{ "type": "bundle", "id": "bundle--5d78a50e-ba3c-40b3-a5c1-4fb1950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T09:15:00.000Z", "modified": "2019-09-11T09:15:00.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5d78a50e-ba3c-40b3-a5c1-4fb1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T09:15:00.000Z", "modified": "2019-09-11T09:15:00.000Z", "name": "OSINT - ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group", "published": "2019-09-11T12:17:21Z", "object_refs": [ "observed-data--5d78a9c4-1108-4eb4-aca8-e76e950d210f", "url--5d78a9c4-1108-4eb4-aca8-e76e950d210f", "x-misp-attribute--5d78a9db-1b4c-4f0b-8e96-8aaa950d210f", "indicator--5d78acb4-ae5c-468f-8570-e7f0950d210f", "indicator--5d78acb4-8a10-4a25-9981-e7f0950d210f", "indicator--5d78acb4-91d4-4a43-b367-e7f0950d210f", "indicator--5d78acb4-fed4-4e1a-9239-e7f0950d210f", "indicator--5d78acb4-1f6c-43db-9dc0-e7f0950d210f", "indicator--5d78acde-9514-4e9d-968b-c52e950d210f", "indicator--5d78acde-80f8-4127-81c8-c52e950d210f", "indicator--5d78acde-69bc-4b16-935d-c52e950d210f", "indicator--5d78acde-d94c-48a4-9770-c52e950d210f", "x-misp-attribute--5d78ba7f-97f0-4ba7-8062-95e4950d210f", "observed-data--5d78bb45-783c-456e-a632-4105e387cbd9", "network-traffic--5d78bb45-783c-456e-a632-4105e387cbd9", "ipv4-addr--5d78bb45-783c-456e-a632-4105e387cbd9", "observed-data--5d78bb45-5550-4792-81df-43b1e387cbd9", "network-traffic--5d78bb45-5550-4792-81df-43b1e387cbd9", "ipv4-addr--5d78bb45-5550-4792-81df-43b1e387cbd9", "observed-data--5d78bb46-8dbc-41cf-971d-431de387cbd9", "network-traffic--5d78bb46-8dbc-41cf-971d-431de387cbd9", "ipv4-addr--5d78bb46-8dbc-41cf-971d-431de387cbd9", "x-misp-object--5d78aae9-e0fc-4efb-957e-4829950d210f", "x-misp-object--5d78ab5c-a620-4d62-b72b-8aa5950d210f", "x-misp-object--5d78ad11-8e74-4fda-92f9-e7f0950d210f", "x-misp-object--5d78ad26-4fbc-4e8e-a634-ca95950d210f", "x-misp-object--5d78ad3a-5f28-4ba2-a5c6-8aa5950d210f", "x-misp-object--5d78ad60-53c4-4617-b7c0-8aa9950d210f", "x-misp-object--5d78adad-d90c-4b7f-b37c-8aaa950d210f", "observed-data--5d78aee4-c290-488a-a73c-e7f0950d210f", "user-account--5d78aee4-c290-488a-a73c-e7f0950d210f", "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f", "relationship--679d31c0-3d2a-4a06-9303-5ea034e12952", "relationship--cf83b1b2-71c7-40ad-80a8-bae8eb3177a2", "relationship--3df6b2d1-291e-4024-a2b3-793c2b6d14c9", "relationship--ab8f79c1-cfd0-4a1c-b0a2-0e75f0145698", "relationship--688f6ec2-e421-4045-ae62-3d6562fccb32", "relationship--fb514130-2cb8-4149-9713-c5d5799defdd", "relationship--f086401b-5204-462c-a658-4995da219fcb" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Stealth Falcon\"", "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Stealth Falcon - G0038\"", "misp-galaxy:mitre-intrusion-set=\"Stealth Falcon\"", "misp-galaxy:mitre-intrusion-set=\"Stealth Falcon - G0038\"", "misp-galaxy:threat-actor=\"Stealth Falcon\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"BITS Jobs - T1197\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5d78a9c4-1108-4eb4-aca8-e76e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T08:01:08.000Z", "modified": "2019-09-11T08:01:08.000Z", "first_observed": "2019-09-11T08:01:08Z", "last_observed": "2019-09-11T08:01:08Z", "number_observed": 1, "object_refs": [ "url--5d78a9c4-1108-4eb4-aca8-e76e950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5d78a9c4-1108-4eb4-aca8-e76e950d210f", "value": "https://www.welivesecurity.com/2019/09/09/backdoor-stealth-falcon-group/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5d78a9db-1b4c-4f0b-8e96-8aaa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T08:01:31.000Z", "modified": "2019-09-11T08:01:31.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Stealth Falcon is a threat group, active since 2012, that targets political activists and journalists in the Middle East. It has been tracked by the Citizen Lab, a non-profit organization focusing on security and human rights, which published an analysis of a particular cyberattack in 2016. In January of 2019, Reuters published an investigative report into Project Raven, an initiative allegedly employing former NSA operatives and aiming at the same types of targets as Stealth Falcon." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d78acb4-ae5c-468f-8570-e7f0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T08:13:40.000Z", "modified": "2019-09-11T08:13:40.000Z", "description": "C&C", "pattern": "[domain-name:value = 'footballtimes.info']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-09-11T08:13:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d78acb4-8a10-4a25-9981-e7f0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T08:13:40.000Z", "modified": "2019-09-11T08:13:40.000Z", "description": "C&C", "pattern": "[domain-name:value = 'vegetableportfolio.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-09-11T08:13:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d78acb4-91d4-4a43-b367-e7f0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T08:13:40.000Z", "modified": "2019-09-11T08:13:40.000Z", "description": "C&C", "pattern": "[domain-name:value = 'windowsearchcache.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-09-11T08:13:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d78acb4-fed4-4e1a-9239-e7f0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T08:13:40.000Z", "modified": "2019-09-11T08:13:40.000Z", "description": "C&C", "pattern": "[domain-name:value = 'electricalweb.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-09-11T08:13:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d78acb4-1f6c-43db-9dc0-e7f0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T08:13:40.000Z", "modified": "2019-09-11T08:13:40.000Z", "description": "C&C", "pattern": "[domain-name:value = 'upnpdiscover.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-09-11T08:13:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d78acde-9514-4e9d-968b-c52e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T08:14:22.000Z", "modified": "2019-09-11T08:14:22.000Z", "description": "malware as detected by ESET", "pattern": "[file:hashes.SHA1 = '31b54aebdaf5fbc73a66ac41ccb35943cc9b7f72']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-09-11T08:14:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d78acde-80f8-4127-81c8-c52e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T08:14:22.000Z", "modified": "2019-09-11T08:14:22.000Z", "description": "malware as detected by ESET", "pattern": "[file:hashes.SHA1 = '50973a3fc57d70c7911f7a952356188b9939e56b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-09-11T08:14:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d78acde-69bc-4b16-935d-c52e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T08:14:22.000Z", "modified": "2019-09-11T08:14:22.000Z", "description": "malware as detected by ESET", "pattern": "[file:hashes.SHA1 = '244eb62b9ac30934098ca4204447440d6fc4e259']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-09-11T08:14:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d78acde-d94c-48a4-9770-c52e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T08:14:22.000Z", "modified": "2019-09-11T08:14:22.000Z", "description": "malware as detected by ESET", "pattern": "[file:hashes.SHA1 = '5c8f83cc4ff57e7c67925df4d9daabe5d0cc07e2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-09-11T08:14:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5d78ba7f-97f0-4ba7-8062-95e4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T09:12:31.000Z", "modified": "2019-09-11T09:12:31.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "Win32/StealthFalcon" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5d78bb45-783c-456e-a632-4105e387cbd9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T09:15:49.000Z", "modified": "2019-09-11T09:15:49.000Z", "first_observed": "2019-09-11T09:15:49Z", "last_observed": "2019-09-11T09:15:49Z", "number_observed": 1, "object_refs": [ "network-traffic--5d78bb45-783c-456e-a632-4105e387cbd9", "ipv4-addr--5d78bb45-783c-456e-a632-4105e387cbd9" ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5d78bb45-783c-456e-a632-4105e387cbd9", "src_ref": "ipv4-addr--5d78bb45-783c-456e-a632-4105e387cbd9", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5d78bb45-783c-456e-a632-4105e387cbd9", "value": "185.227.82.19" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5d78bb45-5550-4792-81df-43b1e387cbd9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T09:15:49.000Z", "modified": "2019-09-11T09:15:49.000Z", "first_observed": "2019-09-11T09:15:49Z", "last_observed": "2019-09-11T09:15:49Z", "number_observed": 1, "object_refs": [ "network-traffic--5d78bb45-5550-4792-81df-43b1e387cbd9", "ipv4-addr--5d78bb45-5550-4792-81df-43b1e387cbd9" ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5d78bb45-5550-4792-81df-43b1e387cbd9", "src_ref": "ipv4-addr--5d78bb45-5550-4792-81df-43b1e387cbd9", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5d78bb45-5550-4792-81df-43b1e387cbd9", "value": "46.183.219.85" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5d78bb46-8dbc-41cf-971d-431de387cbd9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T09:15:50.000Z", "modified": "2019-09-11T09:15:50.000Z", "first_observed": "2019-09-11T09:15:50Z", "last_observed": "2019-09-11T09:15:50Z", "number_observed": 1, "object_refs": [ "network-traffic--5d78bb46-8dbc-41cf-971d-431de387cbd9", "ipv4-addr--5d78bb46-8dbc-41cf-971d-431de387cbd9" ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5d78bb46-8dbc-41cf-971d-431de387cbd9", "src_ref": "ipv4-addr--5d78bb46-8dbc-41cf-971d-431de387cbd9", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5d78bb46-8dbc-41cf-971d-431de387cbd9", "value": "193.105.134.75" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5d78aae9-e0fc-4efb-957e-4829950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T08:06:01.000Z", "modified": "2019-09-11T08:06:01.000Z", "labels": [ "misp:name=\"command-line\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "description", "value": "Uninstall itself", "category": "Other", "uuid": "5d78aae9-9994-4be3-90b5-4f4e950d210f" }, { "type": "text", "object_relation": "value", "value": "K", "category": "Other", "uuid": "5d78aaef-b248-4e75-a0eb-4453950d210f" } ], "x_misp_meta_category": "misc", "x_misp_name": "command-line" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5d78ab5c-a620-4d62-b72b-8aa5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T08:07:56.000Z", "modified": "2019-09-11T08:07:56.000Z", "labels": [ "misp:name=\"command-line\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "description", "value": "Update configuration data", "category": "Other", "uuid": "5d78ab5c-a738-43f5-9441-8aa5950d210f" }, { "type": "text", "object_relation": "value", "value": "CFG", "category": "Other", "uuid": "5d78ab62-3fd8-49d7-9c2e-8aa5950d210f" } ], "x_misp_meta_category": "misc", "x_misp_name": "command-line" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5d78ad11-8e74-4fda-92f9-e7f0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T08:15:13.000Z", "modified": "2019-09-11T08:15:13.000Z", "labels": [ "misp:name=\"command-line\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "description", "value": "Execute the specified application", "category": "Other", "uuid": "5d78ad11-5028-48f2-a2d7-e7f0950d210f" }, { "type": "text", "object_relation": "value", "value": "RC", "category": "Other", "uuid": "5d78ad11-deb8-4372-a92a-e7f0950d210f" } ], "x_misp_meta_category": "misc", "x_misp_name": "command-line" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5d78ad26-4fbc-4e8e-a634-ca95950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T08:15:34.000Z", "modified": "2019-09-11T08:15:34.000Z", "labels": [ "misp:name=\"command-line\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "description", "value": "Write downloaded data to file", "category": "Other", "uuid": "5d78ad26-9728-4f7e-b0d1-ca95950d210f" }, { "type": "text", "object_relation": "value", "value": "DL", "category": "Other", "uuid": "5d78ad26-84c0-4df6-884e-ca95950d210f" } ], "x_misp_meta_category": "misc", "x_misp_name": "command-line" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5d78ad3a-5f28-4ba2-a5c6-8aa5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T08:15:54.000Z", "modified": "2019-09-11T08:15:54.000Z", "labels": [ "misp:name=\"command-line\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "description", "value": "Prepare a file for exfiltration", "category": "Other", "uuid": "5d78ad3a-3c64-4abb-917a-8aa5950d210f" }, { "type": "text", "object_relation": "value", "value": "CF", "category": "Other", "uuid": "5d78ad3a-4e10-403d-8aac-8aa5950d210f" } ], "x_misp_meta_category": "misc", "x_misp_name": "command-line" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5d78ad60-53c4-4617-b7c0-8aa9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T08:16:32.000Z", "modified": "2019-09-11T08:16:32.000Z", "labels": [ "misp:name=\"command-line\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "description", "value": "Not implemented/no operation", "category": "Other", "uuid": "5d78ad60-b23c-4624-9dbe-8aa9950d210f" }, { "type": "text", "object_relation": "value", "value": "CFWD", "category": "Other", "uuid": "5d78ad60-44bc-474a-b925-8aa9950d210f" } ], "x_misp_meta_category": "misc", "x_misp_name": "command-line" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5d78adad-d90c-4b7f-b37c-8aaa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T08:17:49.000Z", "modified": "2019-09-11T08:17:49.000Z", "labels": [ "misp:name=\"command-line\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "description", "value": "Exfiltrate and delete files", "category": "Other", "uuid": "5d78adad-02d8-4d3d-8e80-8aaa950d210f" }, { "type": "text", "object_relation": "value", "value": "CFW", "category": "Other", "uuid": "5d78adad-0394-46aa-8539-8aaa950d210f" } ], "x_misp_meta_category": "misc", "x_misp_name": "command-line" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5d78aee4-c290-488a-a73c-e7f0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T08:23:00.000Z", "modified": "2019-09-11T08:23:00.000Z", "first_observed": "2019-09-11T08:23:00Z", "last_observed": "2019-09-11T08:23:00Z", "number_observed": 1, "object_refs": [ "user-account--5d78aee4-c290-488a-a73c-e7f0950d210f" ], "labels": [ "misp:name=\"credential\"", "misp:meta-category=\"misc\"", "misp:to_ids=\"False\"" ] }, { "type": "user-account", "spec_version": "2.1", "id": "user-account--5d78aee4-c290-488a-a73c-e7f0950d210f", "credential": "258A4A9D139823F55D7B9DA1825D101107FBF88634A870DE9800580DAD556BA3", "x_misp_format": "clear-text", "x_misp_origin": "malware-analysis", "x_misp_password": [ "2519DB0FFEC604D6C9A655CF56B98EDCE10405DE36810BC3DCF125CDE30BA5A2", "3EDB6EA77CD0987668B360365D5F39FDCF6B366D0DEAC9ECE5ADC6FFD20227F6", "8DFFDE77A39F3AF46D0CE0B84A189DB25A2A0FEFD71A0CD0054D8E0D60AB08DE" ], "x_misp_text": "Note: Malware derives a second RC4 key by XORing each byte of the hardcoded key with 0x3D.", "x_misp_type": "encryption-key" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-11T09:12:00.000Z", "modified": "2019-09-11T09:12:00.000Z", "labels": [ "misp:name=\"command\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "description", "value": "Win32/StealthFalcon is a DLL file which, after execution, schedules itself as a task running on each user login. It only supports basic commands but displays a systematic approach to data collection, data exfiltration, employing further malicious tools, and updating its configuration.", "category": "Other", "uuid": "5d78b6f7-b7a4-49ac-9369-c534950d210f" }, { "type": "text", "object_relation": "trigger", "value": "Network", "category": "Other", "uuid": "5d78b6f7-17a8-4b54-8725-c534950d210f" }, { "type": "text", "object_relation": "location", "value": "Bundled", "category": "Other", "uuid": "5d78b6f7-be18-4e99-add1-c534950d210f" } ], "x_misp_comment": "Backdoor commands", "x_misp_meta_category": "misc", "x_misp_name": "command" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--679d31c0-3d2a-4a06-9303-5ea034e12952", "created": "2019-09-11T08:58:18.000Z", "modified": "2019-09-11T08:58:18.000Z", "relationship_type": "contains", "source_ref": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f", "target_ref": "x-misp-object--5d78aae9-e0fc-4efb-957e-4829950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cf83b1b2-71c7-40ad-80a8-bae8eb3177a2", "created": "2019-09-11T09:05:16.000Z", "modified": "2019-09-11T09:05:16.000Z", "relationship_type": "contains", "source_ref": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f", "target_ref": "x-misp-object--5d78ab5c-a620-4d62-b72b-8aa5950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3df6b2d1-291e-4024-a2b3-793c2b6d14c9", "created": "2019-09-11T09:05:28.000Z", "modified": "2019-09-11T09:05:28.000Z", "relationship_type": "contains", "source_ref": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f", "target_ref": "x-misp-object--5d78ad11-8e74-4fda-92f9-e7f0950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ab8f79c1-cfd0-4a1c-b0a2-0e75f0145698", "created": "2019-09-11T09:05:39.000Z", "modified": "2019-09-11T09:05:39.000Z", "relationship_type": "contains", "source_ref": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f", "target_ref": "x-misp-object--5d78ad26-4fbc-4e8e-a634-ca95950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--688f6ec2-e421-4045-ae62-3d6562fccb32", "created": "2019-09-11T09:06:37.000Z", "modified": "2019-09-11T09:06:37.000Z", "relationship_type": "contains", "source_ref": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f", "target_ref": "x-misp-object--5d78ad3a-5f28-4ba2-a5c6-8aa5950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fb514130-2cb8-4149-9713-c5d5799defdd", "created": "2019-09-11T09:06:49.000Z", "modified": "2019-09-11T09:06:49.000Z", "relationship_type": "contains", "source_ref": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f", "target_ref": "x-misp-object--5d78ad60-53c4-4617-b7c0-8aa9950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f086401b-5204-462c-a658-4995da219fcb", "created": "2019-09-11T09:07:11.000Z", "modified": "2019-09-11T09:07:11.000Z", "relationship_type": "contains", "source_ref": "x-misp-object--5d78b6f6-9ae4-4260-a284-c534950d210f", "target_ref": "x-misp-object--5d78adad-d90c-4b7f-b37c-8aaa950d210f" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }