{ "type": "bundle", "id": "bundle--5894bd56-d458-489f-a692-41d102de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:06:05.000Z", "modified": "2017-02-03T21:06:05.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5894bd56-d458-489f-a692-41d102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:06:05.000Z", "modified": "2017-02-03T21:06:05.000Z", "name": "OSINT: Malicious software targeting financial sector internals", "published": "2017-02-03T21:06:16Z", "object_refs": [ "indicator--5894be75-7574-4e69-bfae-455202de0b81", "indicator--5894be76-7508-4910-9d02-4dba02de0b81", "indicator--5894be76-4f38-4e7e-ac86-497f02de0b81", "indicator--5894be77-75b0-4734-8249-40a902de0b81", "indicator--5894be78-4ab0-454c-9b6b-450f02de0b81", "indicator--5894be79-6d7c-4bde-bcd3-465202de0b81", "indicator--5894be79-698c-4f80-b7b5-499402de0b81", "indicator--5894be7a-58b4-4e46-a226-480f02de0b81", "indicator--5894be7b-8e00-49c2-aefc-447b02de0b81", "indicator--5894be7c-b780-4516-bbf0-4ed702de0b81", "indicator--5894be7d-b554-4cc4-85d8-499e02de0b81", "indicator--5894be7d-4fb0-4992-b86f-42a502de0b81", "indicator--5894be7e-2770-473e-9555-440f02de0b81", "indicator--5894be7f-4d6c-4b70-816b-409402de0b81", "indicator--5894be7f-62f0-4f96-b04a-482202de0b81", "indicator--5894be80-8628-4324-8b08-488102de0b81", "indicator--5894be81-1b9c-4742-b624-4aa002de0b81", "indicator--5894be81-0220-46ab-b665-4e6c02de0b81", "indicator--5894be82-36dc-43bf-ba0a-4c7902de0b81", "observed-data--5894be83-553c-4da5-9230-445002de0b81", "domain-name--5894be83-553c-4da5-9230-445002de0b81", "observed-data--5894be84-385c-4009-ab47-476802de0b81", "domain-name--5894be84-385c-4009-ab47-476802de0b81", "observed-data--5894be84-c4d0-4b38-85ab-40d802de0b81", "url--5894be84-c4d0-4b38-85ab-40d802de0b81", "observed-data--5894f097-1eb8-4aab-9cbb-41d202de0b81", "url--5894f097-1eb8-4aab-9cbb-41d202de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "circl:topic=\"finance\"", "Threat Type:RAT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894be75-7574-4e69-bfae-455202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T17:31:33.000Z", "modified": "2017-02-03T17:31:33.000Z", "description": "malware hash", "pattern": "[file:hashes.MD5 = 'c1364bbf63b3617b25b58209e4529d8c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T17:31:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894be76-7508-4910-9d02-4dba02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T17:31:34.000Z", "modified": "2017-02-03T17:31:34.000Z", "description": "malware hash", "pattern": "[file:hashes.MD5 = '85d316590edfb4212049c4490db08c4b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T17:31:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894be76-4f38-4e7e-ac86-497f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T17:31:34.000Z", "modified": "2017-02-03T17:31:34.000Z", "description": "malware hash", "pattern": "[file:hashes.MD5 = '1bfbc0c9e0d9ceb5c3f4f6ced6bcfeae']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T17:31:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894be77-75b0-4734-8249-40a902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T17:31:35.000Z", "modified": "2017-02-03T17:31:35.000Z", "description": "malware hash", "pattern": "[file:hashes.SHA1 = '496207db444203a6a9c02a32aff28d563999736c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T17:31:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894be78-4ab0-454c-9b6b-450f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T17:31:36.000Z", "modified": "2017-02-03T17:31:36.000Z", "description": "malware hash", "pattern": "[file:hashes.SHA1 = '4f0d7a33d23d53c0eb8b34d102cdd660fc5323a2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T17:31:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894be79-6d7c-4bde-bcd3-465202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T17:31:37.000Z", "modified": "2017-02-03T17:31:37.000Z", "description": "malware hash", "pattern": "[file:hashes.SHA1 = 'bedceafa2109139c793cb158cec9fa48f980ff2b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T17:31:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894be79-698c-4f80-b7b5-499402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T17:31:37.000Z", "modified": "2017-02-03T17:31:37.000Z", "description": "malware hash", "pattern": "[file:hashes.SHA256 = 'fc8607c155617e09d540c5030eabad9a9512f656f16b38682fd50b2007583e9b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T17:31:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894be7a-58b4-4e46-a226-480f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T17:31:38.000Z", "modified": "2017-02-03T17:31:38.000Z", "description": "malware hash", "pattern": "[file:hashes.SHA256 = 'd4616f9706403a0d5a2f9a8726230a4693e4c95c58df5c753ccc684f1d3542e2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T17:31:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894be7b-8e00-49c2-aefc-447b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T17:31:39.000Z", "modified": "2017-02-03T17:31:39.000Z", "description": "malware hash", "pattern": "[file:hashes.SHA256 = 'cc6a731e9daff84bae4214603e1c3bad8d6735b0cbb2a0ec1635b36e6a38cb3a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T17:31:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894be7c-b780-4516-bbf0-4ed702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T17:31:40.000Z", "modified": "2017-02-03T17:31:40.000Z", "description": "C&C", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '125.214.195.17']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T17:31:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894be7d-b554-4cc4-85d8-499e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T17:31:40.000Z", "modified": "2017-02-03T17:31:40.000Z", "description": "C&C", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '196.29.166.218']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T17:31:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894be7d-4fb0-4992-b86f-42a502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T17:31:41.000Z", "modified": "2017-02-03T17:31:41.000Z", "description": "injected URL in compromised website", "pattern": "[url:value = 'http://sap.misapor.ch/vishop/view.jsp?pagenum=1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T17:31:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894be7e-2770-473e-9555-440f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T17:31:42.000Z", "modified": "2017-02-03T17:31:42.000Z", "pattern": "[domain-name:value = 'sap.misapor.ch']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T17:31:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894be7f-4d6c-4b70-816b-409402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T17:31:43.000Z", "modified": "2017-02-03T17:31:43.000Z", "description": "sap.misapor.ch", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '109.164.247.169']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T17:31:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894be7f-62f0-4f96-b04a-482202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T17:31:43.000Z", "modified": "2017-02-03T17:31:43.000Z", "description": "injected URL in compromised website", "pattern": "[url:value = 'https://www.eye-watch.in/design/fancybox/Pnf.action']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T17:31:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894be80-8628-4324-8b08-488102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T17:31:44.000Z", "modified": "2017-02-03T17:31:44.000Z", "pattern": "[domain-name:value = 'www.eye-watch.in']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T17:31:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894be81-1b9c-4742-b624-4aa002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T17:31:45.000Z", "modified": "2017-02-03T17:31:45.000Z", "description": "www.eye-watch.in", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '54.225.154.115']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T17:31:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894be81-0220-46ab-b665-4e6c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T17:31:45.000Z", "modified": "2017-02-03T17:31:45.000Z", "description": "www.eye-watch.in", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '54.235.128.97']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T17:31:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894be82-36dc-43bf-ba0a-4c7902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T17:31:46.000Z", "modified": "2017-02-03T17:31:46.000Z", "description": "compromised website for distribution", "pattern": "[url:value = 'http://www.knf.gov.pl/DefaultDesign/Layouts/KNF2013/resources/accordian-src.js?ver=11']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T17:31:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894be83-553c-4da5-9230-445002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T17:31:47.000Z", "modified": "2017-02-03T17:31:47.000Z", "first_observed": "2017-02-03T17:31:47Z", "last_observed": "2017-02-03T17:31:47Z", "number_observed": 1, "object_refs": [ "domain-name--5894be83-553c-4da5-9230-445002de0b81" ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--5894be83-553c-4da5-9230-445002de0b81", "value": "www.knf.gov.pl" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894be84-385c-4009-ab47-476802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T17:31:48.000Z", "modified": "2017-02-03T17:31:48.000Z", "first_observed": "2017-02-03T17:31:48Z", "last_observed": "2017-02-03T17:31:48Z", "number_observed": 1, "object_refs": [ "domain-name--5894be84-385c-4009-ab47-476802de0b81" ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--5894be84-385c-4009-ab47-476802de0b81", "value": "knf.gov.pl" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894be84-c4d0-4b38-85ab-40d802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:06:05.000Z", "modified": "2017-02-03T21:06:05.000Z", "first_observed": "2017-02-03T21:06:05Z", "last_observed": "2017-02-03T21:06:05Z", "number_observed": 1, "object_refs": [ "url--5894be84-c4d0-4b38-85ab-40d802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "admiralty-scale:information-credibility=\"3\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894be84-c4d0-4b38-85ab-40d802de0b81", "value": "https://badcyber.com/several-polish-banks-hacked-information-stolen-by-unknown-attackers/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f097-1eb8-4aab-9cbb-41d202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:05:27.000Z", "modified": "2017-02-03T21:05:27.000Z", "first_observed": "2017-02-03T21:05:27Z", "last_observed": "2017-02-03T21:05:27Z", "number_observed": 1, "object_refs": [ "url--5894f097-1eb8-4aab-9cbb-41d202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f097-1eb8-4aab-9cbb-41d202de0b81", "value": "https://www.virustotal.com/file/d4616f9706403a0d5a2f9a8726230a4693e4c95c58df5c753ccc684f1d3542e2/analysis/1486132198/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }