{ "type": "bundle", "id": "bundle--59722019-3260-4062-bec5-4eea950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-21T15:42:35.000Z", "modified": "2017-07-21T15:42:35.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--59722019-3260-4062-bec5-4eea950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-21T15:42:35.000Z", "modified": "2017-07-21T15:42:35.000Z", "name": "OSINT - Linux.Bew: un backdoor para el minado de Bitcoin", "published": "2017-07-21T15:45:08Z", "object_refs": [ "observed-data--59722024-b7ec-415d-a9d6-4032950d210f", "url--59722024-b7ec-415d-a9d6-4032950d210f", "x-misp-attribute--59722036-ecec-4b53-a575-40ce950d210f", "indicator--5972204b-2690-47f3-b113-4dc3950d210f", "indicator--59722068-7e70-418e-b27b-cf65950d210f", "indicator--5972207d-12d4-4674-8603-49fe950d210f", "indicator--5972207d-b374-4e26-b02b-4100950d210f", "indicator--59722091-daf0-4356-ac59-46a7950d210f", "indicator--597220a8-2828-4a80-8910-4076950d210f", "x-misp-attribute--597220ce-d71c-4ec0-b402-41d0950d210f", "indicator--597220eb-0b04-447b-9d6a-471002de0b81", "indicator--597220eb-f6a0-4b53-8948-400802de0b81", "observed-data--597220eb-8224-4341-9cf0-495d02de0b81", "url--597220eb-8224-4341-9cf0-495d02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59722024-b7ec-415d-a9d6-4032950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-21T15:42:35.000Z", "modified": "2017-07-21T15:42:35.000Z", "first_observed": "2017-07-21T15:42:35Z", "last_observed": "2017-07-21T15:42:35Z", "number_observed": 1, "object_refs": [ "url--59722024-b7ec-415d-a9d6-4032950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59722024-b7ec-415d-a9d6-4032950d210f", "value": "https://www.securityartwork.es/2017/07/21/linux-bew-backdoor-minado-bitcoin/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59722036-ecec-4b53-a575-40ce950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-21T15:42:35.000Z", "modified": "2017-07-21T15:42:35.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "En el siguiente art\u00c3\u00adculo vamos a analizar una muestra del binario catalogado por varias firmas antivirus como Linux.Bew. (Virustotal), malware de tipo ELF del cual hemos detectado actividad durante este \u00c3\u00baltimo mes." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5972204b-2690-47f3-b113-4dc3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-21T15:42:35.000Z", "modified": "2017-07-21T15:42:35.000Z", "pattern": "[file:hashes.SHA256 = '80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-21T15:42:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59722068-7e70-418e-b27b-cf65950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-21T15:42:35.000Z", "modified": "2017-07-21T15:42:35.000Z", "pattern": "[file:name = '/root/.config/kdeinit4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-21T15:42:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5972207d-12d4-4674-8603-49fe950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-21T15:42:35.000Z", "modified": "2017-07-21T15:42:35.000Z", "pattern": "[domain-name:value = 'hfir.u230.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-21T15:42:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5972207d-b374-4e26-b02b-4100950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-21T15:42:35.000Z", "modified": "2017-07-21T15:42:35.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.211.49.214']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-21T15:42:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59722091-daf0-4356-ac59-46a7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-21T15:42:35.000Z", "modified": "2017-07-21T15:42:35.000Z", "description": "tcp/443", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.58.49.98']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-21T15:42:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--597220a8-2828-4a80-8910-4076950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-21T15:42:35.000Z", "modified": "2017-07-21T15:42:35.000Z", "pattern": "[rule LinuxBew: MALW\r\n{\r\n\tmeta:\r\n\t\tdescription = \"Linux.Bew Backdoor\"\r\n\t\tauthor = \"Joan Soriano / @w0lfvan\"\r\n\t\tdate = \"2017-07-10\"\r\n\t\tversion = \"1.0\"\r\n\t\tMD5 = \"27d857e12b9be5d43f935b8cc86eaabf\"\r\n\t\tSHA256 = \"80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06\"\r\n\tstrings:\r\n\t\t$a = \"src/secp256k1.c\"\r\n\t\t$b = \"hfir.u230.org\"\r\n\t\t$c = \u00e2\u20ac\u0153tempfile-x11session\u00e2\u20ac\u009d\r\n\tcondition:\r\n\t\tall of them\r\n}]", "pattern_type": "yara", "valid_from": "2017-07-21T15:42:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--597220ce-d71c-4ec0-b402-41d0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-21T15:42:35.000Z", "modified": "2017-07-21T15:42:35.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "Linux.Bew" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--597220eb-0b04-447b-9d6a-471002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-21T15:42:35.000Z", "modified": "2017-07-21T15:42:35.000Z", "description": "- Xchecked via VT: 80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06", "pattern": "[file:hashes.SHA1 = '4c614317fd1686f8c865c0a8d367c8e22b94087f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-21T15:42:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--597220eb-f6a0-4b53-8948-400802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-21T15:42:35.000Z", "modified": "2017-07-21T15:42:35.000Z", "description": "- Xchecked via VT: 80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06", "pattern": "[file:hashes.MD5 = 'f42c73e5291392c4c39852670addd7f9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-21T15:42:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--597220eb-8224-4341-9cf0-495d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-21T15:42:35.000Z", "modified": "2017-07-21T15:42:35.000Z", "first_observed": "2017-07-21T15:42:35Z", "last_observed": "2017-07-21T15:42:35Z", "number_observed": 1, "object_refs": [ "url--597220eb-8224-4341-9cf0-495d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--597220eb-8224-4341-9cf0-495d02de0b81", "value": "https://www.virustotal.com/file/80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06/analysis/1499436533/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }