{ "type": "bundle", "id": "bundle--5c4cb9a7-0454-42eb-8f63-383368f8e8cf", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2021-05-24T09:53:15.000Z", "modified": "2021-05-24T09:53:15.000Z", "name": "VK-Intel", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5c4cb9a7-0454-42eb-8f63-383368f8e8cf", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2021-05-24T09:53:15.000Z", "modified": "2021-05-24T09:53:15.000Z", "name": "2019-01-25: Lazarus Pakistan Toolkits", "published": "2021-05-26T09:09:05Z", "object_refs": [ "indicator--5c4cb9a7-3684-4f00-bff9-383368f8e8cf", "indicator--5c4cba32-e9e4-4bbf-8396-383068f8e8cf", "indicator--5c4cba32-070c-42ba-a0e0-383068f8e8cf", "indicator--5c4cba32-0238-4c6d-b8e2-383068f8e8cf", "indicator--5c4cba84-aed4-452e-8eb2-4e2768f8e8cf", "indicator--5c4cba84-c3c8-422c-a870-4e2768f8e8cf", "indicator--5c4cbbd2-1258-453f-b07d-383068f8e8cf", "observed-data--5c4d8bce-3e80-4dc4-9820-436102de0b81", "url--5c4d8bce-3e80-4dc4-9820-436102de0b81", "observed-data--5c4d8bf5-85c8-4424-a35f-4dd602de0b81", "url--5c4d8bf5-85c8-4424-a35f-4dd602de0b81", "indicator--49032699-f4cf-4808-a272-9ca316968a35", "x-misp-object--c3f88cfe-b795-4813-aaf3-3e8dcc5aceb6", "indicator--a45c3106-dec5-404d-acfc-8d00abde20c1", "x-misp-object--f8013005-dcd4-4c9f-9277-143df2440b9b", "indicator--88a6f7a4-9334-4ba6-af2d-93defaae48d4", "x-misp-object--de16e29f-b02f-4768-a6a2-18ea57310af0", "relationship--742cead4-7ba0-42bc-a21a-f1009a80be76", "relationship--a3ac93a7-ad82-4cb2-aa30-dd708f206ac1", "relationship--47281c43-074f-4706-bd2b-a40ee4063f6f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "Actor: Lazarus", "DPRK", "Malware: PowerRatankba,b", "PowerShell Installer", "Keylogger", "Country: Pakistan", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "misp-galaxy:threat-actor=\"Lazarus Group\"", "misp-galaxy:malpedia=\"PowerRatankba\"", "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Lazarus Group\"", "misp-galaxy:malpedia=\"Lazarus\"", "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Lazarus Group - G0032\"", "misp-galaxy:mitre-intrusion-set=\"Lazarus Group\"", "misp-galaxy:tool=\"PowerRatankba\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c4cb9a7-3684-4f00-bff9-383368f8e8cf", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-26T19:48:55.000Z", "modified": "2019-01-26T19:48:55.000Z", "pattern": "[file:hashes.MD5 = 'c9ed87e9f99c631cda368f6f329ee27e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-26T19:48:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c4cba32-e9e4-4bbf-8396-383068f8e8cf", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-26T19:51:14.000Z", "modified": "2019-01-26T19:51:14.000Z", "description": "Lazarus Tools", "pattern": "[file:hashes.MD5 = 'c9ed87e9f99c631cda368f6f329ee27e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-26T19:51:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c4cba32-070c-42ba-a0e0-383068f8e8cf", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-26T19:51:14.000Z", "modified": "2019-01-26T19:51:14.000Z", "description": "Lazarus Tools", "pattern": "[file:hashes.MD5 = '5cc28f3f32e7274f13378a724a5ec33a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-26T19:51:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c4cba32-0238-4c6d-b8e2-383068f8e8cf", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-26T19:51:14.000Z", "modified": "2019-01-26T19:51:14.000Z", "description": "Lazarus Tools", "pattern": "[file:hashes.MD5 = '2025d91c1cdd33db576b2c90ef4067c7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-26T19:51:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c4cba84-aed4-452e-8eb2-4e2768f8e8cf", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-26T19:52:36.000Z", "modified": "2019-01-26T19:52:36.000Z", "description": "C2", "pattern": "[url:value = 'https://ecombox.store/tbl_add.php?action=cgetpsa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-26T19:52:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c4cba84-c3c8-422c-a870-4e2768f8e8cf", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-26T19:52:36.000Z", "modified": "2019-01-26T19:52:36.000Z", "description": "C2", "pattern": "[url:value = 'https://ecombox.store/tbl_add.php?action=cgetrun']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-26T19:52:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c4cbbd2-1258-453f-b07d-383068f8e8cf", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-27T10:46:29.000Z", "modified": "2019-01-27T10:46:29.000Z", "description": "Yara for Keylogger", "pattern": "[rule APT_Lazarus_Keylogger {\r\n meta:\r\n description = \"Detects possible Lazarus Keylogger\"\r\n author = \"@VK_Intel\"\r\n date = \"2019-01-25\"\r\n strings:\r\n\t$s0 = \"%s%s\" fullword ascii wide\r\n\t$s1 = \"[ENTER]\" fullword ascii wide \r\n\t$s2 = \"[EX]\" fullword ascii wide\r\n\t$s3 = \"%02d:%02d\" fullword ascii wide\r\n \r\n \r\n\t$dll0 = \"PSLogger.dll\" fullword ascii wide\r\n\t$dll1 = \"capture_x64.dll\" fullword ascii wide \r\n\t$exe = \"PSLogger.exe\" fullword ascii wide\r\n \r\n condition:\r\n\tuint16(0) == 0x5a4d and all of ($s*) and (1 of ($dll*) or $exe)\r\n }]", "pattern_type": "yara", "valid_from": "2019-01-27T10:46:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Payload delivery\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5c4d8bce-3e80-4dc4-9820-436102de0b81", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-27T10:50:55.000Z", "modified": "2019-01-27T10:50:55.000Z", "first_observed": "2019-01-27T10:50:55Z", "last_observed": "2019-01-27T10:50:55Z", "number_observed": 1, "object_refs": [ "url--5c4d8bce-3e80-4dc4-9820-436102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "osint:certainty=\"75\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5c4d8bce-3e80-4dc4-9820-436102de0b81", "value": "https://github.com/k-vitali/apt_lazarus_toolkits/blob/master/2019-01-26.lazarus_pakistan_misp_vk.json" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5c4d8bf5-85c8-4424-a35f-4dd602de0b81", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-27T10:50:54.000Z", "modified": "2019-01-27T10:50:54.000Z", "first_observed": "2019-01-27T10:50:54Z", "last_observed": "2019-01-27T10:50:54Z", "number_observed": 1, "object_refs": [ "url--5c4d8bf5-85c8-4424-a35f-4dd602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "osint:certainty=\"75\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5c4d8bf5-85c8-4424-a35f-4dd602de0b81", "value": "https://www.vkremez.com/2019/01/lets-learn-dissecting-lazarus.html" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--49032699-f4cf-4808-a272-9ca316968a35", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-27T10:47:15.000Z", "modified": "2019-01-27T10:47:15.000Z", "pattern": "[file:hashes.MD5 = 'c9ed87e9f99c631cda368f6f329ee27e' AND file:hashes.SHA1 = '943feef623db1143f4b9c957fee4c94753cfb6a5' AND file:hashes.SHA256 = '802efe9c41909354921009bd54be7dcf1ee14fcfaf62dacbcdaafbe051a711e3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-27T10:47:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--c3f88cfe-b795-4813-aaf3-3e8dcc5aceb6", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-27T10:47:16.000Z", "modified": "2019-01-27T10:47:16.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-01-26T18:54:38", "category": "Other", "uuid": "7b3cc6f2-b07f-457e-b07b-d540d8411068" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/802efe9c41909354921009bd54be7dcf1ee14fcfaf62dacbcdaafbe051a711e3/analysis/1548528878/", "category": "External analysis", "uuid": "a0ecf930-b40e-4994-a828-67700f5f7c7e" }, { "type": "text", "object_relation": "detection-ratio", "value": "2/56", "category": "Other", "uuid": "44dca040-d0e5-4292-9239-670b5be27c9b" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a45c3106-dec5-404d-acfc-8d00abde20c1", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-27T10:47:16.000Z", "modified": "2019-01-27T10:47:16.000Z", "pattern": "[file:hashes.MD5 = '2025d91c1cdd33db576b2c90ef4067c7' AND file:hashes.SHA1 = 'ec80c302c91c6caf5343cfd3fabf43b0bbd067a5' AND file:hashes.SHA256 = 'bed916831e8c9babfb6d08644058a61e3547d621f847c081309f616aed06c2fe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-27T10:47:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--f8013005-dcd4-4c9f-9277-143df2440b9b", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-27T10:47:16.000Z", "modified": "2019-01-27T10:47:16.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-01-25T21:10:16", "category": "Other", "uuid": "44f0d1c6-d716-4e81-9349-5d1f1de27808" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/bed916831e8c9babfb6d08644058a61e3547d621f847c081309f616aed06c2fe/analysis/1548450616/", "category": "External analysis", "uuid": "2e44c2c4-bb77-4f87-a9d0-5162e7ce0712" }, { "type": "text", "object_relation": "detection-ratio", "value": "3/68", "category": "Other", "uuid": "e80a9946-d609-4362-b9e4-ff861a117761" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--88a6f7a4-9334-4ba6-af2d-93defaae48d4", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-27T10:47:16.000Z", "modified": "2019-01-27T10:47:16.000Z", "pattern": "[file:hashes.MD5 = '5cc28f3f32e7274f13378a724a5ec33a' AND file:hashes.SHA1 = '32292b4e125287a6567e3879d53d0d8d82bcdf01' AND file:hashes.SHA256 = '18f0ad8c58558d6eb8129f32cbc2905d0b63822185506b7c3bca49d423d837c7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-27T10:47:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--de16e29f-b02f-4768-a6a2-18ea57310af0", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-27T10:47:16.000Z", "modified": "2019-01-27T10:47:16.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-01-26T22:25:46", "category": "Other", "uuid": "e37a032b-0abd-4860-a6fd-5e6a98537472" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/18f0ad8c58558d6eb8129f32cbc2905d0b63822185506b7c3bca49d423d837c7/analysis/1548541546/", "category": "External analysis", "uuid": "4c46bec8-3b2d-4494-a2de-12288573a536" }, { "type": "text", "object_relation": "detection-ratio", "value": "3/56", "category": "Other", "uuid": "ab18849e-cd56-4123-b59e-5086417c0d7f" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--742cead4-7ba0-42bc-a21a-f1009a80be76", "created": "2021-05-24T09:53:15.000Z", "modified": "2021-05-24T09:53:15.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--49032699-f4cf-4808-a272-9ca316968a35", "target_ref": "x-misp-object--c3f88cfe-b795-4813-aaf3-3e8dcc5aceb6" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a3ac93a7-ad82-4cb2-aa30-dd708f206ac1", "created": "2021-05-24T09:53:15.000Z", "modified": "2021-05-24T09:53:15.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--a45c3106-dec5-404d-acfc-8d00abde20c1", "target_ref": "x-misp-object--f8013005-dcd4-4c9f-9277-143df2440b9b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--47281c43-074f-4706-bd2b-a40ee4063f6f", "created": "2021-05-24T09:53:15.000Z", "modified": "2021-05-24T09:53:15.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--88a6f7a4-9334-4ba6-af2d-93defaae48d4", "target_ref": "x-misp-object--de16e29f-b02f-4768-a6a2-18ea57310af0" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }