{ "type": "bundle", "id": "bundle--5bf290ce-2df0-4d91-9e62-4cb6950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-19T14:32:21.000Z", "modified": "2018-11-19T14:32:21.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "grouping", "spec_version": "2.1", "id": "grouping--5bf290ce-2df0-4d91-9e62-4cb6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-19T14:32:21.000Z", "modified": "2018-11-19T14:32:21.000Z", "name": "OSINT - OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government", "context": "suspicious-activity", "object_refs": [ "observed-data--5bf29192-07b0-4f32-bce6-4bca950d210f", "url--5bf29192-07b0-4f32-bce6-4bca950d210f", "indicator--5bf2b90a-aba0-4bb8-a5ca-4f70950d210f", "indicator--5bf29643-27dc-452c-91bc-4c4a950d210f", "indicator--5bf29a92-4e88-4432-a67c-4b84950d210f", "indicator--5bf29c1e-4304-40db-bb46-46d3950d210f", "indicator--5bf29d8f-e558-4af1-a0f3-4653950d210f", "indicator--5bf29da3-deec-4a6a-9967-408a950d210f", "indicator--1ad2e243-0418-419a-8300-12ac17adb5f0", "x-misp-object--48845792-c31e-45a2-ba4b-f60e29e7d371", "indicator--5ce1579d-18af-4c70-8a05-238a5a7e25bd", "x-misp-object--11df404f-cd09-4341-9779-b38b73e4d580", "indicator--6ce66cdf-6c35-4d67-9978-1876aa656790", "x-misp-object--e6c24ac2-3816-483f-8ca6-7cfdfb17f64f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Attachment - T1193\"", "malware_classification:malware-category=\"Trojan\"", "workflow:todo=\"add-missing-misp-galaxy-cluster-values\"", "misp-galaxy:threat-actor=\"OilRig\"", "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig\"", "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"", "misp-galaxy:mitre-intrusion-set=\"OilRig\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5bf29192-07b0-4f32-bce6-4bca950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-19T10:34:17.000Z", "modified": "2018-11-19T10:34:17.000Z", "first_observed": "2018-11-19T10:34:17Z", "last_observed": "2018-11-19T10:34:17Z", "number_observed": 1, "object_refs": [ "url--5bf29192-07b0-4f32-bce6-4bca950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5bf29192-07b0-4f32-bce6-4bca950d210f", "value": "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5bf2b90a-aba0-4bb8-a5ca-4f70950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-19T13:34:21.000Z", "modified": "2018-11-19T13:34:21.000Z", "description": "BONDUPDATER C2", "pattern": "[domain-name:value = 'withyourface.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-19T13:34:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5bf29643-27dc-452c-91bc-4c4a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-19T13:35:36.000Z", "modified": "2018-11-19T13:35:36.000Z", "description": "BONDUPDATER Dropper Docs\r\ncontains a macro that attempted to install a new version of the BONDUPDATER Trojan\r\n", "pattern": "[file:hashes.SHA256 = '7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00' AND file:name = 'N56.15.doc' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-19T13:35:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5bf29a92-4e88-4432-a67c-4b84950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-19T13:35:58.000Z", "modified": "2018-11-19T13:35:58.000Z", "description": "BONDUPDATER Dropper Docs", "pattern": "[file:hashes.SHA256 = 'c0018a2e36c7ef8aa15b81001a19c4127ad7cd21ae410c1f854e5dadfa98b322' AND file:name = 'AppPool.vbs' AND file:parent_directory_ref.path = '\\\\%ALLUSERSPROFILE\\\\%\\\\WindowsAppPool' AND file:x_misp_state = 'Malicious' AND file:x_misp_fullpath = '\\\\%ALLUSERSPROFILE\\\\%\\\\WindowsAppPool\\\\AppPool.vbs']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-19T13:35:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5bf29c1e-4304-40db-bb46-46d3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-19T13:36:28.000Z", "modified": "2018-11-19T13:36:28.000Z", "description": "BONDUPDATER Dropper Docs", "pattern": "[file:hashes.SHA256 = 'd5c1822a36f2e7107d0d4c005c26978d00bcb34a587bd9ccf11ae7761ec73fb7' AND file:name = 'AppPool.ps1' AND file:parent_directory_ref.path = '\\\\%ALLUSERSPROFILE\\\\%\\\\WindowsAppPool\\\\' AND file:x_misp_state = 'Malicious' AND file:x_misp_fullpath = '\\\\%ALLUSERSPROFILE\\\\%\\\\WindowsAppPool\\\\AppPool.ps1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-19T13:36:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5bf29d8f-e558-4af1-a0f3-4653950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-19T11:25:03.000Z", "modified": "2018-11-19T11:25:03.000Z", "pattern": "[file:name = '\\\\%ALLUSERSPROFILE\\\\%\\\\WindowsAppPool\\\\lock' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-19T11:25:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5bf29da3-deec-4a6a-9967-408a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-19T11:25:23.000Z", "modified": "2018-11-19T11:25:23.000Z", "pattern": "[file:name = '\\\\%ALLUSERSPROFILE\\\\%\\\\WindowsAppPool\\\\quid' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-19T11:25:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1ad2e243-0418-419a-8300-12ac17adb5f0", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-19T14:26:24.000Z", "modified": "2018-11-19T14:26:24.000Z", "pattern": "[file:hashes.MD5 = '52b6e1ef0d079f4c2572705156365c06' AND file:hashes.SHA1 = '5732b44851ec10f16c8e1201af3bec455f724961' AND file:hashes.SHA256 = '7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-19T14:26:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--48845792-c31e-45a2-ba4b-f60e29e7d371", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-19T14:26:26.000Z", "modified": "2018-11-19T14:26:26.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-10-29 01:55:45", "category": "Other", "uuid": "37fd897a-6742-48b4-bc55-8ec2ab7d4119" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00/analysis/1540778145/", "category": "External analysis", "uuid": "e88f35c0-a05d-44ef-80a8-99d2a29980b4" }, { "type": "text", "object_relation": "detection-ratio", "value": "39/58", "category": "Other", "uuid": "f2c56cfe-2278-4d43-acec-2b77dc5af11c" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ce1579d-18af-4c70-8a05-238a5a7e25bd", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-19T14:26:27.000Z", "modified": "2018-11-19T14:26:27.000Z", "pattern": "[file:hashes.MD5 = '88a3636fbae365ac19d7fb68c2cc2fef' AND file:hashes.SHA1 = '64e1751562347134e17a7e1985a8765085302f93' AND file:hashes.SHA256 = 'c0018a2e36c7ef8aa15b81001a19c4127ad7cd21ae410c1f854e5dadfa98b322']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-19T14:26:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--11df404f-cd09-4341-9779-b38b73e4d580", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-19T14:26:29.000Z", "modified": "2018-11-19T14:26:29.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-10-17 23:42:45", "category": "Other", "uuid": "d3581511-855c-43c3-858c-4d5f3f489e8b" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/c0018a2e36c7ef8aa15b81001a19c4127ad7cd21ae410c1f854e5dadfa98b322/analysis/1539819765/", "category": "External analysis", "uuid": "f7081c18-1de8-4365-bdf8-6dd8a3af9c51" }, { "type": "text", "object_relation": "detection-ratio", "value": "26/56", "category": "Other", "uuid": "afb88b5f-d777-4892-941d-9a853f4a2cc6" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6ce66cdf-6c35-4d67-9978-1876aa656790", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-19T14:26:30.000Z", "modified": "2018-11-19T14:26:30.000Z", "pattern": "[file:hashes.MD5 = '8c4fa86dcc2fd00933b70cbf239f0636' AND file:hashes.SHA1 = '204855fa620bf1f8b2a781e1e8ecfda4d411ca77' AND file:hashes.SHA256 = 'd5c1822a36f2e7107d0d4c005c26978d00bcb34a587bd9ccf11ae7761ec73fb7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-19T14:26:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--e6c24ac2-3816-483f-8ca6-7cfdfb17f64f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-19T14:26:31.000Z", "modified": "2018-11-19T14:26:31.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-10-16 23:36:19", "category": "Other", "uuid": "9b3fe04c-f077-40e2-ac6e-0318207570d7" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/d5c1822a36f2e7107d0d4c005c26978d00bcb34a587bd9ccf11ae7761ec73fb7/analysis/1539732979/", "category": "External analysis", "uuid": "31c239f5-61f1-44aa-b098-96391ce6eafa" }, { "type": "text", "object_relation": "detection-ratio", "value": "24/57", "category": "Other", "uuid": "8fab6ce4-d439-4d29-9307-def6e20c980e" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }