{ "type": "bundle", "id": "bundle--5b597959-6310-43e8-80b2-4d30950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T13:13:44.000Z", "modified": "2018-07-26T13:13:44.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5b597959-6310-43e8-80b2-4d30950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T13:13:44.000Z", "modified": "2018-07-26T13:13:44.000Z", "name": "OSINT - Kronos Reborn", "published": "2018-07-26T13:14:29Z", "object_refs": [ "x-misp-attribute--5b597e9e-b88c-4bc1-8f11-af6a950d210f", "observed-data--5b597ee4-7370-4258-88b5-b098950d210f", "url--5b597ee4-7370-4258-88b5-b098950d210f", "indicator--5b59c078-03e4-4a71-a48f-4503950d210f", "indicator--5b59c078-3b9c-4f25-9aeb-4691950d210f", "indicator--5b59c079-0180-477e-b041-457e950d210f", "indicator--5b59c079-cd18-4e05-a267-451f950d210f", "indicator--5b59c07a-1d28-454c-94ba-4f0f950d210f", "indicator--5b59c07a-8cd8-4b86-ad8e-4635950d210f", "indicator--5b59c07b-bb84-4c15-baa0-4135950d210f", "indicator--5b59c07b-09f8-4fdd-b9f2-41f3950d210f", "indicator--5b59c07c-c7fc-4ea5-9afe-4bd6950d210f", "indicator--5b59c07c-1cc4-453a-8c26-495a950d210f", "indicator--5b59c07d-f114-401d-af89-4f4e950d210f", "indicator--5b59c07d-22e0-48c4-8b04-4ec0950d210f", "indicator--5b59c07e-f9f4-4770-b1cc-428e950d210f", "indicator--5b59c07e-d050-4843-9c9a-4cba950d210f", "indicator--5b59c07f-d42c-469e-846a-4fa3950d210f", "indicator--5b59c07f-732c-4cb6-adb4-4d48950d210f", "indicator--5b59bea3-9a30-4e9f-b748-4239950d210f", "indicator--5b59beb5-0e9c-4f68-85f4-4a77950d210f", "indicator--5b59bef2-cdf8-40b2-8000-4298950d210f", "indicator--5b59bf0c-5950-4f90-9596-43da950d210f", "indicator--5b59bf19-3770-40b1-aa0e-4824950d210f", "indicator--5b59bf31-2514-482c-9f84-4a20950d210f", "indicator--5b59bf47-4fc4-44cc-b7bc-4967950d210f", "indicator--5b59c3d7-c760-41e4-9afd-40b7950d210f", "indicator--5b59c3e9-d500-4e86-9f7f-45f3950d210f", "indicator--716245aa-e298-4be6-a638-f2073e0af588", "x-misp-object--e3d7369a-27c2-41f0-96fc-d35aaa499890", "indicator--a2a94c03-111d-4ec9-a615-dfff35bc1a0d", "x-misp-object--823ec556-3163-4a3f-b1c2-a15ba60baee8", "indicator--fb02d0e7-a2f6-4398-8968-619c6a329054", "x-misp-object--5b3ad0ca-d0ae-4326-9bc1-889ddbafc549", "indicator--e935fea1-ffe1-40eb-ba18-16cc432874f8", "x-misp-object--df90c284-e467-445b-a51e-7837ec98db7a", "indicator--2238785f-23bd-467b-b588-484fba9e78f9", "x-misp-object--812d0386-43e0-4813-ac94-b8248cb565d5", "indicator--dccb7ee7-e104-44bf-8971-0e90e34d244d", "x-misp-object--8b19e923-dfa2-4dab-80ee-5a291ebe7b30", "indicator--02c92c9e-6ed0-4a26-8913-4cb0b61c6eb1", "x-misp-object--8c660602-2e65-4d92-82c1-9a70525e6c19", "relationship--b33ecb3f-bbf0-49e6-aeec-b81f8b077416", "relationship--d8a829fc-bcaa-45b9-931b-d0240c94b0bd", "relationship--adb11a99-2be5-4c6f-be7f-b5f3de4fbb04", "relationship--4de8f944-756b-42d9-a068-24a6a77f8d42", "relationship--3259f2dc-ecc9-48b2-8807-c826a95e14d9", "relationship--bff6d7c2-5b67-446f-ab7d-b6bddc2ebdab", "relationship--03d85238-2808-445e-9764-287523bec7ed" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "osint:source-type=\"blog-post\"", "misp-galaxy:tool=\"Smoke Loader\"", "misp-galaxy:mitre-enterprise-attack-malware=\"Smoke Loader - S0226\"", "misp-galaxy:banker=\"Kronos\"", "ms-caro-malware-full:malware-family=\"Banker\"", "malware_classification:malware-category=\"Trojan\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5b597e9e-b88c-4bc1-8f11-af6a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:20:53.000Z", "modified": "2018-07-26T12:20:53.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "The Kronos banking Trojan was first discovered in 2014 and was a steady fixture in the threat landscape for a few years before largely disappearing. Now a new variant has appeared, with at least three distinct campaigns targeting Germany, Japan, and Poland respectively, to date.\r\n\r\nIn April 2018, the first samples of a new variant of the banking Trojan appeared in the wild. The most notable new feature is that the command and control (C&C) mechanism has been refactored to use the Tor anonymizing network. There is some speculation and circumstantial evidence suggesting that this new version of Kronos has been rebranded \u00e2\u20ac\u0153Osiris\u00e2\u20ac\u009d and is being sold on underground markets. In this blog, we present information on the German, Japanese, and Polish campaigns as well as a fourth campaign that looks to be a work in progress and still being tested." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5b597ee4-7370-4258-88b5-b098950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:20:46.000Z", "modified": "2018-07-26T12:20:46.000Z", "first_observed": "2018-07-26T12:20:46Z", "last_observed": "2018-07-26T12:20:46Z", "number_observed": 1, "object_refs": [ "url--5b597ee4-7370-4258-88b5-b098950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5b597ee4-7370-4258-88b5-b098950d210f", "value": "https://www.proofpoint.com/us/threat-insight/post/kronos-reborn" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59c078-03e4-4a71-a48f-4503950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:37:12.000Z", "modified": "2018-07-26T12:37:12.000Z", "description": "Mahnung_9415171.doc payload used in German campaign", "pattern": "[url:value = 'https://dkb-agbs.com/25062018.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:37:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59c078-3b9c-4f25-9aeb-4691950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:37:12.000Z", "modified": "2018-07-26T12:37:12.000Z", "pattern": "[file:name = 'Mahnung_9415171.doc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:37:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59c079-0180-477e-b041-457e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:37:13.000Z", "modified": "2018-07-26T12:37:13.000Z", "description": "Kronos C&C used in German campaign", "pattern": "[url:value = 'http://jhrppbnh4d674kzh.onion/kpanel/connect.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:37:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59c079-cd18-4e05-a267-451f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:37:13.000Z", "modified": "2018-07-26T12:37:13.000Z", "description": "Webinject C&C used in the German campaign", "pattern": "[url:value = 'https://startupbulawayo.website/d03ohi2e3232/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:37:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59c07a-1d28-454c-94ba-4f0f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:37:14.000Z", "modified": "2018-07-26T12:37:14.000Z", "description": "Contains malicious redirect to RIG EK used in the Japan campaign", "pattern": "[url:value = 'http://envirodry.ca']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:37:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59c07a-8cd8-4b86-ad8e-4635950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:37:14.000Z", "modified": "2018-07-26T12:37:14.000Z", "description": "RIG EK used in the Japan campaign", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.23.54.158']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:37:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59c07b-bb84-4c15-baa0-4135950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:37:15.000Z", "modified": "2018-07-26T12:37:15.000Z", "description": "SmokeLoader C&C used in the Japan campaign", "pattern": "[url:value = 'http://lionoi.adygeya.su']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:37:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59c07b-09f8-4fdd-b9f2-41f3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:37:15.000Z", "modified": "2018-07-26T12:37:15.000Z", "description": "SmokeLoader C&C used in the Japan campaign", "pattern": "[url:value = 'http://milliaoin.info']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:37:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59c07c-c7fc-4ea5-9afe-4bd6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:37:16.000Z", "modified": "2018-07-26T12:37:16.000Z", "description": "New version of Kronos download link used in the Japan campaign", "pattern": "[url:value = 'http://fritsy83.website/Osiris.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:37:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59c07c-1cc4-453a-8c26-495a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:37:16.000Z", "modified": "2018-07-26T12:37:16.000Z", "description": "New version of Kronos download link used in the Japan campaign", "pattern": "[url:value = 'http://oo00mika84.website/Osiris_jmjp_auto2_noinj.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:37:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59c07d-f114-401d-af89-4f4e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:37:17.000Z", "modified": "2018-07-26T12:37:17.000Z", "description": "Kronos C&C used in the Japan campaign", "pattern": "[url:value = 'http://jmjp2l7yqgaj5xvv.onion/kpanel/connect.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:37:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59c07d-22e0-48c4-8b04-4ec0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:37:17.000Z", "modified": "2018-07-26T12:37:17.000Z", "description": "Webinject C&C used in the Japan campaign", "pattern": "[url:value = 'https://kioxixu.abkhazia.su/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:37:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59c07e-f9f4-4770-b1cc-428e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:37:18.000Z", "modified": "2018-07-26T12:37:18.000Z", "description": "New version of Kronos download link used in the Poland campaign", "pattern": "[url:value = 'http://mysit.space/123//v/0jLHzUW']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:37:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59c07e-d050-4843-9c9a-4cba950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:37:18.000Z", "modified": "2018-07-26T12:37:18.000Z", "description": "Kronos C&C used in the Poland campaign", "pattern": "[url:value = 'http://suzfjfguuis326qw.onion/kpanel/connect.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:37:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59c07f-d42c-469e-846a-4fa3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:37:19.000Z", "modified": "2018-07-26T12:37:19.000Z", "description": "New version of Kronos download link used in \u00e2\u20ac\u0153Work in progress\u00e2\u20ac\u009d campaign", "pattern": "[url:value = 'http://gameboosts.net/app/Player_v1.02.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:37:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59c07f-732c-4cb6-adb4-4d48950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:37:19.000Z", "modified": "2018-07-26T12:37:19.000Z", "description": "Kronos C&C used in \u00e2\u20ac\u0153Work in progress\u00e2\u20ac\u009d campaign", "pattern": "[url:value = 'http://mysmo35wlwhrkeez.onion/kpanel/connect.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:37:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59bea3-9a30-4e9f-b748-4239950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:29:23.000Z", "modified": "2018-07-26T12:29:23.000Z", "description": "used in German campaign", "pattern": "[file:hashes.SHA256 = 'bb308bf53944e0c7c74695095169363d1323fe9ce6c6117feda2ee429ebf530d' AND file:name = 'Mahnung_9415171.doc' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:29:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59beb5-0e9c-4f68-85f4-4a77950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:29:41.000Z", "modified": "2018-07-26T12:29:41.000Z", "description": "New version of Kronos used in German campaign", "pattern": "[file:hashes.SHA256 = '4af17e81e9badf3d03572e808e0a881f6c61969157052903cd68962b9e084177' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:29:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59bef2-cdf8-40b2-8000-4298950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:30:42.000Z", "modified": "2018-07-26T12:30:42.000Z", "description": "SmokeLoader used in the Japan campaign", "pattern": "[file:hashes.SHA256 = '3cc154a1ea3070d008c9210d31364246889a61b77ed92b733c5bf7f81e774c40' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:30:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59bf0c-5950-4f90-9596-43da950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:31:08.000Z", "modified": "2018-07-26T12:31:08.000Z", "description": "\u00e2\u20ac\u0153Faktura 2018.07.16.doc\u00e2\u20ac\u009d used in the Poland campaign", "pattern": "[file:hashes.SHA256 = '045acd6de0321223ff1f1c579c03ea47a6abd32b11d01874d1723b48525c9108' AND file:name = 'Faktura 2018.07.16.doc' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:31:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59bf19-3770-40b1-aa0e-4824950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:31:21.000Z", "modified": "2018-07-26T12:31:21.000Z", "description": "New version of Kronos used in the Japan campaign", "pattern": "[file:hashes.SHA256 = '3eb389ea6d4882b0d4a613dba89a04f4c454448ff7a60a282986bdded6750741' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:31:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59bf31-2514-482c-9f84-4a20950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:31:45.000Z", "modified": "2018-07-26T12:31:45.000Z", "description": "New version of Kronos used in the Poland campaign", "pattern": "[file:hashes.SHA256 = 'e7d3181ef643d77bb33fe328d1ea58f512b4f27c8e6ed71935a2e7548f2facc0' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:31:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59bf47-4fc4-44cc-b7bc-4967950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:32:07.000Z", "modified": "2018-07-26T12:32:07.000Z", "description": "New version of Kronos used in \u00e2\u20ac\u0153Work in progress\u00e2\u20ac\u009d campaign", "pattern": "[file:hashes.SHA256 = '93590cb4e88a5f779c5b062c9ade75f9a5239cd11b3deafb749346620c5e1218' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:32:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59c3d7-c760-41e4-9afd-40b7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:51:35.000Z", "modified": "2018-07-26T12:51:35.000Z", "pattern": "[file:name = 'agb_9415166.doc' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:51:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b59c3e9-d500-4e86-9f7f-45f3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T12:51:53.000Z", "modified": "2018-07-26T12:51:53.000Z", "pattern": "[file:name = 'Mahnung_9415167.doc' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T12:51:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--716245aa-e298-4be6-a638-f2073e0af588", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T13:13:19.000Z", "modified": "2018-07-26T13:13:19.000Z", "pattern": "[file:hashes.MD5 = '0248465d9edd866d7d8929af1f9685b4' AND file:hashes.SHA1 = '00135cbca3057dced3f9b6305a5645b92ba4cc0f' AND file:hashes.SHA256 = '3cc154a1ea3070d008c9210d31364246889a61b77ed92b733c5bf7f81e774c40']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T13:13:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--e3d7369a-27c2-41f0-96fc-d35aaa499890", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T13:13:18.000Z", "modified": "2018-07-26T13:13:18.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-26T00:33:17", "category": "Other", "uuid": "51255631-b21f-4261-ada2-7ca685b3ed85" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/3cc154a1ea3070d008c9210d31364246889a61b77ed92b733c5bf7f81e774c40/analysis/1532565197/", "category": "External analysis", "uuid": "680b979e-19fc-4a05-b706-c9031fc50a65" }, { "type": "text", "object_relation": "detection-ratio", "value": "51/67", "category": "Other", "uuid": "ade9ad59-02f1-438b-87c2-7d19be304bb6" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a2a94c03-111d-4ec9-a615-dfff35bc1a0d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T13:13:22.000Z", "modified": "2018-07-26T13:13:22.000Z", "pattern": "[file:hashes.MD5 = 'a301ee7f1cdb9b1f71deda6c29bb0a32' AND file:hashes.SHA1 = '8d6bc587e3abfcfd6b4a771c85a8af90f528d2c7' AND file:hashes.SHA256 = '3eb389ea6d4882b0d4a613dba89a04f4c454448ff7a60a282986bdded6750741']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T13:13:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--823ec556-3163-4a3f-b1c2-a15ba60baee8", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T13:13:20.000Z", "modified": "2018-07-26T13:13:20.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-26T00:37:33", "category": "Other", "uuid": "f224913c-b4e7-49e3-9834-f4faac6a3c75" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/3eb389ea6d4882b0d4a613dba89a04f4c454448ff7a60a282986bdded6750741/analysis/1532565453/", "category": "External analysis", "uuid": "4fa5dab3-b72e-4426-bea1-fb759d9aa71f" }, { "type": "text", "object_relation": "detection-ratio", "value": "48/67", "category": "Other", "uuid": "b5e75892-ebc1-4a65-aa68-601fc9df3dcc" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fb02d0e7-a2f6-4398-8968-619c6a329054", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T13:13:24.000Z", "modified": "2018-07-26T13:13:24.000Z", "pattern": "[file:hashes.MD5 = 'b2ddd1a228db47234dad1fb164573d82' AND file:hashes.SHA1 = '7fd8631ab719eca44457630014674a95bc431b91' AND file:hashes.SHA256 = 'bb308bf53944e0c7c74695095169363d1323fe9ce6c6117feda2ee429ebf530d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T13:13:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5b3ad0ca-d0ae-4326-9bc1-889ddbafc549", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T13:13:22.000Z", "modified": "2018-07-26T13:13:22.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-26T01:29:15", "category": "Other", "uuid": "dff34f97-1b1d-491b-865e-64884359e723" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/bb308bf53944e0c7c74695095169363d1323fe9ce6c6117feda2ee429ebf530d/analysis/1532568555/", "category": "External analysis", "uuid": "3d44fe98-1dac-4ea3-b4d9-cd70307f0786" }, { "type": "text", "object_relation": "detection-ratio", "value": "35/60", "category": "Other", "uuid": "202c5da7-96a7-42b0-a002-f403095b9dcb" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e935fea1-ffe1-40eb-ba18-16cc432874f8", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T13:13:26.000Z", "modified": "2018-07-26T13:13:26.000Z", "pattern": "[file:hashes.MD5 = 'd475c84d99c2bf461c294d75769b7707' AND file:hashes.SHA1 = 'aecaf84953641d835e7c754f559fc555169d8aec' AND file:hashes.SHA256 = '045acd6de0321223ff1f1c579c03ea47a6abd32b11d01874d1723b48525c9108']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T13:13:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--df90c284-e467-445b-a51e-7837ec98db7a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T13:13:25.000Z", "modified": "2018-07-26T13:13:25.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-26T00:38:31", "category": "Other", "uuid": "5678e189-dcf2-4434-8f88-9313120fd768" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/045acd6de0321223ff1f1c579c03ea47a6abd32b11d01874d1723b48525c9108/analysis/1532565511/", "category": "External analysis", "uuid": "b3f70f28-c3cd-41ef-88f6-36ce3cebe80c" }, { "type": "text", "object_relation": "detection-ratio", "value": "35/60", "category": "Other", "uuid": "77caf24b-6b28-4ed6-8d35-e773b7793f1d" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2238785f-23bd-467b-b588-484fba9e78f9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T13:13:29.000Z", "modified": "2018-07-26T13:13:29.000Z", "pattern": "[file:hashes.MD5 = '5e6764534b3a1e4d3abacc4810b6985d' AND file:hashes.SHA1 = 'f10ad287f126f577f197070453812a7e88c2cc52' AND file:hashes.SHA256 = 'e7d3181ef643d77bb33fe328d1ea58f512b4f27c8e6ed71935a2e7548f2facc0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T13:13:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--812d0386-43e0-4813-ac94-b8248cb565d5", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T13:13:27.000Z", "modified": "2018-07-26T13:13:27.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-26T09:13:49", "category": "Other", "uuid": "b1d7c0e1-f10b-43cb-ace4-1ce0276e6da5" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/e7d3181ef643d77bb33fe328d1ea58f512b4f27c8e6ed71935a2e7548f2facc0/analysis/1532596429/", "category": "External analysis", "uuid": "63646768-523d-40d4-8ce0-4c25dd4bd7b6" }, { "type": "text", "object_relation": "detection-ratio", "value": "46/66", "category": "Other", "uuid": "69d98df9-22d5-4184-bec4-65ab26cb4def" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--dccb7ee7-e104-44bf-8971-0e90e34d244d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T13:13:31.000Z", "modified": "2018-07-26T13:13:31.000Z", "pattern": "[file:hashes.MD5 = '820d3fb49af10fa714c4bdd5745d865b' AND file:hashes.SHA1 = '49b42b7ed9c3db0b1a4d45e37e4a6bc2b8079ff6' AND file:hashes.SHA256 = '93590cb4e88a5f779c5b062c9ade75f9a5239cd11b3deafb749346620c5e1218']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T13:13:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--8b19e923-dfa2-4dab-80ee-5a291ebe7b30", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T13:13:30.000Z", "modified": "2018-07-26T13:13:30.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-26T10:11:06", "category": "Other", "uuid": "5fa195bf-7dd4-44d9-afe7-37503dd49378" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/93590cb4e88a5f779c5b062c9ade75f9a5239cd11b3deafb749346620c5e1218/analysis/1532599866/", "category": "External analysis", "uuid": "2f69c414-6dbe-4eed-90b1-2737b06676eb" }, { "type": "text", "object_relation": "detection-ratio", "value": "29/67", "category": "Other", "uuid": "702d3ac7-5146-4cc5-a11a-a4341696d973" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--02c92c9e-6ed0-4a26-8913-4cb0b61c6eb1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T13:13:34.000Z", "modified": "2018-07-26T13:13:34.000Z", "pattern": "[file:hashes.MD5 = '17903c3d83125a5fc3e3f77d8a775bfe' AND file:hashes.SHA1 = '91da487143d931e00e935245e698ea2a582871e4' AND file:hashes.SHA256 = '4af17e81e9badf3d03572e808e0a881f6c61969157052903cd68962b9e084177']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-26T13:13:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--8c660602-2e65-4d92-82c1-9a70525e6c19", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T13:13:32.000Z", "modified": "2018-07-26T13:13:32.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-26T07:37:11", "category": "Other", "uuid": "34bd7968-4830-4d15-8875-ddd51c4c740f" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/4af17e81e9badf3d03572e808e0a881f6c61969157052903cd68962b9e084177/analysis/1532590631/", "category": "External analysis", "uuid": "fcaa4c90-8b64-40b0-89ec-57b498f2aa8b" }, { "type": "text", "object_relation": "detection-ratio", "value": "41/66", "category": "Other", "uuid": "f3ebb8a4-7d00-49ad-ae82-0d93cb2fd3e9" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b33ecb3f-bbf0-49e6-aeec-b81f8b077416", "created": "2018-07-26T13:13:33.000Z", "modified": "2018-07-26T13:13:33.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--716245aa-e298-4be6-a638-f2073e0af588", "target_ref": "x-misp-object--e3d7369a-27c2-41f0-96fc-d35aaa499890" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d8a829fc-bcaa-45b9-931b-d0240c94b0bd", "created": "2018-07-26T13:13:33.000Z", "modified": "2018-07-26T13:13:33.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--a2a94c03-111d-4ec9-a615-dfff35bc1a0d", "target_ref": "x-misp-object--823ec556-3163-4a3f-b1c2-a15ba60baee8" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--adb11a99-2be5-4c6f-be7f-b5f3de4fbb04", "created": "2018-07-26T13:13:33.000Z", "modified": "2018-07-26T13:13:33.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--fb02d0e7-a2f6-4398-8968-619c6a329054", "target_ref": "x-misp-object--5b3ad0ca-d0ae-4326-9bc1-889ddbafc549" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4de8f944-756b-42d9-a068-24a6a77f8d42", "created": "2018-07-26T13:13:33.000Z", "modified": "2018-07-26T13:13:33.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--e935fea1-ffe1-40eb-ba18-16cc432874f8", "target_ref": "x-misp-object--df90c284-e467-445b-a51e-7837ec98db7a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3259f2dc-ecc9-48b2-8807-c826a95e14d9", "created": "2018-07-26T13:13:33.000Z", "modified": "2018-07-26T13:13:33.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--2238785f-23bd-467b-b588-484fba9e78f9", "target_ref": "x-misp-object--812d0386-43e0-4813-ac94-b8248cb565d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bff6d7c2-5b67-446f-ab7d-b6bddc2ebdab", "created": "2018-07-26T13:13:33.000Z", "modified": "2018-07-26T13:13:33.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--dccb7ee7-e104-44bf-8971-0e90e34d244d", "target_ref": "x-misp-object--8b19e923-dfa2-4dab-80ee-5a291ebe7b30" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--03d85238-2808-445e-9764-287523bec7ed", "created": "2018-07-26T13:13:33.000Z", "modified": "2018-07-26T13:13:33.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--02c92c9e-6ed0-4a26-8913-4cb0b61c6eb1", "target_ref": "x-misp-object--8c660602-2e65-4d92-82c1-9a70525e6c19" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }