{ "type": "bundle", "id": "bundle--5a7238f2-7ea4-499a-89f6-450b02de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-02T03:00:35.000Z", "modified": "2018-02-02T03:00:35.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5a7238f2-7ea4-499a-89f6-450b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-02T03:00:35.000Z", "modified": "2018-02-02T03:00:35.000Z", "name": "OSINT - Smominru Monero mining botnet making millions for operators", "published": "2018-02-16T08:54:29Z", "object_refs": [ "x-misp-attribute--5a723909-f0f0-4dfa-b8b7-44fe02de0b81", "observed-data--5a723916-3788-47c7-a70a-432502de0b81", "url--5a723916-3788-47c7-a70a-432502de0b81", "vulnerability--5a723935-bf74-4ea6-ba45-ee7702de0b81", "vulnerability--5a723955-5430-48e4-976e-465a02de0b81", "indicator--5a72399d-8ba0-4d8e-bd4a-4d4102de0b81", "indicator--5a72399d-0d98-4599-89c2-4c9e02de0b81", "indicator--5a72399e-cd14-491a-bb01-4cde02de0b81", "indicator--5a72399e-0cbc-46d1-8db9-4aad02de0b81", "indicator--5a72399f-5eec-49b8-9e5b-497102de0b81", "indicator--5a72399f-4114-48f0-bd34-4ce902de0b81", "indicator--5a7239a0-9fbc-4402-afa4-437302de0b81", "indicator--5a7239a0-9a04-48d4-854d-440602de0b81", "indicator--5a7239a0-1728-4a2c-b7a8-49ac02de0b81", "indicator--5a7239a1-3eb8-4e05-8a34-42f502de0b81", "indicator--5a7239a1-df5c-4a4f-9230-4cc102de0b81", "indicator--5a7239a2-b0c0-4de5-89c2-4aaa02de0b81", "indicator--5a7239a2-8e18-403a-b976-46cf02de0b81", "indicator--5a7239a2-72dc-4348-bb4f-499d02de0b81", "indicator--5a7239a3-1900-4d9f-91ae-482f02de0b81", "indicator--5a7239a3-66e4-4708-9a76-47a002de0b81", "indicator--5a7239a4-e710-43bf-98dd-490d02de0b81", "indicator--5a7239a4-4890-4892-a9db-40e102de0b81", "indicator--5a7239a5-9d44-4b30-a5a7-4baf02de0b81", "indicator--5a7239a5-224c-4629-bb56-4b8e02de0b81", "indicator--5a7239a5-8f14-4b49-85f3-4eb502de0b81", "indicator--5a7239a6-f020-4087-81a4-42fe02de0b81", "indicator--5a7239a6-861c-4d25-a9fd-4c0c02de0b81", "indicator--5a7239a7-2978-41cc-8885-428902de0b81", "indicator--5a7239a7-9454-42de-b5ae-481102de0b81", "indicator--5a723ae2-140c-452f-889f-4daa02de0b81", "indicator--5a723ae2-c428-440c-9be4-4bb102de0b81", "indicator--5a723ae3-8304-4789-91de-4b0b02de0b81", "indicator--5a723ae3-feb8-4011-993a-493e02de0b81", "indicator--5a723ae4-261c-4c19-b8cd-4cd602de0b81", "indicator--5a723ae4-1520-45c3-b378-412002de0b81", "indicator--5a723ae5-1970-44f3-bdbf-423e02de0b81", "indicator--5a723ae5-64bc-4529-86ee-420e02de0b81", "indicator--5a723b7b-b10c-4792-977a-411302de0b81", "indicator--5a723b7c-92ec-49fd-be05-47b102de0b81", "indicator--5a723b7c-f44c-442c-a15d-43f102de0b81", "indicator--5a723b7d-5ee4-4b59-aae7-409102de0b81", "indicator--5a723b7d-cf18-46da-b75d-42cb02de0b81", "indicator--5a723b7d-39fc-4346-b8dc-4d2202de0b81", "indicator--5a723b7e-8b04-4a40-862f-455402de0b81", "indicator--5a723b7e-eab4-493f-ba7b-4dbe02de0b81", "indicator--5a723b7f-97d8-449f-8ed6-489b02de0b81", "x-misp-object--5a7239fe-2ec0-4295-a0f1-ee7702de0b81", "x-misp-object--5a723a43-35dc-43c6-aebc-448102de0b81", "x-misp-object--5a723a78-fa6c-4f56-b48b-41ff02de0b81", "indicator--5a72dd50-62b4-49c8-ba81-b1ce950d210f", "indicator--5a72e14f-c2c4-4a5b-b3b9-5bec950d210f", "indicator--5a72e1ea-ce94-495a-ab42-7a86950d210f", "indicator--5a72e248-e0fc-4718-8b49-8f0b950d210f", "indicator--5a72e2d4-d378-4bfe-89bc-b1e2950d210f", "indicator--5a72e33c-e520-40ad-991f-b1fb950d210f", "indicator--5a72e4eb-bb78-4f19-ae51-b1db950d210f", "indicator--5a72e941-384c-4ed5-8bb4-4b0a950d210f", "indicator--5a72eb79-1514-4dc9-87d4-4763950d210f", "indicator--5a72ecdc-ad08-41d6-b1cc-8f0b950d210f", "indicator--5a72ed40-73e4-40d3-b0c0-b1fb950d210f", "indicator--5a72ed5c-1854-41db-ac03-5bf2950d210f", "indicator--5a72ed74-9234-4129-81bb-47f3950d210f", "indicator--5a72edaa-8670-4ea1-a903-4e28950d210f", "indicator--5a72ee09-c0b0-48d0-9a90-4d69950d210f", "indicator--5a72ee50-f530-4793-8783-6767950d210f", "indicator--5a72ee73-9cc0-4425-b60a-4260950d210f", "indicator--5a72ee8d-cc5c-48e6-b05a-5bee950d210f", "indicator--5a72eea1-0f08-4da7-a5a1-b1db950d210f", "indicator--1e2fd26e-d1ec-406d-bb1b-b4d72f61d52f", "x-misp-object--0b7e3026-09c1-4f49-af9a-07f5ceb0592b", "indicator--b538582a-ca89-45a4-895c-35d517c9b279", "x-misp-object--a804d5b1-7ca5-406d-9a56-e06577b0629d", "indicator--c7f56e48-5ca3-4ab4-8a44-d508a7c3f1b5", "x-misp-object--857bce07-e7e4-4cfb-a435-fbb587cf250a", "indicator--994aa712-e77a-411f-bec0-cf4b547a61a1", "x-misp-object--28763b93-461a-4389-8100-45731b4fcb27", "indicator--fae35839-05f9-4c5d-86f2-0694b89e6be3", "x-misp-object--38c84b61-e001-46f6-a99c-172c5e4e5d67", "indicator--959bcddc-d26f-44f7-9a79-07df0acb6a95", "x-misp-object--33bb45b6-d3bd-4cc1-bec6-84cb666c0c0d", "indicator--eb0f9ec8-b388-422a-99dc-5d7a32e340b3", "x-misp-object--c38c22d3-60e6-4336-94d4-f9772f9e56fe", "indicator--055ccd02-bd02-4e47-9fd1-1e668f23f024", "x-misp-object--1718834e-3131-4711-92e4-4fd9e25abcb7", "relationship--d8fe5254-34fb-4294-9447-44401cde4664", "relationship--a09763d1-fd98-4a8b-ae62-a1c27e4719b2", "relationship--11b37d88-b83b-4d52-be31-7f1223107d89", "relationship--a1cd31f6-c970-4da5-8616-2fe9d5e28a72", "relationship--3421f691-0ef7-4429-a6ed-b2c40c83d88e", "relationship--b94ca44a-2ea0-429b-a8bf-ff45ae762ece", "relationship--0e64fec5-4913-4132-909f-b8d1c3cfcb37", "relationship--13016046-0c18-4b34-ae2a-ccd1d2ae83d1" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5a723909-f0f0-4dfa-b8b7-44fe02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:01.000Z", "modified": "2018-02-01T12:41:01.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Even with recent volatility in the price of most cryptocurrencies, especially Bitcoin, interest among mainstream users and the media remains high. At the same time, Bitcoin alternatives like Monero and Ethereum continue their overall upward trend in value (Figure 1), putting them squarely in the crosshairs of threat actors looking for quick profits and anonymous transactions. Because obtaining these cryptocurrencies through legitimate mining mechanisms is quite resource-intensive, cybercriminals are stealing them, demanding ransomware payments in them, and harnessing other computers to mine them for free. Recently, Proofpoint researchers have been tracking the massive Smominru botnet, the combined computing power of which had earned millions of dollars for its operators." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a723916-3788-47c7-a70a-432502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:02.000Z", "modified": "2018-02-01T12:41:02.000Z", "first_observed": "2018-02-01T12:41:02Z", "last_observed": "2018-02-01T12:41:02Z", "number_observed": 1, "object_refs": [ "url--5a723916-3788-47c7-a70a-432502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a723916-3788-47c7-a70a-432502de0b81", "value": "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators" }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--5a723935-bf74-4ea6-ba45-ee7702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:02.000Z", "modified": "2018-02-01T12:41:02.000Z", "name": "CVE-2017-0144", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2017-0144" } ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--5a723955-5430-48e4-976e-465a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:03.000Z", "modified": "2018-02-01T12:41:03.000Z", "name": "CVE-2017-0176", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2017-0176" } ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72399d-8ba0-4d8e-bd4a-4d4102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:03.000Z", "modified": "2018-02-01T12:41:03.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '148.153.34.114']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72399d-0d98-4599-89c2-4c9e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:04.000Z", "modified": "2018-02-01T12:41:04.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.193.81.70']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72399e-cd14-491a-bb01-4cde02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:04.000Z", "modified": "2018-02-01T12:41:04.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.193.31.14']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72399e-0cbc-46d1-8db9-4aad02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:05.000Z", "modified": "2018-02-01T12:41:05.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.193.28.58']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72399f-5eec-49b8-9e5b-497102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:05.000Z", "modified": "2018-02-01T12:41:05.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '164.52.12.110']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72399f-4114-48f0-bd34-4ce902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:06.000Z", "modified": "2018-02-01T12:41:06.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '148.153.24.98']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a7239a0-9fbc-4402-afa4-437302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:06.000Z", "modified": "2018-02-01T12:41:06.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '164.52.13.58']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a7239a0-9a04-48d4-854d-440602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:06.000Z", "modified": "2018-02-01T12:41:06.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '148.153.38.78']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a7239a0-1728-4a2c-b7a8-49ac02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:07.000Z", "modified": "2018-02-01T12:41:07.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.193.22.58']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a7239a1-3eb8-4e05-8a34-42f502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:07.000Z", "modified": "2018-02-01T12:41:07.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.241.229.122']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a7239a1-df5c-4a4f-9230-4cc102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:08.000Z", "modified": "2018-02-01T12:41:08.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '148.153.39.186']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a7239a2-b0c0-4de5-89c2-4aaa02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:08.000Z", "modified": "2018-02-01T12:41:08.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '148.153.14.246']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a7239a2-8e18-403a-b976-46cf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:09.000Z", "modified": "2018-02-01T12:41:09.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.193.31.110']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a7239a2-72dc-4348-bb4f-499d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:09.000Z", "modified": "2018-02-01T12:41:09.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.193.27.198']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a7239a3-1900-4d9f-91ae-482f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:10.000Z", "modified": "2018-02-01T12:41:10.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '164.52.25.106']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a7239a3-66e4-4708-9a76-47a002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:10.000Z", "modified": "2018-02-01T12:41:10.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '164.52.1.46']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a7239a4-e710-43bf-98dd-490d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:11.000Z", "modified": "2018-02-01T12:41:11.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '148.153.36.34']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a7239a4-4890-4892-a9db-40e102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:11.000Z", "modified": "2018-02-01T12:41:11.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.193.21.186']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a7239a5-9d44-4b30-a5a7-4baf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:12.000Z", "modified": "2018-02-01T12:41:12.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '164.52.12.162']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a7239a5-224c-4629-bb56-4b8e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:12.000Z", "modified": "2018-02-01T12:41:12.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '148.153.24.106']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a7239a5-8f14-4b49-85f3-4eb502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:13.000Z", "modified": "2018-02-01T12:41:13.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '148.153.44.46']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a7239a6-f020-4087-81a4-42fe02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:13.000Z", "modified": "2018-02-01T12:41:13.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '164.52.11.222']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a7239a6-861c-4d25-a9fd-4c0c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:14.000Z", "modified": "2018-02-01T12:41:14.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.193.29.6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a7239a7-2978-41cc-8885-428902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:14.000Z", "modified": "2018-02-01T12:41:14.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '148.153.8.86']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a7239a7-9454-42de-b5ae-481102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:14.000Z", "modified": "2018-02-01T12:41:14.000Z", "description": "Attacking IP (via EB)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '164.52.1.14']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a723ae2-140c-452f-889f-4daa02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-31T21:53:38.000Z", "modified": "2018-01-31T21:53:38.000Z", "description": "ups.rar", "pattern": "[file:hashes.SHA256 = 'da3b2e4da23aae505bf991cb68833d01d0c5b75645d246dfa9b6e403be1798c8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-31T21:53:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a723ae2-c428-440c-9be4-4bb102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-31T21:53:38.000Z", "modified": "2018-01-31T21:53:38.000Z", "description": "EternalBlue dropped", "pattern": "[file:hashes.SHA256 = '8ceb370e5f32dd732809c827f8eda38cc9b746d40adea3dca33b8c27ee38eb6f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-31T21:53:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a723ae3-8304-4789-91de-4b0b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-31T21:53:39.000Z", "modified": "2018-01-31T21:53:39.000Z", "description": "EternalBlue dropped", "pattern": "[file:hashes.SHA256 = '5e15c97546a19759a8397e51e98a2d8168e6e27aff4dc518220459ed3184e4e2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-31T21:53:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a723ae3-feb8-4011-993a-493e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-31T21:53:39.000Z", "modified": "2018-01-31T21:53:39.000Z", "description": "64.rar", "pattern": "[file:hashes.SHA256 = '2e3f534bd6b7d1cf18dc727820124faed92fb28f1d4626c9658587b9b3c09509']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-31T21:53:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a723ae4-261c-4c19-b8cd-4cd602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-31T21:53:40.000Z", "modified": "2018-01-31T21:53:40.000Z", "description": "0107.rar (Smominru - Coin Miner)", "pattern": "[file:hashes.SHA256 = 'b7f8b5cb8fc7bd5c14105fde118f5ac7a808e590e52f16c70128b4bd28aa4b5a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-31T21:53:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a723ae4-1520-45c3-b378-412002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-31T21:53:40.000Z", "modified": "2018-01-31T21:53:40.000Z", "description": "0121.rar (Smominru Coin Miner)", "pattern": "[file:hashes.SHA256 = '32e0712ff24e5f9ab8ee682a53514c501486f0836ef24125503335d86bd10a4e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-31T21:53:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a723ae5-1970-44f3-bdbf-423e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-31T21:53:41.000Z", "modified": "2018-01-31T21:53:41.000Z", "description": "0126.rar (Smominru Coin Miner)", "pattern": "[file:hashes.SHA256 = '3b1824b41f3853376e21153d9125781dbb57b820d8a9a6cc037f82ea87f50973']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-31T21:53:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a723ae5-64bc-4529-86ee-420e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-31T21:53:41.000Z", "modified": "2018-01-31T21:53:41.000Z", "description": "0114.rar (Smominru - Coin Miner)", "pattern": "[file:hashes.SHA256 = 'f1c36aebdcd92a04fd689d31944e5388e7e9b9421063ec4c98804ac7a04e6b0d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-31T21:53:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a723b7b-b10c-4792-977a-411302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-31T21:56:11.000Z", "modified": "2018-01-31T21:56:11.000Z", "description": "Smominru C&C (Binary Server)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '209.58.186.145']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-31T21:56:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a723b7c-92ec-49fd-be05-47b102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-31T21:56:12.000Z", "modified": "2018-01-31T21:56:12.000Z", "description": "Smominru C&C", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.95.29.8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-31T21:56:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a723b7c-f44c-442c-a15d-43f102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-31T21:56:12.000Z", "modified": "2018-01-31T21:56:12.000Z", "description": "Smominru C&C (WMI call)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.58.140.194']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-31T21:56:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a723b7d-5ee4-4b59-aae7-409102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-31T21:56:12.000Z", "modified": "2018-01-31T21:56:12.000Z", "description": "Smominru C&C (binary server)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '170.178.171.162']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-31T21:56:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a723b7d-cf18-46da-b75d-42cb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-31T21:56:13.000Z", "modified": "2018-01-31T21:56:13.000Z", "description": "Smominru C&C (WMI call) Sinkholed domain", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.95.30.26']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-31T21:56:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a723b7d-39fc-4346-b8dc-4d2202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-31T21:56:13.000Z", "modified": "2018-01-31T21:56:13.000Z", "description": "Smominru binary server", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '68.64.166.82']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-31T21:56:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a723b7e-8b04-4a40-862f-455402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-31T21:56:14.000Z", "modified": "2018-01-31T21:56:14.000Z", "description": "Smominru binary server", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.255.79.151']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-31T21:56:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a723b7e-eab4-493f-ba7b-4dbe02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:15.000Z", "modified": "2018-02-01T12:41:15.000Z", "description": "Smominru C&C", "pattern": "[file:name = 'down.my0709.xyz']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a723b7f-97d8-449f-8ed6-489b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-31T21:56:15.000Z", "modified": "2018-01-31T21:56:15.000Z", "description": "Smominru C&C", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '198.148.80.194']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-31T21:56:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5a7239fe-2ec0-4295-a0f1-ee7702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-31T21:49:50.000Z", "modified": "2018-01-31T21:49:50.000Z", "labels": [ "misp:name=\"coin-address\"", "misp:meta-category=\"financial\"" ], "x_misp_attributes": [ { "type": "btc", "object_relation": "address", "value": "43Lm9q14s7GhMLpUsiXY3MH6G67Sn81B5DqmN46u8WnBXNvJmC6FwH3ZMwAmkEB1nHSrujgthFPQeQCFPCwwE7m7TpspYBd", "category": "Financial fraud", "to_ids": true, "uuid": "5a7239ff-8b94-41dd-91e0-ee7702de0b81" }, { "type": "text", "object_relation": "symbol", "value": "XMR", "category": "Other", "uuid": "5a7239ff-9bcc-43f2-8e1f-ee7702de0b81" }, { "type": "text", "object_relation": "text", "value": "used after 2018-01-14", "category": "Other", "uuid": "5a723a00-2378-4cb9-8c44-ee7702de0b81" } ], "x_misp_meta_category": "financial", "x_misp_name": "coin-address" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5a723a43-35dc-43c6-aebc-448102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-31T21:50:59.000Z", "modified": "2018-01-31T21:50:59.000Z", "labels": [ "misp:name=\"coin-address\"", "misp:meta-category=\"financial\"" ], "x_misp_attributes": [ { "type": "btc", "object_relation": "address", "value": "47Tscy1QuJn1fxHiBRjWFtgHmvqkW71YZCQL33LeunfH4rsGEHx5UGTPdfXNJtMMATMz8bmaykGVuDFGWP3KyufBSdzxBb2", "category": "Financial fraud", "to_ids": true, "uuid": "5a723a44-1f80-459f-ab1f-4f7b02de0b81" }, { "type": "text", "object_relation": "symbol", "value": "XMR", "category": "Other", "uuid": "5a723a44-3498-4397-9114-49b602de0b81" }, { "type": "text", "object_relation": "text", "value": "used from before 2017/05 till 2017/09\r\n\r\n \r\n\r\nMined 2000 Monero", "category": "Other", "uuid": "5a723a45-3cb4-4b1b-80a1-4d6102de0b81" } ], "x_misp_meta_category": "financial", "x_misp_name": "coin-address" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5a723a78-fa6c-4f56-b48b-41ff02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-31T21:51:52.000Z", "modified": "2018-01-31T21:51:52.000Z", "labels": [ "misp:name=\"coin-address\"", "misp:meta-category=\"financial\"" ], "x_misp_attributes": [ { "type": "btc", "object_relation": "address", "value": "45bbP2muiJHD8Fd5tZyPAfC2RsajyEcsRVVMZ7Tm5qJjdTMprexz6yQ5DVQ1BbmjkMYm9nMid2QSbiGLvvfau7At5V18FzQ", "category": "Financial fraud", "to_ids": true, "uuid": "5a723a78-bfe8-4820-84b5-4a5602de0b81" }, { "type": "text", "object_relation": "symbol", "value": "XMR", "category": "Other", "uuid": "5a723a78-7cb8-482c-baf0-447e02de0b81" }, { "type": "text", "object_relation": "text", "value": "from 2017/09 till 2018-01-13\r\n\r\nMined around 6800 Monero", "category": "Other", "uuid": "5a723a79-95e4-426e-9a91-4ee402de0b81" } ], "x_misp_meta_category": "financial", "x_misp_name": "coin-address" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72dd50-62b4-49c8-ba81-b1ce950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T09:44:03.000Z", "modified": "2018-02-01T09:44:03.000Z", "description": "Smominru C&C", "pattern": "[domain-name:value = 'down.down0116.info' AND domain-name:resolves_to_refs[*].value = '198.148.80.194']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T09:44:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72e14f-c2c4-4a5b-b3b9-5bec950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T09:43:43.000Z", "modified": "2018-02-01T09:43:43.000Z", "description": "Smominru C&C (Binary Server)", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '209.58.186.145') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'down.oo000oo.club') AND network-traffic:dst_port = '8888']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T09:43:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72e1ea-ce94-495a-ab42-7a86950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T09:46:18.000Z", "modified": "2018-02-01T09:46:18.000Z", "description": "Smominru C&C", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.95.29.8') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'www.cyg2016.xyz') AND network-traffic:dst_port = '8888']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T09:46:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72e248-e0fc-4718-8b49-8f0b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T09:47:52.000Z", "modified": "2018-02-01T09:47:52.000Z", "description": "Smominru C&C (Binary Server)", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.95.29.8') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'down.mys2016.info') AND network-traffic:dst_port = '8888']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T09:47:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72e2d4-d378-4bfe-89bc-b1e2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T09:50:12.000Z", "modified": "2018-02-01T09:50:12.000Z", "description": "Smominru C&C (WMI call)", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.58.140.194') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'wmi.mykings.top.info') AND network-traffic:dst_port = '8888']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T09:50:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72e33c-e520-40ad-991f-b1fb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T09:51:56.000Z", "modified": "2018-02-01T09:51:56.000Z", "description": "Smominru C&C (WMI call)", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.58.140.194') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'wmi.oo000oo.club') AND network-traffic:dst_port = '8888']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T09:51:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72e4eb-bb78-4f19-ae51-b1db950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T09:59:07.000Z", "modified": "2018-02-01T09:59:07.000Z", "description": "Smominru C&C", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.58.140.194') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'xmr.5b6b7b.ru') AND network-traffic:dst_port = '8888']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T09:59:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72e941-384c-4ed5-8bb4-4b0a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T10:17:37.000Z", "modified": "2018-02-01T10:17:37.000Z", "description": "Smominru C&C (binary server)", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '170.178.171.162') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = '64.myxmr.pw') AND network-traffic:dst_port = '8888']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T10:17:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72eb79-1514-4dc9-87d4-4763950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T10:27:05.000Z", "modified": "2018-02-01T10:27:05.000Z", "description": "Smominru C&C (WMI call) - Sinkholed domain", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.95.30.26') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'wmi.my0709.xyz') AND network-traffic:dst_port = '8888']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T10:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72ecdc-ad08-41d6-b1cc-8f0b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T10:33:00.000Z", "modified": "2018-02-01T10:33:00.000Z", "description": "Smominru binary server", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '68.64.166.82') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'ftp.ruisgood.ru') AND network-traffic:dst_port = '21']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T10:33:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72ed40-73e4-40d3-b0c0-b1fb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T10:34:40.000Z", "modified": "2018-02-01T10:34:40.000Z", "description": "Smominru binary server", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '68.64.166.82') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'ftp.oo000oo.me') AND network-traffic:dst_port = '21']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T10:34:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72ed5c-1854-41db-ac03-5bf2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T10:35:08.000Z", "modified": "2018-02-01T10:35:08.000Z", "description": "Smominru binary server", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '68.64.166.82') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'ftp.ftp0118.info') AND network-traffic:dst_port = '21']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T10:35:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72ed74-9234-4129-81bb-47f3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T10:35:32.000Z", "modified": "2018-02-01T10:35:32.000Z", "description": "Smominru binary server", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.255.79.151') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'js.mys2016.info') AND network-traffic:dst_port = '280']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T10:35:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72edaa-8670-4ea1-a903-4e28950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T10:36:26.000Z", "modified": "2018-02-01T10:36:26.000Z", "description": "Smominru C&C (Binary Server)", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '170.178.171.162') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = '64.mymyxmra.ru') AND network-traffic:dst_port = '8888']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T10:36:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72ee09-c0b0-48d0-9a90-4d69950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T10:38:01.000Z", "modified": "2018-02-01T10:38:01.000Z", "description": "Smominru C&C", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.58.140.194') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'xmr.xmr5b.ru') AND network-traffic:dst_port = '8888']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T10:38:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72ee50-f530-4793-8783-6767950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T10:39:12.000Z", "modified": "2018-02-01T10:39:12.000Z", "description": "Smominru C&C", "pattern": "[(network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'js.my0115.ru') AND network-traffic:dst_port = '8888']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T10:39:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72ee73-9cc0-4425-b60a-4260950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T10:39:47.000Z", "modified": "2018-02-01T10:39:47.000Z", "description": "Smominru C&C (WMI call)", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.95.30.26') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'wmi.my0115.ru') AND network-traffic:dst_port = '8888']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T10:39:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72ee8d-cc5c-48e6-b05a-5bee950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T10:40:13.000Z", "modified": "2018-02-01T10:40:13.000Z", "description": "Smominru C&C (Binary Server)", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.95.30.26') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'down.my0115.ru') AND network-traffic:dst_port = '8888']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T10:40:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a72eea1-0f08-4da7-a5a1-b1db950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T10:40:33.000Z", "modified": "2018-02-01T10:40:33.000Z", "description": "Smominru C&C", "pattern": "[domain-name:value = 'down.my0709.xyz' AND domain-name:resolves_to_refs[*].value = '103.95.30.26']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T10:40:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1e2fd26e-d1ec-406d-bb1b-b4d72f61d52f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:19.000Z", "modified": "2018-02-01T12:41:19.000Z", "pattern": "[file:hashes.MD5 = '1487e2b148f7a4869c212f78cb28d682' AND file:hashes.SHA1 = 'a56c110dcf859d83aa1fa5ad455e94539dfa8d12' AND file:hashes.SHA256 = '8ceb370e5f32dd732809c827f8eda38cc9b746d40adea3dca33b8c27ee38eb6f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--0b7e3026-09c1-4f49-af9a-07f5ceb0592b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:17.000Z", "modified": "2018-02-01T12:41:17.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/8ceb370e5f32dd732809c827f8eda38cc9b746d40adea3dca33b8c27ee38eb6f/analysis/1517456055/", "category": "External analysis", "comment": "EternalBlue dropped", "uuid": "5a730aed-3e50-42bb-927c-450902de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "45/65", "category": "Other", "comment": "EternalBlue dropped", "uuid": "5a730aee-fe60-4ff3-a8a3-428102de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-02-01T03:34:15", "category": "Other", "comment": "EternalBlue dropped", "uuid": "5a730aee-cf3c-4a4b-b699-434c02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b538582a-ca89-45a4-895c-35d517c9b279", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:22.000Z", "modified": "2018-02-01T12:41:22.000Z", "pattern": "[file:hashes.MD5 = 'ff604679b2e12040dea81f6ecffd5ea2' AND file:hashes.SHA1 = 'd789b6b33d739810cab2e3f5a55933dd16721823' AND file:hashes.SHA256 = 'b7f8b5cb8fc7bd5c14105fde118f5ac7a808e590e52f16c70128b4bd28aa4b5a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--a804d5b1-7ca5-406d-9a56-e06577b0629d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:20.000Z", "modified": "2018-02-01T12:41:20.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/b7f8b5cb8fc7bd5c14105fde118f5ac7a808e590e52f16c70128b4bd28aa4b5a/analysis/1517457171/", "category": "External analysis", "comment": "0107.rar (Smominru - Coin Miner)", "uuid": "5a730af0-28d8-461f-8bc1-48eb02de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "49/66", "category": "Other", "comment": "0107.rar (Smominru - Coin Miner)", "uuid": "5a730af1-ebd8-4440-a145-46e502de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-02-01T03:52:51", "category": "Other", "comment": "0107.rar (Smominru - Coin Miner)", "uuid": "5a730af1-2a48-4e30-b9dc-468602de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c7f56e48-5ca3-4ab4-8a44-d508a7c3f1b5", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:25.000Z", "modified": "2018-02-01T12:41:25.000Z", "pattern": "[file:hashes.MD5 = '0224b573793d1780e3fec22739526c8f' AND file:hashes.SHA1 = '6ca9bc55382736c6fb173afb789318ee7067f206' AND file:hashes.SHA256 = '3b1824b41f3853376e21153d9125781dbb57b820d8a9a6cc037f82ea87f50973']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--857bce07-e7e4-4cfb-a435-fbb587cf250a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:23.000Z", "modified": "2018-02-01T12:41:23.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/3b1824b41f3853376e21153d9125781dbb57b820d8a9a6cc037f82ea87f50973/analysis/1517153840/", "category": "External analysis", "comment": "0126.rar (Smominru Coin Miner)", "uuid": "5a730af3-4578-439d-b113-485d02de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "28/66", "category": "Other", "comment": "0126.rar (Smominru Coin Miner)", "uuid": "5a730af4-2254-4135-a0e4-4ed602de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-01-28T15:37:20", "category": "Other", "comment": "0126.rar (Smominru Coin Miner)", "uuid": "5a730af4-9a70-46ec-b537-492902de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--994aa712-e77a-411f-bec0-cf4b547a61a1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:28.000Z", "modified": "2018-02-01T12:41:28.000Z", "pattern": "[file:hashes.MD5 = '6ca24e8ae6988ee1187be72c777e7397' AND file:hashes.SHA1 = '53accdd58a67fe7bc7fbcaefa1e2b65c13aba9ff' AND file:hashes.SHA256 = '2e3f534bd6b7d1cf18dc727820124faed92fb28f1d4626c9658587b9b3c09509']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--28763b93-461a-4389-8100-45731b4fcb27", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:27.000Z", "modified": "2018-02-01T12:41:27.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/2e3f534bd6b7d1cf18dc727820124faed92fb28f1d4626c9658587b9b3c09509/analysis/1517457638/", "category": "External analysis", "comment": "64.rar", "uuid": "5a730af7-d48c-4b0b-be0c-452702de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "42/64", "category": "Other", "comment": "64.rar", "uuid": "5a730af7-12c8-4405-af2c-47c102de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-02-01T04:00:38", "category": "Other", "comment": "64.rar", "uuid": "5a730af8-d5c4-4360-b181-4c4002de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fae35839-05f9-4c5d-86f2-0694b89e6be3", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:31.000Z", "modified": "2018-02-01T12:41:31.000Z", "pattern": "[file:hashes.MD5 = 'ebdc2be63b2fcb8fe22845c75850c9e6' AND file:hashes.SHA1 = 'c788a27c9f18f1e732e34e60a73b83ccdcfd9a29' AND file:hashes.SHA256 = '32e0712ff24e5f9ab8ee682a53514c501486f0836ef24125503335d86bd10a4e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--38c84b61-e001-46f6-a99c-172c5e4e5d67", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:30.000Z", "modified": "2018-02-01T12:41:30.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/32e0712ff24e5f9ab8ee682a53514c501486f0836ef24125503335d86bd10a4e/analysis/1517399898/", "category": "External analysis", "comment": "0121.rar (Smominru Coin Miner)", "uuid": "5a730afa-b5b4-4ef0-9030-4a5302de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "43/66", "category": "Other", "comment": "0121.rar (Smominru Coin Miner)", "uuid": "5a730afa-eb88-472e-9db8-491e02de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-01-31T11:58:18", "category": "Other", "comment": "0121.rar (Smominru Coin Miner)", "uuid": "5a730afb-ff20-49ea-8d61-439d02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--959bcddc-d26f-44f7-9a79-07df0acb6a95", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:34.000Z", "modified": "2018-02-01T12:41:34.000Z", "pattern": "[file:hashes.MD5 = 'f63e34b172bc6c88c002a2d25c738ea9' AND file:hashes.SHA1 = '368ef0af957492ad0b55ce1351da1b44f67dbcb8' AND file:hashes.SHA256 = '5e15c97546a19759a8397e51e98a2d8168e6e27aff4dc518220459ed3184e4e2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--33bb45b6-d3bd-4cc1-bec6-84cb666c0c0d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:33.000Z", "modified": "2018-02-01T12:41:33.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/5e15c97546a19759a8397e51e98a2d8168e6e27aff4dc518220459ed3184e4e2/analysis/1517462947/", "category": "External analysis", "comment": "EternalBlue dropped", "uuid": "5a730afd-5ae4-4e1d-976f-4e1e02de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "37/63", "category": "Other", "comment": "EternalBlue dropped", "uuid": "5a730afd-1514-4e7f-8862-49ae02de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-02-01T05:29:07", "category": "Other", "comment": "EternalBlue dropped", "uuid": "5a730afe-2ad4-4d85-af66-4a4702de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--eb0f9ec8-b388-422a-99dc-5d7a32e340b3", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:37.000Z", "modified": "2018-02-01T12:41:37.000Z", "pattern": "[file:hashes.MD5 = '822b8150022ba179560ac42384ff997e' AND file:hashes.SHA1 = 'b8a53e651be77914428f6a3cefc797041ff3df51' AND file:hashes.SHA256 = 'f1c36aebdcd92a04fd689d31944e5388e7e9b9421063ec4c98804ac7a04e6b0d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--c38c22d3-60e6-4336-94d4-f9772f9e56fe", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:36.000Z", "modified": "2018-02-01T12:41:36.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/f1c36aebdcd92a04fd689d31944e5388e7e9b9421063ec4c98804ac7a04e6b0d/analysis/1517332171/", "category": "External analysis", "comment": "0114.rar (Smominru - Coin Miner)", "uuid": "5a730b00-d828-4158-99c6-4f4702de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "49/65", "category": "Other", "comment": "0114.rar (Smominru - Coin Miner)", "uuid": "5a730b00-cfac-4258-a9b1-4f4202de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-01-30T17:09:31", "category": "Other", "comment": "0114.rar (Smominru - Coin Miner)", "uuid": "5a730b01-39ac-4f84-93b3-498602de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--055ccd02-bd02-4e47-9fd1-1e668f23f024", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:40.000Z", "modified": "2018-02-01T12:41:40.000Z", "pattern": "[file:hashes.MD5 = '6b13994f83dad0d45764911a88564a7b' AND file:hashes.SHA1 = '0b5616228f6556b320ac0d2f586504538abb638e' AND file:hashes.SHA256 = 'da3b2e4da23aae505bf991cb68833d01d0c5b75645d246dfa9b6e403be1798c8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-01T12:41:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--1718834e-3131-4711-92e4-4fd9e25abcb7", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-01T12:41:39.000Z", "modified": "2018-02-01T12:41:39.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/da3b2e4da23aae505bf991cb68833d01d0c5b75645d246dfa9b6e403be1798c8/analysis/1517457719/", "category": "External analysis", "comment": "ups.rar", "uuid": "5a730b03-589c-47de-a519-4d8702de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "49/64", "category": "Other", "comment": "ups.rar", "uuid": "5a730b03-0afc-42a7-a1b0-48e002de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-02-01T04:01:59", "category": "Other", "comment": "ups.rar", "uuid": "5a730b04-ae70-4fab-b15f-48c602de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d8fe5254-34fb-4294-9447-44401cde4664", "created": "2018-02-16T08:54:28.000Z", "modified": "2018-02-16T08:54:28.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--1e2fd26e-d1ec-406d-bb1b-b4d72f61d52f", "target_ref": "x-misp-object--0b7e3026-09c1-4f49-af9a-07f5ceb0592b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a09763d1-fd98-4a8b-ae62-a1c27e4719b2", "created": "2018-02-16T08:54:28.000Z", "modified": "2018-02-16T08:54:28.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--b538582a-ca89-45a4-895c-35d517c9b279", "target_ref": "x-misp-object--a804d5b1-7ca5-406d-9a56-e06577b0629d" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--11b37d88-b83b-4d52-be31-7f1223107d89", "created": "2018-02-16T08:54:28.000Z", "modified": "2018-02-16T08:54:28.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--c7f56e48-5ca3-4ab4-8a44-d508a7c3f1b5", "target_ref": "x-misp-object--857bce07-e7e4-4cfb-a435-fbb587cf250a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a1cd31f6-c970-4da5-8616-2fe9d5e28a72", "created": "2018-02-16T08:54:28.000Z", "modified": "2018-02-16T08:54:28.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--994aa712-e77a-411f-bec0-cf4b547a61a1", "target_ref": "x-misp-object--28763b93-461a-4389-8100-45731b4fcb27" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3421f691-0ef7-4429-a6ed-b2c40c83d88e", "created": "2018-02-16T08:54:28.000Z", "modified": "2018-02-16T08:54:28.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--fae35839-05f9-4c5d-86f2-0694b89e6be3", "target_ref": "x-misp-object--38c84b61-e001-46f6-a99c-172c5e4e5d67" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b94ca44a-2ea0-429b-a8bf-ff45ae762ece", "created": "2018-02-16T08:54:28.000Z", "modified": "2018-02-16T08:54:28.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--959bcddc-d26f-44f7-9a79-07df0acb6a95", "target_ref": "x-misp-object--33bb45b6-d3bd-4cc1-bec6-84cb666c0c0d" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0e64fec5-4913-4132-909f-b8d1c3cfcb37", "created": "2018-02-16T08:54:28.000Z", "modified": "2018-02-16T08:54:28.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--eb0f9ec8-b388-422a-99dc-5d7a32e340b3", "target_ref": "x-misp-object--c38c22d3-60e6-4336-94d4-f9772f9e56fe" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--13016046-0c18-4b34-ae2a-ccd1d2ae83d1", "created": "2018-02-16T08:54:29.000Z", "modified": "2018-02-16T08:54:29.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--055ccd02-bd02-4e47-9fd1-1e668f23f024", "target_ref": "x-misp-object--1718834e-3131-4711-92e4-4fd9e25abcb7" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }