d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:14.000Z", "modified": "2017-06-13T09:31:14.000Z", "first_observed": "2017-06-13T09:31:14Z", "last_observed": "2017-06-13T09:31:14Z", "number_observed": 1, "object_refs": [ "network-traffic--593fb082-322c-4da0-9bbf-436d950d210f", "ipv4-addr--593fb082-322c-4da0-9bbf-436d950d210f" ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--593fb082-322c-4da0-9bbf-436d950d210f", "dst_ref": "ipv4-addr--593fb082-322c-4da0-9bbf-436d950d210f", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--593fb082-322c-4da0-9bbf-436d950d210f", "value": "93.115.27.57" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--593fb082-e264-4a31-8662-47a6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-15T13:37:02.000Z", "modified": "2017-06-15T13:37:02.000Z", "first_observed": "2017-06-15T13:37:02Z", "last_observed": "2017-06-15T13:37:02Z", "number_observed": 1, "object_refs": [ "network-traffic--593fb082-e264-4a31-8662-47a6950d210f", "ipv4-addr--593fb082-e264-4a31-8662-47a6950d210f" ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--593fb082-e264-4a31-8662-47a6950d210f", "dst_ref": "ipv4-addr--593fb082-e264-4a31-8662-47a6950d210f", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--593fb082-e264-4a31-8662-47a6950d210f", "value": "195.16.88.6" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--593fb082-d0fc-4e80-ad70-4ab8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", 
"created": "2017-06-13T09:31:14.000Z", "modified": "2017-06-13T09:31:14.000Z", "first_observed": "2017-06-13T09:31:14Z", "last_observed": "2017-06-13T09:31:14Z", "number_observed": 1, "object_refs": [ "windows-registry-key--593fb082-d0fc-4e80-ad70-4ab8950d210f" ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Persistence mechanism\"" ] }, { "type": "windows-registry-key", "spec_version": "2.1", "id": "windows-registry-key--593fb082-d0fc-4e80-ad70-4ab8950d210f", "key": "User>\\imapi" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--593faec0-43fc-4d9b-a04d-43d3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:14.000Z", "modified": "2017-06-13T09:31:14.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"technical-report\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Executive Summary\r\nDragos, Inc. was notified by the Slovakian anti-virus firm ESET of an ICS-tailored\r\nmalware on June 8th, 2017. The Dragos team was able to use this notification to find\r\nsamples of the malware, identify new functionality and impact scenarios, and confirm\r\nthat this was the malware employed in the December 17th, 2016 cyber-attack\r\non the Kiev, Ukraine transmission substation, which resulted in electric grid operations\r\nimpact. This report serves as an industry report to inform the electric sector\r\nand security community of the potential implications of this malware and the appropriate details to have a nuanced discussion."
}, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--593fae91-fa4c-470f-9b47-4fc8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-13T09:31:14.000Z", "modified": "2017-06-13T09:31:14.000Z", "first_observed": "2017-06-13T09:31:14Z", "last_observed": "2017-06-13T09:31:14Z", "number_observed": 1, "object_refs": [ "url--593fae91-fa4c-470f-9b47-4fc8950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"technical-report\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--593fae91-fa4c-470f-9b47-4fc8950d210f", "value": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }