{ "type": "bundle", "id": "bundle--5cc023e7-9c7c-418e-b908-4d46950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T11:21:10.000Z", "modified": "2019-04-24T11:21:10.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5cc023e7-9c7c-418e-b908-4d46950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T11:21:10.000Z", "modified": "2019-04-24T11:21:10.000Z", "name": "OSINT - DNSpionage brings out the Karkoff", "published": "2019-04-24T11:21:35Z", "object_refs": [ "observed-data--5cc023f7-8650-4b3b-b631-4d52950d210f", "url--5cc023f7-8650-4b3b-b631-4d52950d210f", "x-misp-attribute--5cc0240c-fb80-4eb2-99bb-4040950d210f", "indicator--5cc0242b-2ba8-419f-8d14-42e7950d210f", "indicator--5cc0242b-e1cc-4aec-a163-471f950d210f", "indicator--5cc0242b-1ac0-448a-a3c9-45ff950d210f", "indicator--5cc0242b-d758-44d4-9614-4759950d210f", "indicator--5cc02456-7350-4263-bbc9-4205950d210f", "indicator--5cc02456-7a84-49a2-b073-4ea8950d210f", "indicator--5cc02456-b618-4f07-9281-4404950d210f", "observed-data--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9", "network-traffic--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9", "ipv4-addr--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9", "observed-data--5cc024b9-0c94-42a4-820b-1bc4e387cbd9", "network-traffic--5cc024b9-0c94-42a4-820b-1bc4e387cbd9", "ipv4-addr--5cc024b9-0c94-42a4-820b-1bc4e387cbd9", "indicator--5cc02a7b-08f8-493b-b253-247f950d210f", "indicator--5cc02ab1-70b0-446f-8b28-2497950d210f", "indicator--3148bbb8-f76e-4556-b973-3dea9cf89820", "x-misp-object--5f8b1fcb-d5e4-4e95-adc0-253f765c8f61", "indicator--6393b267-5ff7-4204-85cf-709530bc110d", "x-misp-object--5baaf36e-74f0-4e6b-b18a-377bc301867e", "indicator--52ca9602-5ef6-4de3-b528-058d33844ea3", "x-misp-object--993871f0-b786-4813-9811-7f60eb385014", "indicator--9daaf5c9-c7e0-444d-b551-ff231e16521a", "x-misp-object--fd6fe17b-18a9-4729-9276-796667da59b6", "indicator--1fc50c0d-6a22-4c8f-9823-229fb2334f2e", "x-misp-object--71ee7c63-f4fa-463e-8a7d-054b9920e0a3", "relationship--73fcb3f5-691c-442f-9e17-2fd5186da9fc", "relationship--c3cf3012-6920-4377-b07b-f2510c007685", "relationship--db38c2eb-ff4e-4656-a75f-4a2aa89ecc89", "relationship--814f00a8-3c59-4c67-8cda-93ead748e2d2", "relationship--fadc5312-552d-4498-93ae-c75ed8e35958" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:malpedia=\"DNSpionage\"", "misp-galaxy:threat-actor=\"DNSpionage\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "misp-galaxy:tool=\"Karkoff\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cc023f7-8650-4b3b-b631-4d52950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T08:53:11.000Z", "modified": "2019-04-24T08:53:11.000Z", "first_observed": "2019-04-24T08:53:11Z", "last_observed": "2019-04-24T08:53:11Z", "number_observed": 1, "object_refs": [ "url--5cc023f7-8650-4b3b-b631-4d52950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5cc023f7-8650-4b3b-b631-4d52950d210f", "value": "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5cc0240c-fb80-4eb2-99bb-4040950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T08:53:32.000Z", "modified": "2019-04-24T08:53:32.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "In November 2018, Cisco Talos discovered an attack campaign, called DNSpionage, in which threat actors created a new remote administrative tool that supports HTTP and DNS communication with the attackers' command and control(C2). Since then, there have been several other public reports of additional DNSpionage attacks, and in January, the U.S. Department of Homeland Security issued an alert warning users about this threat activity.\r\n\r\nIn addition to increased reports of threat activity, we have also discovered new evidence that the threat actors behind the DNSpionage campaign continue to change their tactics, likely in an attempt to improve the efficacy of their operations. In February, we discovered some changes to the actors' tactics, techniques and procedures (TTPs), including the use of a new reconnaissance phase that selectively chooses which targets to infect with malware. In April 2019, we also discovered the actors using a new malware, which we are calling \"Karkoff.\"\r\n\r\nThis post will cover the aforementioned DNSpionage updates, the discovery of the Karkoff malware and an analysis of the recent Oilrig malware toolset leak \u00e2\u20ac\u201d and how it could be connected to these two attacks." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cc0242b-2ba8-419f-8d14-42e7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T08:54:03.000Z", "modified": "2019-04-24T08:54:03.000Z", "description": "Karkoff sample", "pattern": "[file:hashes.SHA256 = '5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-24T08:54:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cc0242b-e1cc-4aec-a163-471f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T08:54:03.000Z", "modified": "2019-04-24T08:54:03.000Z", "description": "Karkoff sample", "pattern": "[file:hashes.SHA256 = '6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-24T08:54:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cc0242b-1ac0-448a-a3c9-45ff950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T08:54:03.000Z", "modified": "2019-04-24T08:54:03.000Z", "description": "Karkoff sample", "pattern": "[file:hashes.SHA256 = 'b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-24T08:54:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cc0242b-d758-44d4-9614-4759950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T08:54:03.000Z", "modified": "2019-04-24T08:54:03.000Z", "description": "Karkoff sample", "pattern": "[file:hashes.SHA256 = 'cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-24T08:54:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cc02456-7350-4263-bbc9-4205950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T08:54:46.000Z", "modified": "2019-04-24T08:54:46.000Z", "description": "C2 server", "pattern": "[domain-name:value = 'coldfart.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-24T08:54:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cc02456-7a84-49a2-b073-4ea8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T08:54:46.000Z", "modified": "2019-04-24T08:54:46.000Z", "description": "C2 server", "pattern": "[domain-name:value = 'rimrun.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-24T08:54:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cc02456-b618-4f07-9281-4404950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T08:54:46.000Z", "modified": "2019-04-24T08:54:46.000Z", "description": "C2 server", "pattern": "[domain-name:value = 'kuternull.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-24T08:54:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T08:56:10.000Z", "modified": "2019-04-24T08:56:10.000Z", "first_observed": "2019-04-24T08:56:10Z", "last_observed": "2019-04-24T08:56:10Z", "number_observed": 1, "object_refs": [ "network-traffic--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9", "ipv4-addr--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9" ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9", "src_ref": "ipv4-addr--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9", "value": "108.62.141.247" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cc024b9-0c94-42a4-820b-1bc4e387cbd9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T08:56:25.000Z", "modified": "2019-04-24T08:56:25.000Z", "first_observed": "2019-04-24T08:56:25Z", "last_observed": "2019-04-24T08:56:25Z", "number_observed": 1, "object_refs": [ "network-traffic--5cc024b9-0c94-42a4-820b-1bc4e387cbd9", "ipv4-addr--5cc024b9-0c94-42a4-820b-1bc4e387cbd9" ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5cc024b9-0c94-42a4-820b-1bc4e387cbd9", "src_ref": "ipv4-addr--5cc024b9-0c94-42a4-820b-1bc4e387cbd9", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5cc024b9-0c94-42a4-820b-1bc4e387cbd9", "value": "74.118.138.192" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cc02a7b-08f8-493b-b253-247f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T09:20:59.000Z", "modified": "2019-04-24T09:20:59.000Z", "description": "DNSpionage XLS document", "pattern": "[file:hashes.SHA256 = '2fa19292f353b4078a9bf398f8837d991e383c99e147727eaa6a03ce0259b3c5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-24T09:20:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cc02ab1-70b0-446f-8b28-2497950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T09:21:53.000Z", "modified": "2019-04-24T09:21:53.000Z", "description": "DNSpionage", "pattern": "[file:hashes.SHA256 = 'e398dac59f604d42362ffe8a2947d4351a652516ebfb25ddf0838dd2c8523be8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-24T09:21:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3148bbb8-f76e-4556-b973-3dea9cf89820", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T09:22:50.000Z", "modified": "2019-04-24T09:22:50.000Z", "pattern": "[file:hashes.MD5 = 'a583430c9c504fb216c9f976401ecd13' AND file:hashes.SHA1 = 'cd3b6c517227ad356264ff076cf0ea106b67fc13' AND file:hashes.SHA256 = 'cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-24T09:22:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5f8b1fcb-d5e4-4e95-adc0-253f765c8f61", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T09:22:51.000Z", "modified": "2019-04-24T09:22:51.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-04-24T08:58:49", "category": "Other", "comment": "Karkoff sample", "uuid": "cb98656d-453e-40aa-b337-e83a5c473a20" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5/analysis/1556096329/", "category": "Payload delivery", "comment": "Karkoff sample", "uuid": "28a8b196-6a06-44d6-962b-6efc4d4f3945" }, { "type": "text", "object_relation": "detection-ratio", "value": "38/71", "category": "Payload delivery", "comment": "Karkoff sample", "uuid": "b29d31d3-c624-4c4c-99cd-626101e0d47b" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6393b267-5ff7-4204-85cf-709530bc110d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T09:22:51.000Z", "modified": "2019-04-24T09:22:51.000Z", "pattern": "[file:hashes.MD5 = '530606b66bcd5a776f2cdecb34ee0fd1' AND file:hashes.SHA1 = '72ada4db1c70214e19eece2021669d95b94c0d4f' AND file:hashes.SHA256 = 'e398dac59f604d42362ffe8a2947d4351a652516ebfb25ddf0838dd2c8523be8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-24T09:22:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5baaf36e-74f0-4e6b-b18a-377bc301867e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T09:22:51.000Z", "modified": "2019-04-24T09:22:51.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-04-24T09:05:37", "category": "Other", "comment": "DNSpionage", "uuid": "6e2a7b92-867b-4c11-8b30-b925221ce51a" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/e398dac59f604d42362ffe8a2947d4351a652516ebfb25ddf0838dd2c8523be8/analysis/1556096737/", "category": "Payload delivery", "comment": "DNSpionage", "uuid": "9eda0fba-ebc8-494e-81a2-3c45135c591e" }, { "type": "text", "object_relation": "detection-ratio", "value": "48/69", "category": "Payload delivery", "comment": "DNSpionage", "uuid": "ee3f4732-30c5-49fc-9b1d-a6a732cb4f42" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--52ca9602-5ef6-4de3-b528-058d33844ea3", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T09:22:51.000Z", "modified": "2019-04-24T09:22:51.000Z", "pattern": "[file:hashes.MD5 = 'a37703a0d08996a5fc04db52b71b9bcd' AND file:hashes.SHA1 = '7c7e1179eb3cd9effa92f303dd5e45ba881db15d' AND file:hashes.SHA256 = '6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-24T09:22:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--993871f0-b786-4813-9811-7f60eb385014", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T09:22:51.000Z", "modified": "2019-04-24T09:22:51.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-04-24T07:39:13", "category": "Other", "comment": "Karkoff sample", "uuid": "a0e51f81-2cc5-438d-96d0-de19d5e93442" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11/analysis/1556091553/", "category": "Payload delivery", "comment": "Karkoff sample", "uuid": "ccb7b733-4e20-4840-9ee4-be4b8451f1e1" }, { "type": "text", "object_relation": "detection-ratio", "value": "39/66", "category": "Payload delivery", "comment": "Karkoff sample", "uuid": "c6600e9e-5bf0-402c-8666-df0823154fe9" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9daaf5c9-c7e0-444d-b551-ff231e16521a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T09:22:51.000Z", "modified": "2019-04-24T09:22:51.000Z", "pattern": "[file:hashes.MD5 = '5733afe71bd0a32328d6ed9978260fa4' AND file:hashes.SHA1 = '5dbaaf4b338471ad58065fcdf335673977b2b261' AND file:hashes.SHA256 = '5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-24T09:22:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--fd6fe17b-18a9-4729-9276-796667da59b6", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T09:22:51.000Z", "modified": "2019-04-24T09:22:51.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-04-24T07:39:16", "category": "Other", "comment": "Karkoff sample", "uuid": "287255d9-5d0f-49f7-afd9-256da7290db1" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c/analysis/1556091556/", "category": "Payload delivery", "comment": "Karkoff sample", "uuid": "d2ae94de-8869-48a0-bff0-acf3465c6a74" }, { "type": "text", "object_relation": "detection-ratio", "value": "42/71", "category": "Payload delivery", "comment": "Karkoff sample", "uuid": "7c4854e3-0c44-4143-b133-8273c30bf122" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1fc50c0d-6a22-4c8f-9823-229fb2334f2e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T09:22:51.000Z", "modified": "2019-04-24T09:22:51.000Z", "pattern": "[file:hashes.MD5 = '85a3a5f55fcbe63d2181cfa753f35fe1' AND file:hashes.SHA1 = 'd9844a1845446367822944464ba65965b1b70c4f' AND file:hashes.SHA256 = 'b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-24T09:22:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--71ee7c63-f4fa-463e-8a7d-054b9920e0a3", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-24T09:22:51.000Z", "modified": "2019-04-24T09:22:51.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-04-24T07:39:18", "category": "Other", "comment": "Karkoff sample", "uuid": "4ab8fa22-de5b-4d45-b328-a28f6ca4bc4f" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04/analysis/1556091558/", "category": "Payload delivery", "comment": "Karkoff sample", "uuid": "2490a445-4913-49ad-9366-9cecf26b7505" }, { "type": "text", "object_relation": "detection-ratio", "value": "41/65", "category": "Payload delivery", "comment": "Karkoff sample", "uuid": "3d31e031-8726-4941-a004-143375bd7aa0" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--73fcb3f5-691c-442f-9e17-2fd5186da9fc", "created": "2019-04-24T09:22:51.000Z", "modified": "2019-04-24T09:22:51.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--3148bbb8-f76e-4556-b973-3dea9cf89820", "target_ref": "x-misp-object--5f8b1fcb-d5e4-4e95-adc0-253f765c8f61" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c3cf3012-6920-4377-b07b-f2510c007685", "created": "2019-04-24T09:22:52.000Z", "modified": "2019-04-24T09:22:52.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--6393b267-5ff7-4204-85cf-709530bc110d", "target_ref": "x-misp-object--5baaf36e-74f0-4e6b-b18a-377bc301867e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--db38c2eb-ff4e-4656-a75f-4a2aa89ecc89", "created": "2019-04-24T09:22:52.000Z", "modified": "2019-04-24T09:22:52.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--52ca9602-5ef6-4de3-b528-058d33844ea3", "target_ref": "x-misp-object--993871f0-b786-4813-9811-7f60eb385014" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--814f00a8-3c59-4c67-8cda-93ead748e2d2", "created": "2019-04-24T09:22:52.000Z", "modified": "2019-04-24T09:22:52.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--9daaf5c9-c7e0-444d-b551-ff231e16521a", "target_ref": "x-misp-object--fd6fe17b-18a9-4729-9276-796667da59b6" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fadc5312-552d-4498-93ae-c75ed8e35958", "created": "2019-04-24T09:22:52.000Z", "modified": "2019-04-24T09:22:52.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--1fc50c0d-6a22-4c8f-9823-229fb2334f2e", "target_ref": "x-misp-object--71ee7c63-f4fa-463e-8a7d-054b9920e0a3" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }