{ "type": "bundle", "id": "bundle--5cc92e5a-c624-4343-8352-40fd02de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-01T07:01:15.000Z", "modified": "2019-05-01T07:01:15.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5cc92e5a-c624-4343-8352-40fd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-01T07:01:15.000Z", "modified": "2019-05-01T07:01:15.000Z", "name": "OSINT - Kernel Mode Malicious Loader", "published": "2019-05-01T07:01:24Z", "object_refs": [ "indicator--5cc92e69-74a8-4690-90f4-482d02de0b81", "indicator--5cc92e8a-6df8-4361-ab1b-4d4002de0b81", "indicator--5cc92e8a-a568-4e06-8c35-42c102de0b81", "observed-data--5cc92fa3-f1cc-46c7-9084-48c902de0b81", "url--5cc92fa3-f1cc-46c7-9084-48c902de0b81", "indicator--5cc9443b-9b54-4abf-a421-1ba002de0b81", "indicator--5cc92fee-df1c-4c88-837f-4d7a02de0b81", "indicator--837ee41b-cf9d-4b16-8de6-383694cf6f5c", "x-misp-object--cd55b14c-14bc-4c8c-86e5-170d7444012a", "relationship--eabcff6b-a49f-4afc-a8b7-0aa505645182" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cc92e69-74a8-4690-90f4-482d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-01T05:28:09.000Z", "modified": "2019-05-01T05:28:09.000Z", "pattern": "[url:value = 'http://45.227.252.54']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-01T05:28:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cc92e8a-6df8-4361-ab1b-4d4002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-01T05:28:42.000Z", "modified": "2019-05-01T05:28:42.000Z", "description": "first stage", "pattern": "[file:hashes.SHA1 = '9cfced68abe4f2c0dc5c42f47652592077c26fd6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-01T05:28:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cc92e8a-a568-4e06-8c35-42c102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-01T05:28:42.000Z", "modified": "2019-05-01T05:28:42.000Z", "description": "unpacked stage", "pattern": "[file:hashes.SHA1 = 'e1111022deeeed0389ff01ebb02489c45fa2f71a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-01T05:28:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cc92fa3-f1cc-46c7-9084-48c902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-01T05:33:23.000Z", "modified": "2019-05-01T05:33:23.000Z", "first_observed": "2019-05-01T05:33:23Z", "last_observed": "2019-05-01T05:33:23Z", "number_observed": 1, "object_refs": [ "url--5cc92fa3-f1cc-46c7-9084-48c902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5cc92fa3-f1cc-46c7-9084-48c902de0b81", "value": "https://twitter.com/PRODAFT/status/1123241137710555136" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cc9443b-9b54-4abf-a421-1ba002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-01T07:01:15.000Z", "modified": "2019-05-01T07:01:15.000Z", "description": "C2", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.227.252.54']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-01T07:01:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cc92fee-df1c-4c88-837f-4d7a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-01T05:34:38.000Z", "modified": "2019-05-01T05:34:38.000Z", "description": "Malicious kernel mode loader", "pattern": "[file:hashes.SHA1 = '73f346da7642fae92677a71b01bfcd460f8604bc' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-01T05:34:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--837ee41b-cf9d-4b16-8de6-383694cf6f5c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-01T05:42:46.000Z", "modified": "2019-05-01T05:42:46.000Z", "pattern": "[file:hashes.MD5 = '3ae249513649876a34c60e04f385e156' AND file:hashes.SHA1 = '9cfced68abe4f2c0dc5c42f47652592077c26fd6' AND file:hashes.SHA256 = '1284962d30eabb8e47261414350c01ec04555800a3866f4e6cf1e20816e25a2e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-01T05:42:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--cd55b14c-14bc-4c8c-86e5-170d7444012a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-01T05:42:47.000Z", "modified": "2019-05-01T05:42:47.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-02-23T10:47:04", "category": "Other", "comment": "first stage", "uuid": "09a8c2c4-491f-4dab-b9ba-2d669878f830" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/1284962d30eabb8e47261414350c01ec04555800a3866f4e6cf1e20816e25a2e/analysis/1550918824/", "category": "Payload delivery", "comment": "first stage", "uuid": "d63e7483-709b-4a33-9799-1109f24b823d" }, { "type": "text", "object_relation": "detection-ratio", "value": "33/66", "category": "Payload delivery", "comment": "first stage", "uuid": "0f752f01-5f37-4c8a-8ad8-56622bfe8a6a" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--eabcff6b-a49f-4afc-a8b7-0aa505645182", "created": "2019-05-01T05:42:47.000Z", "modified": "2019-05-01T05:42:47.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--837ee41b-cf9d-4b16-8de6-383694cf6f5c", "target_ref": "x-misp-object--cd55b14c-14bc-4c8c-86e5-170d7444012a" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }