{ "type": "bundle", "id": "bundle--5df8df26-fe0e-4858-94a7-6cf71d9519c9", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-19T15:47:38.000Z", "modified": "2021-11-19T15:47:38.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5df8df26-fe0e-4858-94a7-6cf71d9519c9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-19T15:47:38.000Z", "modified": "2021-11-19T15:47:38.000Z", "name": "UEFI threats moving to the ESP: Introducing ESPecter bootkit", "published": "2021-11-19T15:49:17Z", "object_refs": [ "x-misp-attribute--2a49a854-10b5-4365-91e9-3f4a585eaf42", "x-misp-attribute--e4f416a2-85e2-43fd-a0d0-f282188e291e", "x-misp-attribute--0e1708e4-f25e-4ebe-acc7-e77dc5a906dd", "indicator--a74af413-79fa-4909-9c0e-5da293a89d14", "indicator--ddf93926-3645-4e64-8e21-e3cadcb42dbe", "indicator--4822dadc-6680-4b7b-948b-5eb0eecf329c", "indicator--cd507edf-d207-4fc8-ab5a-981f43ba2a51", "indicator--8ce804d8-0129-47b2-aadb-e794772944d9", "indicator--6f4ef921-6bf4-4692-bbad-e48ce05eb228", "indicator--c2f4e331-a13d-49b0-a01a-bc053da56769", "indicator--043a8bb1-1a42-4737-b72c-26c5701aa7f8", "x-misp-attribute--c3972c5b-f600-426b-8a03-2b82bad6fedb", "x-misp-attribute--053dfa99-3d2f-4498-ab6a-544bdd2f06f1", "x-misp-attribute--604f4489-cfe4-48b6-a71e-4115cc6e1686", "x-misp-attribute--a41f57f0-b112-4bac-be5d-d079b1ef3654", "x-misp-attribute--a727a6a4-d692-46a6-a471-ca8438b99206", "x-misp-attribute--6bb145ae-a23b-4186-98e6-4af2afe63a85", "x-misp-attribute--36eab666-2303-41b4-86db-d2d4630b1c4b", "x-misp-attribute--5daed22d-ca0c-49d0-af03-d71fc869467b", "x-misp-attribute--e7adc49c-33af-4fc7-9111-d8a7a5479dce", "x-misp-attribute--53a6c33c-ba99-4e25-9741-bac2877adfe0", "x-misp-attribute--387b69b7-6336-4b2f-aaf2-61ca43c12dbf", "x-misp-attribute--f134b566-0efa-4e8d-a0c2-983ab1a10951", "x-misp-attribute--f9fc7f74-52ed-4b13-aa18-cb696b3f71b2", "x-misp-attribute--f07e6d67-1608-4ecf-841a-beebc4d55450", "x-misp-attribute--81db953f-ae79-4e07-95cf-86c9aa5f315b", "indicator--3de8d0d9-4538-4295-86c4-4a8c2115d031", "indicator--a1e4283a-d00f-4c04-b605-19b4df73fa29", "indicator--d3624e94-1ce5-439d-800d-b14cde62ca8c", "indicator--7ed3898f-469c-4503-9ced-31ef0edc4598", "indicator--bdfbf198-91a4-4e34-87fa-20ffbcb938cb", "indicator--44ecfdbb-15ad-4da5-ae60-ae9e86a8fcbd", "indicator--7c8585c7-f16d-4160-b518-f64330929a65", "indicator--6e6295bb-4caa-4c86-9c3b-7982df4b1579", "indicator--8434d591-d6d9-4043-a68b-b7f7aa7632cb", "indicator--3a91a09d-baab-4f83-b313-f17e83e6225b", "indicator--8f23b33c-1f63-4a59-88d5-f1913185f8c2", "indicator--5076da52-2497-4dcd-b7eb-6b13bd387df5", "indicator--313ae7bc-b8cb-4fc6-b646-8379f9fb0917", "indicator--0ac2f3e6-37a7-4ad6-ab4b-b6d20c19e775", "indicator--8cb316d8-7c13-4d62-ae36-65336aaa80fb", "indicator--d24fb77d-e776-4d2b-9480-4c430733a2d9", "indicator--3bae573d-d93e-468a-8406-47b55de6e76f", "indicator--436005da-d100-4543-9329-6939546bcd98", "indicator--59c35d4e-4420-4266-992f-1aa58906e157", "indicator--2f941274-cb1e-4499-8407-1af90a163231", "indicator--0e48addd-4a98-4045-9725-3d43918787c9", "indicator--28c3fa40-019d-4de0-b203-eb3b4921cf08", "indicator--bf9c1674-2f1d-4a0c-8fa6-7efa805f8dd6", "indicator--e2c5cac5-a603-44ad-a47a-e4e11795d57b", "indicator--a88b2df4-d1c2-4ad3-8f92-bca70dca1cc5", "indicator--83cd3826-3f69-48e2-b91d-c319ecd366be", "indicator--5d3cc885-69a8-44b6-942d-76a205b5b9bf", "indicator--c3680318-bdc8-4e35-9722-7401eac56247", "indicator--92800ef6-15f8-48b7-90ea-e8a819affda4", "indicator--4897f3a4-3ae7-45e3-82a3-b14314cbfc29", "indicator--2fe0f668-8003-49d9-98e8-d5123f12a56d", "x-misp-object--00757583-07b5-44cf-aaf0-7e71aebf60ff", "x-misp-object--704e5969-5b1d-4325-b7fc-4a6d923bbda5", "indicator--a9021b55-afc0-437c-b972-3079eab113d1", "x-misp-object--7ef11d83-1085-4d24-910e-5f66372ed7ef", "indicator--31bcc06e-f214-4193-bd07-83a32e27ad7d", "x-misp-object--aad7d8b5-905e-4cf6-9e67-6182ce4de562", "indicator--e69670e4-f98d-4be6-953c-933b681d802b", "x-misp-object--3e418ab5-d67d-46cd-b630-f40b287784b7", "indicator--0ce970ae-28ab-457c-a377-d083e527e699", "x-misp-object--9c96483f-0733-4016-80cf-7e5a090da564", "indicator--b9b484e5-731d-432a-b5eb-6013142e1fb7", "x-misp-object--6587653a-065f-49f1-958a-83869a219db6", "relationship--ca348e51-30c1-4923-82bb-ddc89fcee104", "relationship--46daaa94-b8d3-47e3-a63d-e88464596d83", "relationship--fe8b5a11-1f96-476e-81c5-2118efa6c9e0", "relationship--f7e2d2e5-56ad-473d-88cd-50b0d94aad93", "relationship--44f0423e-6cb2-4fa8-ba37-f18d3f4443cd" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"", "misp-galaxy:mitre-attack-pattern=\"Pre-OS Boot - T1542\"", "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Autostart Execution - T1547\"", "misp-galaxy:mitre-attack-pattern=\"Dynamic-link Library Injection - T1055.001\"", "misp-galaxy:mitre-attack-pattern=\"Hidden Files and Directories - T1564.001\"", "misp-galaxy:mitre-attack-pattern=\"Hidden File System - T1564.005\"", "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"", "misp-galaxy:mitre-attack-pattern=\"Impair Defenses - T1562\"", "misp-galaxy:mitre-attack-pattern=\"Rename System Utilities - T1036.003\"", "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"", "misp-galaxy:mitre-attack-pattern=\"Patch System Image - T1601.001\"", "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1406\"", "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"", "misp-galaxy:mitre-attack-pattern=\"Bootkit - T1542.003\"", "misp-galaxy:mitre-attack-pattern=\"Code Signing Policy Modification - T1553.006\"", "misp-galaxy:mitre-attack-pattern=\"Time Based Evasion - T1497.003\"", "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"", "misp-galaxy:mitre-attack-pattern=\"Application Window Discovery - T1010\"", "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"", "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1420\"", "misp-galaxy:mitre-attack-pattern=\"Peripheral Device Discovery - T1120\"", "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1424\"", "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"", "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1426\"", "misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\"", "misp-galaxy:mitre-attack-pattern=\"Automated Collection - T1119\"", "misp-galaxy:mitre-attack-pattern=\"Data from Removable Media - T1025\"", "misp-galaxy:mitre-attack-pattern=\"Local Data Staging - T1074.001\"", "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1417\"", "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"", "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1513\"", "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"", "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"", "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"", "misp-galaxy:mitre-attack-pattern=\"Non-Application Layer Protocol - T1095\"", "misp-galaxy:mitre-attack-pattern=\"Multi-Stage Channels - T1104\"", "misp-galaxy:mitre-attack-pattern=\"Automated Exfiltration - T1020\"", "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"", "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\"", "misp-galaxy:mitre-attack-pattern=\"Scheduled Transfer - T1029\"", "misp-galaxy:tool=\"ESPecter bootkit\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--2a49a854-10b5-4365-91e9-3f4a585eaf42", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-11T14:08:22.000Z", "modified": "2021-11-11T14:08:22.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Artifacts dropped\"" ], "x_misp_category": "Artifacts dropped", "x_misp_type": "text", "x_misp_value": "EFI/Rootkit.ESPecter" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--e4f416a2-85e2-43fd-a0d0-f282188e291e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-11T14:08:22.000Z", "modified": "2021-11-11T14:08:22.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Artifacts dropped\"" ], "x_misp_category": "Artifacts dropped", "x_misp_type": "text", "x_misp_value": "Win32/Rootkit.ESPecter" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--0e1708e4-f25e-4ebe-acc7-e77dc5a906dd", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-11T14:08:22.000Z", "modified": "2021-11-11T14:08:22.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Artifacts dropped\"" ], "x_misp_category": "Artifacts dropped", "x_misp_type": "text", "x_misp_value": "Win64/Rootkit.ESPecter" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a74af413-79fa-4909-9c0e-5da293a89d14", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-11T14:46:40.000Z", "modified": "2021-11-11T14:46:40.000Z", "description": "C&C from configurations", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '196.1.2.111']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-11T14:46:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ddf93926-3645-4e64-8e21-e3cadcb42dbe", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-11T14:46:40.000Z", "modified": "2021-11-11T14:46:40.000Z", "description": "C&C from configurations", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.212.69.175']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-11T14:46:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4822dadc-6680-4b7b-948b-5eb0eecf329c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-11T14:46:40.000Z", "modified": "2021-11-11T14:46:40.000Z", "description": "C&C from configurations", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '183.90.187.65']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-11T14:46:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--cd507edf-d207-4fc8-ab5a-981f43ba2a51", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-11T14:46:40.000Z", "modified": "2021-11-11T14:46:40.000Z", "description": "C&C from configurations", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '61.178.79.69']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-11T14:46:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8ce804d8-0129-47b2-aadb-e794772944d9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-11T14:46:40.000Z", "modified": "2021-11-11T14:46:40.000Z", "description": "C&C from configurations", "pattern": "[domain-name:value = 'swj02.gicp.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-11T14:46:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6f4ef921-6bf4-4692-bbad-e48ce05eb228", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-11T14:46:40.000Z", "modified": "2021-11-11T14:46:40.000Z", "description": "C&C from configurations", "pattern": "[domain-name:value = 'server.microsoftassistant.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-11T14:46:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c2f4e331-a13d-49b0-a01a-bc053da56769", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-11T14:46:40.000Z", "modified": "2021-11-11T14:46:40.000Z", "description": "C&C from configurations", "pattern": "[domain-name:value = 'yspark.justdied.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-11T14:46:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--043a8bb1-1a42-4737-b72c-26c5701aa7f8", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-11T14:46:40.000Z", "modified": "2021-11-11T14:46:40.000Z", "description": "C&C from configurations", "pattern": "[domain-name:value = 'crystalnba.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-11T14:46:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--c3972c5b-f600-426b-8a03-2b82bad6fedb", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T08:51:37.000Z", "modified": "2021-11-12T08:51:37.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_comment": "Configuration file path", "x_misp_type": "text", "x_misp_value": "%windir%\\Temp\\syslog" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--053dfa99-3d2f-4498-ab6a-544bdd2f06f1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T09:46:13.000Z", "modified": "2021-11-12T09:46:13.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_comment": "Base directory for the collected data (%BaseDir%)", "x_misp_type": "text", "x_misp_value": "%sysdir%\\Media\\NPCSJDLFSD" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--604f4489-cfe4-48b6-a71e-4115cc6e1686", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T09:46:13.000Z", "modified": "2021-11-12T09:46:13.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_comment": "Base directory for the collected data (%BaseDir%)", "x_misp_type": "text", "x_misp_value": "%windir%\\Temp\\NPCSJDLFSD" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--a41f57f0-b112-4bac-be5d-d079b1ef3654", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:18:01.000Z", "modified": "2021-11-12T10:18:01.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_comment": "Screenshots directory", "x_misp_type": "text", "x_misp_value": "%BaseDir%\\SSQWCVBER" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--a727a6a4-d692-46a6-a471-ca8438b99206", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:18:36.000Z", "modified": "2021-11-12T10:18:36.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_comment": "Stolen documents directory", "x_misp_type": "text", "x_misp_value": "%BaseDir%\\UTXZCZXQ" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--6bb145ae-a23b-4186-98e6-4af2afe63a85", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:19:05.000Z", "modified": "2021-11-12T10:19:05.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_comment": "Intercepted keyboard logs directory", "x_misp_type": "text", "x_misp_value": "%BaseDir%\\KLACVSWER" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--36eab666-2303-41b4-86db-d2d4630b1c4b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:19:35.000Z", "modified": "2021-11-12T10:19:35.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_comment": "Encrypted user-mode payloads files", "x_misp_type": "text", "x_misp_value": "%windir%\\Temp\\dd_vcredist" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5daed22d-ca0c-49d0-af03-d71fc869467b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:19:35.000Z", "modified": "2021-11-12T10:19:35.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_comment": "Encrypted user-mode payloads files", "x_misp_type": "text", "x_misp_value": "%windir%\\Temp\\memlog" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--e7adc49c-33af-4fc7-9111-d8a7a5479dce", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:19:35.000Z", "modified": "2021-11-12T10:19:35.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_comment": "Encrypted user-mode payloads files", "x_misp_type": "text", "x_misp_value": "%windir%\\Temp\\vmmmlog" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--53a6c33c-ba99-4e25-9741-bac2877adfe0", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:19:35.000Z", "modified": "2021-11-12T10:19:35.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_comment": "Encrypted user-mode payloads files", "x_misp_type": "text", "x_misp_value": "%windir%\\Temp\\vmmmmlog" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--387b69b7-6336-4b2f-aaf2-61ca43c12dbf", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:19:59.000Z", "modified": "2021-11-12T10:19:59.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_comment": "Decrypted user-mode payloads files", "x_misp_type": "text", "x_misp_value": "%windir%\\Temp\\vmmmlog.exe" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--f134b566-0efa-4e8d-a0c2-983ab1a10951", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:19:59.000Z", "modified": "2021-11-12T10:19:59.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_comment": "Decrypted user-mode payloads files", "x_misp_type": "text", "x_misp_value": "%windir%\\Temp\\vmmmmlog.exe" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--f9fc7f74-52ed-4b13-aa18-cb696b3f71b2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:19:59.000Z", "modified": "2021-11-12T10:19:59.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_comment": "Decrypted user-mode payloads files", "x_misp_type": "text", "x_misp_value": "\\SystemRoot\\System32\\Client.dll" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--f07e6d67-1608-4ecf-841a-beebc4d55450", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:19:59.000Z", "modified": "2021-11-12T10:19:59.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_comment": "Decrypted user-mode payloads files", "x_misp_type": "text", "x_misp_value": "\\SystemRoot\\System32\\WinSys.dll" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--81db953f-ae79-4e07-95cf-86c9aa5f315b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:20:24.000Z", "modified": "2021-11-12T10:20:24.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_comment": "Backed up clean null.sys or beep.sys driver path", "x_misp_type": "text", "x_misp_value": "%windir%\\\\Help\\\\intel.chm" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3de8d0d9-4538-4295-86c4-4a8c2115d031", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:24:19.000Z", "modified": "2021-11-12T10:24:19.000Z", "pattern": "[file:hashes.SHA1 = '6b2ad6114029d60f7c40f306271669b3a69ea270' AND file:name = 'WinSys.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T10:24:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a1e4283a-d00f-4c04-b605-19b4df73fa29", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:24:01.000Z", "modified": "2021-11-12T10:24:01.000Z", "pattern": "[file:hashes.SHA1 = '0a97efa15a62e90d71f643b693b3dd3cf2657b9f' AND file:name = 'WinSys.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T10:24:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d3624e94-1ce5-439d-800d-b14cde62ca8c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:22:26.000Z", "modified": "2021-11-12T10:22:26.000Z", "pattern": "[file:hashes.SHA1 = '7f501aeb51ce3232a979ccf0e11278346f746d1f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T10:22:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7ed3898f-469c-4503-9ced-31ef0edc4598", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:23:44.000Z", "modified": "2021-11-12T10:23:44.000Z", "pattern": "[file:hashes.SHA1 = '81e6d19865647dc160861e2154d6903fc78c7dfb' AND file:name = 'WinSys.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T10:23:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bdfbf198-91a4-4e34-87fa-20ffbcb938cb", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:22:48.000Z", "modified": "2021-11-12T10:22:48.000Z", "pattern": "[file:hashes.SHA1 = 'cae4b2c049542fd28667ca6e9afa440b3f0138f9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T10:22:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--44ecfdbb-15ad-4da5-ae60-ae9e86a8fcbd", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:24:37.000Z", "modified": "2021-11-12T10:24:37.000Z", "pattern": "[file:hashes.SHA1 = '09f0f17aeccdef5cb1112bc9bef0fe4f828d6d3b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T10:24:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7c8585c7-f16d-4160-b518-f64330929a65", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:24:53.000Z", "modified": "2021-11-12T10:24:53.000Z", "pattern": "[file:hashes.SHA1 = '99dc33bedf4cb9bdbdf04cc60e1da55cfbeadc09']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T10:24:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6e6295bb-4caa-4c86-9c3b-7982df4b1579", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:25:14.000Z", "modified": "2021-11-12T10:25:14.000Z", "pattern": "[file:hashes.SHA1 = 'c06eeb1600cf4e8aac91730e00dd7c169738afde']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T10:25:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8434d591-d6d9-4043-a68b-b7f7aa7632cb", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:25:25.000Z", "modified": "2021-11-12T10:25:25.000Z", "pattern": "[file:hashes.SHA1 = 'dcd42b04705b784ad62bb36e17305b6e6414f033']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T10:25:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3a91a09d-baab-4f83-b313-f17e83e6225b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:25:39.000Z", "modified": "2021-11-12T10:25:39.000Z", "pattern": "[file:hashes.SHA1 = '374d1a399ef44472ee088563d621df28221cbcce']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T10:25:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8f23b33c-1f63-4a59-88d5-f1913185f8c2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:25:57.000Z", "modified": "2021-11-12T10:25:57.000Z", "pattern": "[file:hashes.SHA1 = '8ab33e432c8bee54ae759dfb5346d21387f26902']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T10:25:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5076da52-2497-4dcd-b7eb-6b13bd387df5", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:26:14.000Z", "modified": "2021-11-12T10:26:14.000Z", "pattern": "[file:hashes.SHA1 = '656c263fa004bb3e6f3ee6ef6767d101869c7f7c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T10:26:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--313ae7bc-b8cb-4fc6-b646-8379f9fb0917", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T10:26:35.000Z", "modified": "2021-11-12T10:26:35.000Z", "pattern": "[file:hashes.SHA1 = '1d75bfb18ffc0b820cb36acf8707343fa6679863']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T10:26:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0ac2f3e6-37a7-4ad6-ab4b-b6d20c19e775", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T12:09:42.000Z", "modified": "2021-11-12T12:09:42.000Z", "pattern": "[file:hashes.SHA1 = '865f5b87b5f6fb75f3ec68ca05a21cc36446812f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T12:09:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8cb316d8-7c13-4d62-ae36-65336aaa80fb", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T12:10:00.000Z", "modified": "2021-11-12T12:10:00.000Z", "pattern": "[file:hashes.SHA1 = '9f6df0a011748160b0c18fb2b44ebe9fa9d517e9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T12:10:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d24fb77d-e776-4d2b-9480-4c430733a2d9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T12:10:28.000Z", "modified": "2021-11-12T12:10:28.000Z", "pattern": "[file:hashes.SHA1 = '2c22ae243fdc08b84b38d9580900a9a9e3823acf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T12:10:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3bae573d-d93e-468a-8406-47b55de6e76f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T12:10:42.000Z", "modified": "2021-11-12T12:10:42.000Z", "pattern": "[file:hashes.SHA1 = 'abc03a234233c63330c744fda784385273af395b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T12:10:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--436005da-d100-4543-9329-6939546bcd98", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T12:12:44.000Z", "modified": "2021-11-12T12:12:44.000Z", "pattern": "[file:hashes.SHA1 = '7ad4442d3c02fa145bef9bf18c9464c3e4449224']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T12:12:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59c35d4e-4420-4266-992f-1aa58906e157", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T12:12:58.000Z", "modified": "2021-11-12T12:12:58.000Z", "pattern": "[file:hashes.SHA1 = 'a8b4fe8a421c86eae060bb8bf525ef1e1fc133b2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T12:12:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2f941274-cb1e-4499-8407-1af90a163231", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T12:13:23.000Z", "modified": "2021-11-12T12:13:23.000Z", "pattern": "[file:hashes.SHA1 = '08077d940f2b385fbd287d84edb58493136c8391']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T12:13:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0e48addd-4a98-4045-9725-3d43918787c9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T12:15:37.000Z", "modified": "2021-11-12T12:15:37.000Z", "pattern": "[file:hashes.SHA1 = '27ad0a8a88eab01e2b48ba19d2aaabf360ece5b8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T12:15:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--28c3fa40-019d-4de0-b203-eb3b4921cf08", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T12:16:48.000Z", "modified": "2021-11-12T12:16:48.000Z", "pattern": "[file:hashes.SHA1 = '3ac6f9458a4a1a16390379621fdd230c656fc444']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T12:16:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bf9c1674-2f1d-4a0c-8fa6-7efa805f8dd6", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T12:17:32.000Z", "modified": "2021-11-12T12:17:32.000Z", "pattern": "[file:hashes.SHA1 = '37e49dbceb1354d508319548a7efbd149bfa0e8d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T12:17:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e2c5cac5-a603-44ad-a47a-e4e11795d57b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T12:17:50.000Z", "modified": "2021-11-12T12:17:50.000Z", "pattern": "[file:hashes.SHA1 = 'ca19347287fce93f2c675efdf88c8b0db4910929']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T12:17:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a88b2df4-d1c2-4ad3-8f92-bca70dca1cc5", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T12:23:33.000Z", "modified": "2021-11-12T12:23:33.000Z", "pattern": "[file:hashes.SHA1 = 'c8c2c127ec6af87d96b058ff023b534f1237215c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T12:23:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--83cd3826-3f69-48e2-b91d-c319ecd366be", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T12:36:30.000Z", "modified": "2021-11-12T12:36:30.000Z", "pattern": "[file:hashes.SHA1 = 'c7fe86e5981b39927275873c3a386cb1d8c93a6b' AND file:name = 'WinSys.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T12:36:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d3cc885-69a8-44b6-942d-76a205b5b9bf", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T12:39:33.000Z", "modified": "2021-11-12T12:39:33.000Z", "pattern": "[file:hashes.SHA1 = '180b0e6a4a3334aaa4249b3d631695a31eb45d7a' AND file:name = 'WinSys.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T12:39:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c3680318-bdc8-4e35-9722-7401eac56247", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T12:40:03.000Z", "modified": "2021-11-12T12:40:03.000Z", "pattern": "[file:hashes.SHA1 = '030b97860ed5a3089c5e8efb8edd7cc359134124' AND file:name = 'WinSys.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T12:40:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--92800ef6-15f8-48b7-90ea-e8a819affda4", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T13:07:58.000Z", "modified": "2021-11-12T13:07:58.000Z", "pattern": "[file:hashes.SHA1 = '26f7757602000bcc3c18a887dbc7416ae43bf61a' AND file:name = 'WinSys.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T13:07:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4897f3a4-3ae7-45e3-82a3-b14314cbfc29", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T13:07:08.000Z", "modified": "2021-11-12T13:07:08.000Z", "pattern": "[file:hashes.SHA1 = 'abb410a4f863b101c218990664981914d14f1e58' AND file:name = 'WinSys.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T13:07:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2fe0f668-8003-49d9-98e8-d5123f12a56d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T12:36:04.000Z", "modified": "2021-11-12T12:36:04.000Z", "pattern": "[file:hashes.SHA1 = '0a8a388911a7a368fc1cf111fb26ba92a19fed3e' AND file:name = 'WinSys.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-12T12:36:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--00757583-07b5-44cf-aaf0-7e71aebf60ff", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-12T13:20:18.000Z", "modified": "2021-11-12T13:20:18.000Z", "labels": [ "misp:name=\"report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "link", "value": "https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/", "category": "External analysis", "uuid": "0421b6c2-5056-4448-9950-199a346cada2" }, { "type": "text", "object_relation": "summary", "value": "ESET researchers have analyzed a previously undocumented, real-world UEFI bootkit that persists on the EFI System Partition (ESP). The bootkit, which we\u2019ve named ESPecter, can bypass Windows Driver Signature Enforcement to load its own unsigned driver, which facilitates its espionage activities. Alongside Kaspersky\u2019s recent discovery of the unrelated FinSpy bootkit, it is now safe to say that real-world UEFI threats are no longer limited to SPI flash implants, as used by Lojax.", "category": "Other", "uuid": "6eb32b17-8975-4ca9-994f-21f4e10f2203" }, { "type": "text", "object_relation": "type", "value": "Online Article", "category": "Other", "uuid": "66228cc7-a06e-41fe-bc32-f278038eb512" } ], "x_misp_meta_category": "misc", "x_misp_name": "report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--704e5969-5b1d-4325-b7fc-4a6d923bbda5", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-19T08:11:44.000Z", "modified": "2021-11-19T08:11:44.000Z", "labels": [ "misp:name=\"report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "link", "value": "https://github.com/eset/malware-ioc/tree/master/especter", "category": "External analysis", "uuid": "d1c1cf4e-6d05-4e71-8e8f-fa03cf3a7ae8" }, { "type": "text", "object_relation": "type", "value": "Report", "category": "Other", "uuid": "b86f621a-6a55-4335-85b1-3d118630e883" } ], "x_misp_meta_category": "misc", "x_misp_name": "report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a9021b55-afc0-437c-b972-3079eab113d1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-19T15:31:04.000Z", "modified": "2021-11-19T15:31:04.000Z", "pattern": "[file:hashes.MD5 = '6d1a47574ef7598017c13d64769cccfb' AND file:hashes.SHA1 = '1d75bfb18ffc0b820cb36acf8707343fa6679863' AND file:hashes.SHA256 = 'd61417d72a054d45ee33e395079e9d674f891a42ed0ec5357b5a8d91c69858a6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-19T15:31:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--7ef11d83-1085-4d24-910e-5f66372ed7ef", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-19T15:31:04.000Z", "modified": "2021-11-19T15:31:04.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2021-10-23T06:24:22+00:00", "category": "Other", "comment": "Legacy BIOS version installers", "uuid": "05c8364f-3b9f-43a2-bbfa-bc5ec545ceda" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/d61417d72a054d45ee33e395079e9d674f891a42ed0ec5357b5a8d91c69858a6/detection/f-d61417d72a054d45ee33e395079e9d674f891a42ed0ec5357b5a8d91c69858a6-1634970262", "category": "Payload delivery", "comment": "Legacy BIOS version installers", "uuid": "517a0bfc-2991-4230-8f32-53ae840b286d" }, { "type": "text", "object_relation": "detection-ratio", "value": "51/68", "category": "Payload delivery", "comment": "Legacy BIOS version installers", "uuid": "381a6904-7917-4045-abb1-d935df6f7bde" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--31bcc06e-f214-4193-bd07-83a32e27ad7d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-19T15:31:04.000Z", "modified": "2021-11-19T15:31:04.000Z", "pattern": "[file:hashes.MD5 = '3846c93e3f937b2ba156d28943be1bc9' AND file:hashes.SHA1 = '2c22ae243fdc08b84b38d9580900a9a9e3823acf' AND file:hashes.SHA256 = '021ec918c30a65a9f93919cedf57e8c935df3e773e03b74704d14fabcab89c5b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-19T15:31:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--aad7d8b5-905e-4cf6-9e67-6182ce4de562", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-19T15:31:04.000Z", "modified": "2021-11-19T15:31:04.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2021-10-27T13:27:29+00:00", "category": "Other", "comment": "Legacy BIOS version installers", "uuid": "30970fd5-8c1f-400d-a782-c6fd7f440cf8" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/021ec918c30a65a9f93919cedf57e8c935df3e773e03b74704d14fabcab89c5b/detection/f-021ec918c30a65a9f93919cedf57e8c935df3e773e03b74704d14fabcab89c5b-1635341249", "category": "Payload delivery", "comment": "Legacy BIOS version installers", "uuid": "dea2c8bd-664a-4cfb-91dc-925ed568a53e" }, { "type": "text", "object_relation": "detection-ratio", "value": "57/68", "category": "Payload delivery", "comment": "Legacy BIOS version installers", "uuid": "fc178cf5-6ef6-4bf9-9647-bf9ad621c001" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e69670e4-f98d-4be6-953c-933b681d802b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-19T15:31:04.000Z", "modified": "2021-11-19T15:31:04.000Z", "pattern": "[file:hashes.MD5 = '73ba4d13914f30dd8b36bc2fd561c0df' AND file:hashes.SHA1 = 'c7fe86e5981b39927275873c3a386cb1d8c93a6b' AND file:hashes.SHA256 = 'e2bb96b57fa337e3ee2f7d26b1710a80e89449c41c77ff58073cd386dbf83b63']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-19T15:31:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--3e418ab5-d67d-46cd-b630-f40b287784b7", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-19T15:31:04.000Z", "modified": "2021-11-19T15:31:04.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2021-10-23T05:15:58+00:00", "category": "Other", "uuid": "42d04113-0f63-403b-a40e-bae622212d24" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/e2bb96b57fa337e3ee2f7d26b1710a80e89449c41c77ff58073cd386dbf83b63/detection/f-e2bb96b57fa337e3ee2f7d26b1710a80e89449c41c77ff58073cd386dbf83b63-1634966158", "category": "Payload delivery", "uuid": "96171dfc-6935-4a36-ac21-57f3bab010e4" }, { "type": "text", "object_relation": "detection-ratio", "value": "50/65", "category": "Payload delivery", "uuid": "3adb1480-8bc7-40cc-a306-c0a1f6ffd0ea" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0ce970ae-28ab-457c-a377-d083e527e699", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-19T15:31:04.000Z", "modified": "2021-11-19T15:31:04.000Z", "pattern": "[file:hashes.MD5 = '2025cc89204d851a57c02a9fd441b619' AND file:hashes.SHA1 = '7f501aeb51ce3232a979ccf0e11278346f746d1f' AND file:hashes.SHA256 = '5ef62c780d7c9f82dea098972f66d5b3367841913444933cdb779adaecd06d1a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-19T15:31:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--9c96483f-0733-4016-80cf-7e5a090da564", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-19T15:31:04.000Z", "modified": "2021-11-19T15:31:04.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2021-10-27T13:33:01+00:00", "category": "Other", "comment": "Legacy BIOS version installers", "uuid": "32a4ae15-59c8-4768-b6fc-8beb9fbf0ce0" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/5ef62c780d7c9f82dea098972f66d5b3367841913444933cdb779adaecd06d1a/detection/f-5ef62c780d7c9f82dea098972f66d5b3367841913444933cdb779adaecd06d1a-1635341581", "category": "Payload delivery", "comment": "Legacy BIOS version installers", "uuid": "f4b1d9c6-bb59-4700-8263-7855d059bdeb" }, { "type": "text", "object_relation": "detection-ratio", "value": "56/67", "category": "Payload delivery", "comment": "Legacy BIOS version installers", "uuid": "1d400c2b-d36d-4506-b05c-897f203ca794" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b9b484e5-731d-432a-b5eb-6013142e1fb7", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-19T15:31:04.000Z", "modified": "2021-11-19T15:31:04.000Z", "pattern": "[file:hashes.MD5 = '64e1aa6f5dca669ba51678157058d54b' AND file:hashes.SHA1 = '9f6df0a011748160b0c18fb2b44ebe9fa9d517e9' AND file:hashes.SHA256 = '6b0cd074a6c556f4d1fe0088c15160eb13f847974c4307f9eeeea4dc33d49286']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-11-19T15:31:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--6587653a-065f-49f1-958a-83869a219db6", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-11-19T15:31:04.000Z", "modified": "2021-11-19T15:31:04.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2021-10-23T05:36:39+00:00", "category": "Other", "comment": "Legacy BIOS version installers", "uuid": "f97edadd-688f-4cfb-8fb2-b69a83e217f1" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/6b0cd074a6c556f4d1fe0088c15160eb13f847974c4307f9eeeea4dc33d49286/detection/f-6b0cd074a6c556f4d1fe0088c15160eb13f847974c4307f9eeeea4dc33d49286-1634967399", "category": "Payload delivery", "comment": "Legacy BIOS version installers", "uuid": "3e1531f7-83ed-4473-b620-1096d22a40a6" }, { "type": "text", "object_relation": "detection-ratio", "value": "52/68", "category": "Payload delivery", "comment": "Legacy BIOS version installers", "uuid": "b5145342-6351-4be6-ac1b-b467ff01969d" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ca348e51-30c1-4923-82bb-ddc89fcee104", "created": "2021-11-19T15:31:04.000Z", "modified": "2021-11-19T15:31:04.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--a9021b55-afc0-437c-b972-3079eab113d1", "target_ref": "x-misp-object--7ef11d83-1085-4d24-910e-5f66372ed7ef" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--46daaa94-b8d3-47e3-a63d-e88464596d83", "created": "2021-11-19T15:31:04.000Z", "modified": "2021-11-19T15:31:04.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--31bcc06e-f214-4193-bd07-83a32e27ad7d", "target_ref": "x-misp-object--aad7d8b5-905e-4cf6-9e67-6182ce4de562" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fe8b5a11-1f96-476e-81c5-2118efa6c9e0", "created": "2021-11-19T15:31:04.000Z", "modified": "2021-11-19T15:31:04.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--e69670e4-f98d-4be6-953c-933b681d802b", "target_ref": "x-misp-object--3e418ab5-d67d-46cd-b630-f40b287784b7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f7e2d2e5-56ad-473d-88cd-50b0d94aad93", "created": "2021-11-19T15:31:05.000Z", "modified": "2021-11-19T15:31:05.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--0ce970ae-28ab-457c-a377-d083e527e699", "target_ref": "x-misp-object--9c96483f-0733-4016-80cf-7e5a090da564" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--44f0423e-6cb2-4fa8-ba37-f18d3f4443cd", "created": "2021-11-19T15:31:05.000Z", "modified": "2021-11-19T15:31:05.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--b9b484e5-731d-432a-b5eb-6013142e1fb7", "target_ref": "x-misp-object--6587653a-065f-49f1-958a-83869a219db6" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }