{ "type": "bundle", "id": "bundle--587fc1b5-fd10-42e7-8184-637702de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:33:59.000Z", "modified": "2017-01-18T19:33:59.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--587fc1b5-fd10-42e7-8184-637702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:33:59.000Z", "modified": "2017-01-18T19:33:59.000Z", "name": "OSINT - New Mac backdoor using antiquated code", "published": "2017-01-18T19:35:00Z", "object_refs": [ "x-misp-attribute--587fc232-0348-4488-a667-45b502de0b81", "observed-data--587fc240-a794-46ce-ac59-4b0a02de0b81", "url--587fc240-a794-46ce-ac59-4b0a02de0b81", "indicator--587fc25c-5fe0-40f7-84df-638002de0b81", "indicator--587fc25d-0a48-44dc-a196-638002de0b81", "indicator--587fc272-e8ac-4372-83b6-4b2402de0b81", "indicator--587fc273-ecb8-47bc-ba0d-4aa102de0b81", "indicator--587fc2a4-29fc-4bd5-bf7a-637a02de0b81", "indicator--587fc2c0-2688-4d0a-8264-637f02de0b81", "indicator--587fc2e0-9bec-4f9e-ade8-b06d02de0b81", "indicator--587fc2e1-bcbc-4de8-a6d6-b06d02de0b81", "x-misp-attribute--587fc2fd-7a88-4b6d-afb0-b06b02de0b81", "indicator--587fc327-b678-4803-b15f-b06d02de0b81", "indicator--587fc327-ffb8-420f-9174-b06d02de0b81", "observed-data--587fc328-feec-43dc-800c-b06d02de0b81", "url--587fc328-feec-43dc-800c-b06d02de0b81", "indicator--587fc329-9298-4b1c-ac87-b06d02de0b81", "indicator--587fc32a-4528-458c-91a0-b06d02de0b81", "observed-data--587fc32a-60a0-48d1-89d1-b06d02de0b81", "url--587fc32a-60a0-48d1-89d1-b06d02de0b81", "indicator--587fc32b-fcdc-4cec-b22d-b06d02de0b81", "indicator--587fc32c-27ec-4800-bc47-b06d02de0b81", "observed-data--587fc32d-132c-4c51-9085-b06d02de0b81", "url--587fc32d-132c-4c51-9085-b06d02de0b81", "indicator--587fc32d-c1e0-4edb-8e5d-b06d02de0b81", 
"indicator--587fc32e-7b7c-4acc-a7d4-b06d02de0b81", "observed-data--587fc32f-b3c8-442a-9cda-b06d02de0b81", "url--587fc32f-b3c8-442a-9cda-b06d02de0b81", "indicator--587fc330-7248-49ef-ae67-b06d02de0b81", "indicator--587fc330-2b6c-4b22-bc05-b06d02de0b81", "observed-data--587fc331-05c4-482c-ad41-b06d02de0b81", "url--587fc331-05c4-482c-ad41-b06d02de0b81", "indicator--587fc332-6d4c-4786-a7d2-b06d02de0b81", "indicator--587fc332-1ae4-4394-8893-b06d02de0b81", "observed-data--587fc333-f574-41dc-9c50-b06d02de0b81", "url--587fc333-f574-41dc-9c50-b06d02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "ms-caro-malware:malware-platform=\"MacOS_X\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--587fc232-0348-4488-a667-45b502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:29:54.000Z", "modified": "2017-01-18T19:29:54.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "The first Mac malware of 2017 was brought to my attention by an IT admin, who spotted some strange outgoing network traffic from a particular Mac. This led to the discovery of a piece of malware unlike anything I\u2019ve seen before, which appears to have actually been in existence, undetected, for some time, and which seems to be targeting biomedical research centers." 
}, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--587fc240-a794-46ce-ac59-4b0a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:30:08.000Z", "modified": "2017-01-18T19:30:08.000Z", "first_observed": "2017-01-18T19:30:08Z", "last_observed": "2017-01-18T19:30:08Z", "number_observed": 1, "object_refs": [ "url--587fc240-a794-46ce-ac59-4b0a02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--587fc240-a794-46ce-ac59-4b0a02de0b81", "value": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587fc25c-5fe0-40f7-84df-638002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:30:36.000Z", "modified": "2017-01-18T19:30:36.000Z", "description": "~/.client", "pattern": "[file:hashes.SHA256 = 'ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-18T19:30:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587fc25d-0a48-44dc-a196-638002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:30:37.000Z", "modified": "2017-01-18T19:30:37.000Z", "description": "~/Library/LaunchAgents/com.client.client.plist", "pattern": "[file:hashes.SHA256 = '83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-18T19:30:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ 
"misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587fc272-e8ac-4372-83b6-4b2402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:30:58.000Z", "modified": "2017-01-18T19:30:58.000Z", "description": "The perl script, among other things, communicates with the following command and control (C&C) servers:", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '99.153.29.240']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-18T19:30:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587fc273-ecb8-47bc-ba0d-4aa102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:30:59.000Z", "modified": "2017-01-18T19:30:59.000Z", "description": "The perl script, among other things, communicates with the following command and control (C&C) servers:", "pattern": "[domain-name:value = 'eidk.hopto.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-18T19:30:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587fc2a4-29fc-4bd5-bf7a-637a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:31:48.000Z", "modified": "2017-01-18T19:31:48.000Z", "description": "afpscan - Another file downloaded from the C&C server was named \u201cafpscan\u201d, and it seems to try to connect to other 
devices on the network", "pattern": "[file:hashes.SHA256 = 'bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-18T19:31:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587fc2c0-2688-4d0a-8264-637f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:32:16.000Z", "modified": "2017-01-18T19:32:16.000Z", "description": "quimitchin-java-class We also observed the malware downloading a perl script, named \u201cmacsvc\u201d,", "pattern": "[file:hashes.SHA256 = 'b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-18T19:32:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587fc2e0-9bec-4f9e-ade8-b06d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:32:48.000Z", "modified": "2017-01-18T19:32:48.000Z", "description": "We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. 
Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names.", "pattern": "[file:hashes.SHA256 = '94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-18T19:32:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587fc2e1-bcbc-4de8-a6d6-b06d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:32:49.000Z", "modified": "2017-01-18T19:32:49.000Z", "description": "We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. 
Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names.", "pattern": "[file:hashes.SHA256 = '694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-18T19:32:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--587fc2fd-7a88-4b6d-afb0-b06b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:33:17.000Z", "modified": "2017-01-18T19:33:17.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "OSX.Backdoor.Quimitchin" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587fc327-b678-4803-b15f-b06d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:33:59.000Z", "modified": "2017-01-18T19:33:59.000Z", "description": "~/.client - Xchecked via VT: ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044", "pattern": "[file:hashes.SHA1 = '18957d7549b4e296fcaeb122ff241d9799804fa3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-18T19:33:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587fc327-ffb8-420f-9174-b06d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:33:59.000Z", "modified": "2017-01-18T19:33:59.000Z", "description": 
"~/.client - Xchecked via VT: ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044", "pattern": "[file:hashes.MD5 = 'e4744b9f927dc8048a19dca15590660c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-18T19:33:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--587fc328-feec-43dc-800c-b06d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:34:00.000Z", "modified": "2017-01-18T19:34:00.000Z", "first_observed": "2017-01-18T19:34:00Z", "last_observed": "2017-01-18T19:34:00Z", "number_observed": 1, "object_refs": [ "url--587fc328-feec-43dc-800c-b06d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--587fc328-feec-43dc-800c-b06d02de0b81", "value": "https://www.virustotal.com/file/ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044/analysis/1484569121/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587fc329-9298-4b1c-ac87-b06d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:34:01.000Z", "modified": "2017-01-18T19:34:01.000Z", "description": "~/Library/LaunchAgents/com.client.client.plist - Xchecked via VT: 83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3", "pattern": "[file:hashes.SHA1 = 'cd42b88569faa946a4b9d6f7408b958dcbcf7554']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-18T19:34:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--587fc32a-4528-458c-91a0-b06d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:34:02.000Z", "modified": "2017-01-18T19:34:02.000Z", "description": "~/Library/LaunchAgents/com.client.client.plist - Xchecked via VT: 83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3", "pattern": "[file:hashes.MD5 = '9d9cca200dd0e5f9d59225131d5269b0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-18T19:34:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--587fc32a-60a0-48d1-89d1-b06d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:34:02.000Z", "modified": "2017-01-18T19:34:02.000Z", "first_observed": "2017-01-18T19:34:02Z", "last_observed": "2017-01-18T19:34:02Z", "number_observed": 1, "object_refs": [ "url--587fc32a-60a0-48d1-89d1-b06d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--587fc32a-60a0-48d1-89d1-b06d02de0b81", "value": "https://www.virustotal.com/file/83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3/analysis/1484177653/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587fc32b-fcdc-4cec-b22d-b06d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:34:03.000Z", "modified": "2017-01-18T19:34:03.000Z", "description": "afpscan - Another file downloaded from the C&C server was named \u201cafpscan\u201d, and it seems to try to connect to other devices on the network - Xchecked via VT: bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55", "pattern": "[file:hashes.SHA1 = 
'66e520e18accd92abb4722a6cd6a285981ac5bd1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-18T19:34:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587fc32c-27ec-4800-bc47-b06d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:34:04.000Z", "modified": "2017-01-18T19:34:04.000Z", "description": "afpscan - Another file downloaded from the C&C server was named \u201cafpscan\u201d, and it seems to try to connect to other devices on the network - Xchecked via VT: bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55", "pattern": "[file:hashes.MD5 = '7bb4f5d962a5b3bb18db9ce08c0b6cbf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-18T19:34:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--587fc32d-132c-4c51-9085-b06d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:34:05.000Z", "modified": "2017-01-18T19:34:05.000Z", "first_observed": "2017-01-18T19:34:05Z", "last_observed": "2017-01-18T19:34:05Z", "number_observed": 1, "object_refs": [ "url--587fc32d-132c-4c51-9085-b06d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--587fc32d-132c-4c51-9085-b06d02de0b81", "value": "https://www.virustotal.com/file/bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55/analysis/1484082473/" }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--587fc32d-c1e0-4edb-8e5d-b06d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:34:05.000Z", "modified": "2017-01-18T19:34:05.000Z", "description": "quimitchin-java-class We also observed the malware downloading a perl script, named \u201cmacsvc\u201d, - Xchecked via VT: b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0", "pattern": "[file:hashes.SHA1 = '3c4904832392e70e415b0520d45ff7a1c93c2c4e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-18T19:34:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587fc32e-7b7c-4acc-a7d4-b06d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:34:06.000Z", "modified": "2017-01-18T19:34:06.000Z", "description": "quimitchin-java-class We also observed the malware downloading a perl script, named \u201cmacsvc\u201d, - Xchecked via VT: b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0", "pattern": "[file:hashes.MD5 = 'f8e3c8e43593ecbd9b62f6e18c8d6474']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-18T19:34:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--587fc32f-b3c8-442a-9cda-b06d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:34:07.000Z", "modified": "2017-01-18T19:34:07.000Z", "first_observed": "2017-01-18T19:34:07Z", "last_observed": "2017-01-18T19:34:07Z", "number_observed": 1, 
"object_refs": [ "url--587fc32f-b3c8-442a-9cda-b06d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--587fc32f-b3c8-442a-9cda-b06d02de0b81", "value": "https://www.virustotal.com/file/b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0/analysis/1484326500/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587fc330-7248-49ef-ae67-b06d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:34:08.000Z", "modified": "2017-01-18T19:34:08.000Z", "description": "We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names. - Xchecked via VT: 94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647", "pattern": "[file:hashes.SHA1 = '03ab5fdb40db260dbc35aadba202e920e57eb348']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-18T19:34:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587fc330-2b6c-4b22-bc05-b06d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:34:08.000Z", "modified": "2017-01-18T19:34:08.000Z", "description": "We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. 
Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names. - Xchecked via VT: 94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647", "pattern": "[file:hashes.MD5 = '3adf6025eb710f2bf1918ee2f116153d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-18T19:34:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--587fc331-05c4-482c-ad41-b06d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:34:09.000Z", "modified": "2017-01-18T19:34:09.000Z", "first_observed": "2017-01-18T19:34:09Z", "last_observed": "2017-01-18T19:34:09Z", "number_observed": 1, "object_refs": [ "url--587fc331-05c4-482c-ad41-b06d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--587fc331-05c4-482c-ad41-b06d02de0b81", "value": "https://www.virustotal.com/file/94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647/analysis/1484177008/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587fc332-6d4c-4786-a7d2-b06d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:34:10.000Z", "modified": "2017-01-18T19:34:10.000Z", "description": "We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names. 
- Xchecked via VT: 694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26", "pattern": "[file:hashes.SHA1 = '1e493ebde7fa77d5ae503aa7758fac87d11da116']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-18T19:34:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587fc332-1ae4-4394-8893-b06d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:34:10.000Z", "modified": "2017-01-18T19:34:10.000Z", "description": "We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names. 
- Xchecked via VT: 694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26", "pattern": "[file:hashes.MD5 = 'd4a14a1516d5ec9452a29de24ba85d0e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-18T19:34:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--587fc333-f574-41dc-9c50-b06d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-18T19:34:11.000Z", "modified": "2017-01-18T19:34:11.000Z", "first_observed": "2017-01-18T19:34:11Z", "last_observed": "2017-01-18T19:34:11Z", "number_observed": 1, "object_refs": [ "url--587fc333-f574-41dc-9c50-b06d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--587fc333-f574-41dc-9c50-b06d02de0b81", "value": "https://www.virustotal.com/file/694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26/analysis/1484177158/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }