{ "type": "bundle", "id": "bundle--588867a4-c470-4914-b854-d3f6950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-25T14:35:40.000Z", "modified": "2017-01-25T14:35:40.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--588867a4-c470-4914-b854-d3f6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-25T14:35:40.000Z", "modified": "2017-01-25T14:35:40.000Z", "name": "OSINT - Malicious SVG Files in the Wild", "published": "2017-01-25T14:35:54Z", "object_refs": [ "x-misp-attribute--58886c74-6c08-4ab2-8c2b-f8df950d210f", "observed-data--58886ccc-507c-4c7e-87b0-5b46950d210f", "url--58886ccc-507c-4c7e-87b0-5b46950d210f", "indicator--58886d0f-7a80-4188-9ca9-2fc5950d210f", "indicator--58886d10-9ca4-452d-a1e1-2fc5950d210f", "indicator--58886d30-90dc-4a21-8d14-f8e5950d210f", "indicator--5888b58a-9d84-49d9-9465-4e3f02de0b81", "indicator--5888b58b-0fc8-4aee-bc0f-430f02de0b81", "observed-data--5888b58b-879c-409a-8eaa-465b02de0b81", "url--5888b58b-879c-409a-8eaa-465b02de0b81", "indicator--5888b58c-eb80-46a8-8853-46a402de0b81", "indicator--5888b58d-c0c8-406b-b0d1-41ae02de0b81", "observed-data--5888b58e-0508-4f80-a64e-486102de0b81", "url--5888b58e-0508-4f80-a64e-486102de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "osint:source-type=\"blog-post\"", "misp-galaxy:tool=\"Snifula\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--58886c74-6c08-4ab2-8c2b-f8df950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-25T09:14:28.000Z", "modified": "2017-01-25T09:14:28.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "In November 2016, the Facebook messenger application was used to deliver malicious SVG files to people [1]. SVG files (or \"Scalable Vector Graphics\") are vector images that can be displayed in most modern browsers (natively or via a specific plugin). More precisely, Internet Explorer 9 supports the basic SVG feature sets and IE10 extended the support by adding SVG 1.1 support. In the Microsoft Windows operating system, SVG files are handled by Internet Explorer by default." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58886ccc-507c-4c7e-87b0-5b46950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-25T09:16:21.000Z", "modified": "2017-01-25T09:16:21.000Z", "first_observed": "2017-01-25T09:16:21Z", "last_observed": "2017-01-25T09:16:21Z", "number_observed": 1, "object_refs": [ "url--58886ccc-507c-4c7e-87b0-5b46950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "admiralty-scale:source-reliability=\"b\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58886ccc-507c-4c7e-87b0-5b46950d210f", "value": "https://isc.sans.edu/forums/diary/Malicious+SVG+Files+in+the+Wild/21971/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58886d0f-7a80-4188-9ca9-2fc5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-25T09:17:03.000Z", "modified": "2017-01-25T09:17:03.000Z", "description": "00967999543-(02).svg", "pattern": "[file:hashes.MD5 = '6b9649531f35c7de78735aa45d25d1a7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-25T09:17:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58886d10-9ca4-452d-a1e1-2fc5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-25T09:17:04.000Z", "modified": "2017-01-25T09:17:04.000Z", "description": "P0039988439992_001.jpg.svg", "pattern": "[file:hashes.MD5 = 'e2f7245d016c52fc9c56531e483e6cfb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-25T09:17:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58886d30-90dc-4a21-8d14-f8e5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-25T14:26:48.000Z", "modified": "2017-01-25T14:26:48.000Z", "description": "The second part is a classic obfuscated JavaScript that executes the following (de-obfuscated) code:", "pattern": "[url:value = 'http://juanpedroperez.com/fotos/photos/xfs_extension.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-25T14:26:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"", "adversary:infrastructure-status=\"compromised\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5888b58a-9d84-49d9-9465-4e3f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-25T14:26:18.000Z", "modified": "2017-01-25T14:26:18.000Z", "description": "P0039988439992_001.jpg.svg - Xchecked via VT: e2f7245d016c52fc9c56531e483e6cfb", "pattern": "[file:hashes.SHA256 = '7cd31c21f03d54f88de2d5ae715be416bfaa69b3230bdd93aba44c07963363df']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-25T14:26:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5888b58b-0fc8-4aee-bc0f-430f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-25T14:26:19.000Z", "modified": "2017-01-25T14:26:19.000Z", "description": "P0039988439992_001.jpg.svg - Xchecked via VT: e2f7245d016c52fc9c56531e483e6cfb", "pattern": "[file:hashes.SHA1 = 'caf8d6099ed95d223993f43a156b703220d1a1c3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-25T14:26:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5888b58b-879c-409a-8eaa-465b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-25T14:26:19.000Z", "modified": "2017-01-25T14:26:19.000Z", "first_observed": "2017-01-25T14:26:19Z", "last_observed": "2017-01-25T14:26:19Z", "number_observed": 1, "object_refs": [ "url--5888b58b-879c-409a-8eaa-465b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5888b58b-879c-409a-8eaa-465b02de0b81", "value": "https://www.virustotal.com/file/7cd31c21f03d54f88de2d5ae715be416bfaa69b3230bdd93aba44c07963363df/analysis/1484747652/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5888b58c-eb80-46a8-8853-46a402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-25T14:26:20.000Z", "modified": "2017-01-25T14:26:20.000Z", "description": "00967999543-(02).svg - Xchecked via VT: 6b9649531f35c7de78735aa45d25d1a7", "pattern": "[file:hashes.SHA256 = '4682a3ad2c6ae46a8eb1190936583ebc69644b206e2e9103071c4630f081b3f2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-25T14:26:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5888b58d-c0c8-406b-b0d1-41ae02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-25T14:26:21.000Z", "modified": "2017-01-25T14:26:21.000Z", "description": "00967999543-(02).svg - Xchecked via VT: 6b9649531f35c7de78735aa45d25d1a7", "pattern": "[file:hashes.SHA1 = '5837a4d288ac9d0065143a88f4899283b4603eee']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-25T14:26:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5888b58e-0508-4f80-a64e-486102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-25T14:26:22.000Z", "modified": "2017-01-25T14:26:22.000Z", "first_observed": "2017-01-25T14:26:22Z", "last_observed": "2017-01-25T14:26:22Z", "number_observed": 1, "object_refs": [ "url--5888b58e-0508-4f80-a64e-486102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5888b58e-0508-4f80-a64e-486102de0b81", "value": "https://www.virustotal.com/file/4682a3ad2c6ae46a8eb1190936583ebc69644b206e2e9103071c4630f081b3f2/analysis/1485160514/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }