{ "type": "bundle", "id": "bundle--59ac43b3-d8a8-4fcf-9543-4a8f02de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T10:52:03.000Z", "modified": "2017-12-18T10:52:03.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--59ac43b3-d8a8-4fcf-9543-4a8f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T10:52:03.000Z", "modified": "2017-12-18T10:52:03.000Z", "name": "OSINT - Javascript malware hosted on US government site which launches powershell to connect to C2.", "published": "2017-12-18T10:53:26Z", "object_refs": [ "observed-data--59ac43e1-dff8-46a7-9514-4f4702de0b81", "url--59ac43e1-dff8-46a7-9514-4f4702de0b81", "indicator--59ac43f8-6c28-48c0-99e0-453402de0b81", "indicator--59ac4419-3df8-4eda-9312-421002de0b81", "indicator--59ac4419-4af4-416c-aa4f-4cb302de0b81", "observed-data--59ac4419-ddd0-47d5-a136-4ac002de0b81", "url--59ac4419-ddd0-47d5-a136-4ac002de0b81", "indicator--59ac444f-e13c-4f0d-9ff7-aa5c02de0b81", "observed-data--59ac4475-de90-483c-81a6-492502de0b81", "url--59ac4475-de90-483c-81a6-492502de0b81", "indicator--5a3781ac-e49c-4f47-a5c0-47a9950d210f", "observed-data--5a37820a-a000-466c-bff1-44e1950d210f", "url--5a37820a-a000-466c-bff1-44e1950d210f", "indicator--7bbbd45c-82a1-44f6-ab72-7fdf191b8148", "x-misp-object--8328c6e4-df62-4f8a-b9c4-309693e5d9f9", "indicator--5e701ff1-51b4-4e2b-aacd-421636d9c852", "x-misp-object--801bce9a-1810-4811-a6e0-b8338414db9d", "relationship--16643379-1120-4685-96d6-4982c06a55e8", "relationship--746bd353-8d29-4a61-8e8c-67259d67cd28" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "osint:source-type=\"blog-post\"", "osint:source-type=\"pastie-website\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59ac43e1-dff8-46a7-9514-4f4702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T10:51:55.000Z", "modified": "2017-12-18T10:51:55.000Z", "first_observed": "2017-12-18T10:51:55Z", "last_observed": "2017-12-18T10:51:55Z", "number_observed": 1, "object_refs": [ "url--59ac43e1-dff8-46a7-9514-4f4702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"pastie-website\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59ac43e1-dff8-46a7-9514-4f4702de0b81", "value": "https://pastebin.com/0eAPV7Lc" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59ac43f8-6c28-48c0-99e0-453402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T10:51:55.000Z", "modified": "2017-12-18T10:51:55.000Z", "pattern": "[file:hashes.SHA256 = '1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T10:51:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59ac4419-3df8-4eda-9312-421002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T10:51:55.000Z", "modified": "2017-12-18T10:51:55.000Z", "description": "- Xchecked via VT: 1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd", "pattern": "[file:hashes.SHA1 = '898e4131496d0ae8eb3fd2a742a30830be3989f6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T10:51:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59ac4419-4af4-416c-aa4f-4cb302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-09-03T18:04:09.000Z", "modified": "2017-09-03T18:04:09.000Z", "description": "- Xchecked via VT: 1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd", "pattern": "[file:hashes.MD5 = 'c714ca63fc9fccce002941c171c07e4d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-09-03T18:04:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59ac4419-ddd0-47d5-a136-4ac002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T10:51:55.000Z", "modified": "2017-12-18T10:51:55.000Z", "first_observed": "2017-12-18T10:51:55Z", "last_observed": "2017-12-18T10:51:55Z", "number_observed": 1, "object_refs": [ "url--59ac4419-ddd0-47d5-a136-4ac002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59ac4419-ddd0-47d5-a136-4ac002de0b81", "value": "https://www.virustotal.com/file/1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd/analysis/1504118595/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59ac444f-e13c-4f0d-9ff7-aa5c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T10:51:55.000Z", "modified": "2017-12-18T10:51:55.000Z", "description": "Javascript malware hosted on US government site which launches powershell to connect to C2.", "pattern": "[url:value = 'http://dms.nwcg.gov/pipermail/ross-suggestion/attachments/20170304/9ee8a89e/attachment.zip']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T10:51:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59ac4475-de90-483c-81a6-492502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T10:51:55.000Z", "modified": "2017-12-18T10:51:55.000Z", "first_observed": "2017-12-18T10:51:55Z", "last_observed": "2017-12-18T10:51:55Z", "number_observed": 1, "object_refs": [ "url--59ac4475-de90-483c-81a6-492502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "admiralty-scale:source-reliability=\"f\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59ac4475-de90-483c-81a6-492502de0b81", "value": "https://blog.newskysecurity.com/us-government-site-unwittingly-hosting-malware-f1f4f11b6a1d" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3781ac-e49c-4f47-a5c0-47a9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T08:54:51.000Z", "modified": "2017-12-18T08:54:51.000Z", "description": "Cerber Ransomware", "pattern": "[file:hashes.SHA256 = '1f15415da53df8a8e0197aa7e17e594d24ea6d7fbe80fe3bb4a5cd41bc8f09f6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T08:54:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "workflow:todo=\"expansion\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a37820a-a000-466c-bff1-44e1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T10:51:55.000Z", "modified": "2017-12-18T10:51:55.000Z", "first_observed": "2017-12-18T10:51:55Z", "last_observed": "2017-12-18T10:51:55Z", "number_observed": 1, "object_refs": [ "url--5a37820a-a000-466c-bff1-44e1950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"pastie-website\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a37820a-a000-466c-bff1-44e1950d210f", "value": "https://pastebin.com/HAiqH0Wq" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7bbbd45c-82a1-44f6-ab72-7fdf191b8148", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T10:51:58.000Z", "modified": "2017-12-18T10:51:58.000Z", "pattern": "[file:hashes.MD5 = 'c714ca63fc9fccce002941c171c07e4d' AND file:hashes.SHA1 = '898e4131496d0ae8eb3fd2a742a30830be3989f6' AND file:hashes.SHA256 = '1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T10:51:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--8328c6e4-df62-4f8a-b9c4-309693e5d9f9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T10:51:55.000Z", "modified": "2017-12-18T10:51:55.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd/analysis/1504922776/", "category": "External analysis", "comment": "- Xchecked via VT: 1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd", "uuid": "5a379dcb-1d74-48e4-8937-48b002de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "36/60", "category": "Other", "comment": "- Xchecked via VT: 1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd", "uuid": "5a379dcb-5f38-4007-a029-423d02de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-09-09T02:06:16", "category": "Other", "comment": "- Xchecked via VT: 1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd", "uuid": "5a379dcb-d190-49b0-adbe-42a502de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5e701ff1-51b4-4e2b-aacd-421636d9c852", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T10:51:58.000Z", "modified": "2017-12-18T10:51:58.000Z", "pattern": "[file:hashes.MD5 = '61bcd1f3233b857be0aee9ceba6779f3' AND file:hashes.SHA1 = 'f996046fea268074d2edd430e628f23942d7b5b6' AND file:hashes.SHA256 = '1f15415da53df8a8e0197aa7e17e594d24ea6d7fbe80fe3bb4a5cd41bc8f09f6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T10:51:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--801bce9a-1810-4811-a6e0-b8338414db9d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T10:51:55.000Z", "modified": "2017-12-18T10:51:55.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/1f15415da53df8a8e0197aa7e17e594d24ea6d7fbe80fe3bb4a5cd41bc8f09f6/analysis/1504623436/", "category": "External analysis", "comment": "Cerber Ransomware", "uuid": "5a379dcb-2534-458c-b5be-40a602de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "51/64", "category": "Other", "comment": "Cerber Ransomware", "uuid": "5a379dcb-1b28-4489-b32e-4db702de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-09-05T14:57:16", "category": "Other", "comment": "Cerber Ransomware", "uuid": "5a379dcb-ab70-4d4e-8fba-4c1c02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--16643379-1120-4685-96d6-4982c06a55e8", "created": "2017-12-18T10:51:55.000Z", "modified": "2017-12-18T10:51:55.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--7bbbd45c-82a1-44f6-ab72-7fdf191b8148", "target_ref": "x-misp-object--8328c6e4-df62-4f8a-b9c4-309693e5d9f9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--746bd353-8d29-4a61-8e8c-67259d67cd28", "created": "2017-12-18T10:51:56.000Z", "modified": "2017-12-18T10:51:56.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5e701ff1-51b4-4e2b-aacd-421636d9c852", "target_ref": "x-misp-object--801bce9a-1810-4811-a6e0-b8338414db9d" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }