{ "type": "bundle", "id": "bundle--5ccf3134-ea64-43c1-a356-f9f3950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-13T09:20:09.000Z", "modified": "2019-05-13T09:20:09.000Z", "name": "MalwareMustDie", "identity_class": "organization" }, { "type": "grouping", "spec_version": "2.1", "id": "grouping--5ccf3134-ea64-43c1-a356-f9f3950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-13T09:20:09.000Z", "modified": "2019-05-13T09:20:09.000Z", "name": "SystemTen (ELF trojan installer, miner, bot and rootkit) / ex-Rocke", "context": "suspicious-activity", "object_refs": [ "observed-data--5ccf331e-da90-4718-94c8-49d3950d210f", "url--5ccf331e-da90-4718-94c8-49d3950d210f", "observed-data--5ccf331e-1534-4301-9d4c-4d32950d210f", "url--5ccf331e-1534-4301-9d4c-4d32950d210f", "observed-data--5ccf338a-a70c-4aef-ae6c-4b95950d210f", "file--5ccf338a-a70c-4aef-ae6c-4b95950d210f", "observed-data--5ccf338a-41ec-4332-86d4-4ee9950d210f", "file--5ccf338a-41ec-4332-86d4-4ee9950d210f", "observed-data--5ccf338a-3788-4d10-8dfb-45b6950d210f", "file--5ccf338a-3788-4d10-8dfb-45b6950d210f", "observed-data--5ccf338b-8d84-4997-9c96-454a950d210f", "file--5ccf338b-8d84-4997-9c96-454a950d210f", "observed-data--5ccf338b-2d54-4f22-afff-4296950d210f", "file--5ccf338b-2d54-4f22-afff-4296950d210f", "observed-data--5ccf338b-9b24-43ce-ba79-400f950d210f", "file--5ccf338b-9b24-43ce-ba79-400f950d210f", "observed-data--5ccf338b-7164-4214-b2af-489a950d210f", "file--5ccf338b-7164-4214-b2af-489a950d210f", "observed-data--5ccf338b-29f4-4d56-91a8-4ec9950d210f", "file--5ccf338b-29f4-4d56-91a8-4ec9950d210f", "observed-data--5ccf338b-8848-4992-830d-4f87950d210f", "file--5ccf338b-8848-4992-830d-4f87950d210f", "observed-data--5ccf338b-0c80-4351-9fe5-4ae4950d210f", "file--5ccf338b-0c80-4351-9fe5-4ae4950d210f", "observed-data--5ccf338b-e194-463f-86b2-4c83950d210f", 
"file--5ccf338b-e194-463f-86b2-4c83950d210f", "observed-data--5ccf338b-dc8c-4e16-930c-4ea4950d210f", "file--5ccf338b-dc8c-4e16-930c-4ea4950d210f", "observed-data--5ccf338b-d720-4e12-9828-400b950d210f", "file--5ccf338b-d720-4e12-9828-400b950d210f", "observed-data--5ccf338b-9eec-415d-8713-4dba950d210f", "file--5ccf338b-9eec-415d-8713-4dba950d210f", "observed-data--5ccf338b-9ca0-4ff6-906a-4949950d210f", "file--5ccf338b-9ca0-4ff6-906a-4949950d210f", "observed-data--5ccf338b-34c4-4ceb-9797-4327950d210f", "file--5ccf338b-34c4-4ceb-9797-4327950d210f", "observed-data--5ccf338b-1e8c-4620-b81d-48a7950d210f", "file--5ccf338b-1e8c-4620-b81d-48a7950d210f", "observed-data--5ccf338b-d71c-4be9-bf9f-424d950d210f", "file--5ccf338b-d71c-4be9-bf9f-424d950d210f", "observed-data--5ccf338b-20fc-4572-980b-4937950d210f", "file--5ccf338b-20fc-4572-980b-4937950d210f", "observed-data--5ccf338b-77c0-4310-b0b8-4155950d210f", "file--5ccf338b-77c0-4310-b0b8-4155950d210f", "observed-data--5ccf338b-5f70-42cf-b488-4660950d210f", "file--5ccf338b-5f70-42cf-b488-4660950d210f", "observed-data--5ccf338b-fc44-4109-98ee-4ea1950d210f", "file--5ccf338b-fc44-4109-98ee-4ea1950d210f", "observed-data--5ccf33c6-84b8-4b61-8d12-4c63950d210f", "file--5ccf33c6-84b8-4b61-8d12-4c63950d210f", "observed-data--5ccf33c6-8bd4-4b84-ae73-43ef950d210f", "file--5ccf33c6-8bd4-4b84-ae73-43ef950d210f", "observed-data--5ccf33c6-2c48-49d9-bdc6-4af6950d210f", "file--5ccf33c6-2c48-49d9-bdc6-4af6950d210f", "observed-data--5ccf33c6-1690-4a1c-a41e-4b65950d210f", "file--5ccf33c6-1690-4a1c-a41e-4b65950d210f", "observed-data--5ccf33c6-f0d4-4a32-9cc7-405e950d210f", "file--5ccf33c6-f0d4-4a32-9cc7-405e950d210f", "indicator--5ccf343e-6444-410e-9d87-415c950d210f", "indicator--5ccf343e-3880-492a-93ba-423d950d210f", "indicator--5ccf343e-6234-48a2-88f4-4734950d210f", "indicator--5ccf343e-0500-4226-90d9-477b950d210f", "indicator--5ccf343e-59ac-4de1-be7e-408b950d210f", "indicator--5ccf343e-5098-44d0-bb39-4100950d210f", 
"indicator--5ccf343e-31a4-4dfe-8318-4e1e950d210f", "indicator--5ccf343e-a4c8-4a2a-99ee-45d6950d210f", "indicator--5ccf343e-f58c-4fdd-95f2-46dd950d210f", "indicator--5ccf343e-aa74-4740-8638-495d950d210f", "indicator--5ccf343e-2c70-41eb-a61c-45b3950d210f", "indicator--5ccf343e-f75c-4aae-b652-4e03950d210f", "indicator--5ccf343e-0e58-4347-8020-4d32950d210f", "indicator--5ccf355f-6d0c-41a1-a55a-4dc7950d210f", "indicator--5ccf355f-04d4-4359-8fbb-47cf950d210f", "indicator--5ccf355f-93a0-48b2-b7fc-427d950d210f", "indicator--5ccf355f-39dc-4d46-beeb-4488950d210f", "indicator--5ccf355f-f5f8-439d-bb9f-49f8950d210f", "indicator--5ccf355f-9aa4-4759-8b0d-4838950d210f", "indicator--5ccf355f-3460-4721-8f60-4d31950d210f", "indicator--5ccf355f-f270-4244-9357-4038950d210f", "indicator--5ccf355f-c340-44b6-92e4-41db950d210f", "indicator--5ccf355f-7d68-4c6f-bdd4-41f3950d210f", "indicator--5ccf355f-2e94-48e5-b56a-42e1950d210f", "x-misp-attribute--5ccf35e3-4f10-4cff-bb9a-4eed950d210f", "x-misp-attribute--5ccf362e-9478-4f19-b38c-41d1950d210f", "vulnerability--5ccf3763-4e98-46e5-b64c-4985950d210f", "vulnerability--5ccf3763-64f0-41eb-a327-4194950d210f", "vulnerability--5ccf3763-b7f8-47ae-9128-4942950d210f", "vulnerability--5ccf3763-eaf8-4649-9c25-489b950d210f", "vulnerability--5ccf3763-2438-4331-92c7-4ddd950d210f", "x-misp-attribute--5ccf37df-cc1c-4c56-9a7d-4079950d210f", "observed-data--5ccf38a2-4590-42df-a18a-4fe6950d210f", "url--5ccf38a2-4590-42df-a18a-4fe6950d210f", "x-misp-attribute--5ccf3940-ddec-4518-b17f-4419950d210f", "x-misp-attribute--5ccf39ae-2d8c-4d58-af04-419e950d210f", "observed-data--5ccf3d10-ac0c-447c-814e-43c2950d210f", "network-traffic--5ccf3d10-ac0c-447c-814e-43c2950d210f", "ipv4-addr--5ccf3d10-ac0c-447c-814e-43c2950d210f", "observed-data--5ccf3d10-b734-4496-b135-4bc8950d210f", "network-traffic--5ccf3d10-b734-4496-b135-4bc8950d210f", "ipv4-addr--5ccf3d10-b734-4496-b135-4bc8950d210f", "observed-data--5ccf3d10-2f7c-4ceb-892e-46f0950d210f", 
"network-traffic--5ccf3d10-2f7c-4ceb-892e-46f0950d210f", "ipv4-addr--5ccf3d10-2f7c-4ceb-892e-46f0950d210f", "observed-data--5ccf3d10-bed0-4d85-945b-46d0950d210f", "network-traffic--5ccf3d10-bed0-4d85-945b-46d0950d210f", "ipv4-addr--5ccf3d10-bed0-4d85-945b-46d0950d210f", "indicator--5cd59ac0-f68c-4751-9022-4456950d210f", "indicator--5cd59b28-c838-44a7-a2d8-48cb950d210f", "x-misp-attribute--5cd925f5-0688-4fcc-8d9b-4d2f950d210f", "vulnerability--5cd926d2-96a0-4029-b68f-48bb950d210f", "x-misp-attribute--5cd93263-3988-4927-8996-4817950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "ms-caro-malware:malware-platform=\"Linux\"", "adversary:infrastructure-state=\"active\"", "circl:incident-classification=\"malware\"", "malware_classification:malware-category=\"Downloader\"", "malware_classification:malware-category=\"Rootkit\"", "malware_classification:malware-category=\"Botnet\"", "OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf331e-da90-4718-94c8-49d3950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:01:50.000Z", "modified": "2019-05-05T19:01:50.000Z", "first_observed": "2019-05-05T19:01:50Z", "last_observed": "2019-05-05T19:01:50Z", "number_observed": 1, "object_refs": [ "url--5ccf331e-da90-4718-94c8-49d3950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5ccf331e-da90-4718-94c8-49d3950d210f", "value": "https://imgur.com/a/H7YuWuj" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf331e-1534-4301-9d4c-4d32950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:01:50.000Z", "modified": "2019-05-05T19:01:50.000Z", "first_observed": "2019-05-05T19:01:50Z", "last_observed": "2019-05-05T19:01:50Z", 
"number_observed": 1, "object_refs": [ "url--5ccf331e-1534-4301-9d4c-4d32950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5ccf331e-1534-4301-9d4c-4d32950d210f", "value": "https://old.reddit.com/r/LinuxMalware/comments/bfaea2/fun_in_dissecting_lsd_packer_elf_golang_miner/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf338a-a70c-4aef-ae6c-4b95950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:03:38.000Z", "modified": "2019-05-05T19:03:38.000Z", "first_observed": "2019-05-05T19:03:38Z", "last_observed": "2019-05-05T19:03:38Z", "number_observed": 1, "object_refs": [ "file--5ccf338a-a70c-4aef-ae6c-4b95950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf338a-a70c-4aef-ae6c-4b95950d210f", "name": "/tmp/kerberods (elf trojan installer)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf338a-41ec-4332-86d4-4ee9950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:03:38.000Z", "modified": "2019-05-05T19:03:38.000Z", "first_observed": "2019-05-05T19:03:38Z", "last_observed": "2019-05-05T19:03:38Z", "number_observed": 1, "object_refs": [ "file--5ccf338a-41ec-4332-86d4-4ee9950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf338a-41ec-4332-86d4-4ee9950d210f", "name": "/tmp/khugepageds (elf monero miner xmrig)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf338a-3788-4d10-8dfb-45b6950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:03:38.000Z", "modified": "2019-05-05T19:03:38.000Z", "first_observed": "2019-05-05T19:03:38Z", "last_observed": 
"2019-05-05T19:03:38Z", "number_observed": 1, "object_refs": [ "file--5ccf338a-3788-4d10-8dfb-45b6950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf338a-3788-4d10-8dfb-45b6950d210f", "name": "/tmp/kthrotlds (elf trojan bot)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf338b-8d84-4997-9c96-454a950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:03:38.000Z", "modified": "2019-05-05T19:03:38.000Z", "first_observed": "2019-05-05T19:03:38Z", "last_observed": "2019-05-05T19:03:38Z", "number_observed": 1, "object_refs": [ "file--5ccf338b-8d84-4997-9c96-454a950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf338b-8d84-4997-9c96-454a950d210f", "name": "/tmp/kintegrityds (elf trojan bot)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf338b-2d54-4f22-afff-4296950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:03:39.000Z", "modified": "2019-05-05T19:03:39.000Z", "first_observed": "2019-05-05T19:03:39Z", "last_observed": "2019-05-05T19:03:39Z", "number_observed": 1, "object_refs": [ "file--5ccf338b-2d54-4f22-afff-4296950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf338b-2d54-4f22-afff-4296950d210f", "name": "/tmp/kpsmouseds (elf trojan installer)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf338b-9b24-43ce-ba79-400f950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:03:39.000Z", "modified": "2019-05-05T19:03:39.000Z", "first_observed": "2019-05-05T19:03:39Z", "last_observed": "2019-05-05T19:03:39Z", "number_observed": 1, 
"object_refs": [ "file--5ccf338b-9b24-43ce-ba79-400f950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf338b-9b24-43ce-ba79-400f950d210f", "name": "/tmp/kerb (elf trojan bot)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf338b-7164-4214-b2af-489a950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:03:39.000Z", "modified": "2019-05-05T19:03:39.000Z", "first_observed": "2019-05-05T19:03:39Z", "last_observed": "2019-05-05T19:03:39Z", "number_observed": 1, "object_refs": [ "file--5ccf338b-7164-4214-b2af-489a950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf338b-7164-4214-b2af-489a950d210f", "name": "/etc/cron.d/tomcat (persistence)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf338b-29f4-4d56-91a8-4ec9950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:03:39.000Z", "modified": "2019-05-05T19:03:39.000Z", "first_observed": "2019-05-05T19:03:39Z", "last_observed": "2019-05-05T19:03:39Z", "number_observed": 1, "object_refs": [ "file--5ccf338b-29f4-4d56-91a8-4ec9950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf338b-29f4-4d56-91a8-4ec9950d210f", "name": "/etc/cron.d/root (persistence)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf338b-8848-4992-830d-4f87950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:03:39.000Z", "modified": "2019-05-05T19:03:39.000Z", "first_observed": "2019-05-05T19:03:39Z", "last_observed": "2019-05-05T19:03:39Z", "number_observed": 1, "object_refs": [ "file--5ccf338b-8848-4992-830d-4f87950d210f" ], 
"labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf338b-8848-4992-830d-4f87950d210f", "name": "/var/spool/cron/root (persistence)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf338b-0c80-4351-9fe5-4ae4950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:03:39.000Z", "modified": "2019-05-05T19:03:39.000Z", "first_observed": "2019-05-05T19:03:39Z", "last_observed": "2019-05-05T19:03:39Z", "number_observed": 1, "object_refs": [ "file--5ccf338b-0c80-4351-9fe5-4ae4950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf338b-0c80-4351-9fe5-4ae4950d210f", "name": "/var/spool/cron/crontabs/root (persistence)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf338b-e194-463f-86b2-4c83950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:03:39.000Z", "modified": "2019-05-05T19:03:39.000Z", "first_observed": "2019-05-05T19:03:39Z", "last_observed": "2019-05-05T19:03:39Z", "number_observed": 1, "object_refs": [ "file--5ccf338b-e194-463f-86b2-4c83950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf338b-e194-463f-86b2-4c83950d210f", "name": "/usr/sbin/kthrotlds (elf trojan bot)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf338b-dc8c-4e16-930c-4ea4950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:03:39.000Z", "modified": "2019-05-05T19:03:39.000Z", "first_observed": "2019-05-05T19:03:39Z", "last_observed": "2019-05-05T19:03:39Z", "number_observed": 1, "object_refs": [ "file--5ccf338b-dc8c-4e16-930c-4ea4950d210f" ], "labels": [ "misp:type=\"filename\"", 
"misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf338b-dc8c-4e16-930c-4ea4950d210f", "name": "/usr/sbin/kintegrityds (elf trojan bot)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf338b-d720-4e12-9828-400b950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:03:39.000Z", "modified": "2019-05-05T19:03:39.000Z", "first_observed": "2019-05-05T19:03:39Z", "last_observed": "2019-05-05T19:03:39Z", "number_observed": 1, "object_refs": [ "file--5ccf338b-d720-4e12-9828-400b950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf338b-d720-4e12-9828-400b950d210f", "name": "/usr/sbin/kerberods (elf trojan installer)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf338b-9eec-415d-8713-4dba950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:03:39.000Z", "modified": "2019-05-05T19:03:39.000Z", "first_observed": "2019-05-05T19:03:39Z", "last_observed": "2019-05-05T19:03:39Z", "number_observed": 1, "object_refs": [ "file--5ccf338b-9eec-415d-8713-4dba950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf338b-9eec-415d-8713-4dba950d210f", "name": "/usr/sbin/kpsmouseds (elf trojan installer)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf338b-9ca0-4ff6-906a-4949950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:03:39.000Z", "modified": "2019-05-05T19:03:39.000Z", "first_observed": "2019-05-05T19:03:39Z", "last_observed": "2019-05-05T19:03:39Z", "number_observed": 1, "object_refs": [ "file--5ccf338b-9ca0-4ff6-906a-4949950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload 
delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf338b-9ca0-4ff6-906a-4949950d210f", "name": "/etc/rc.d/init.d/kthrotlds (persistence)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf338b-34c4-4ceb-9797-4327950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:03:39.000Z", "modified": "2019-05-05T19:03:39.000Z", "first_observed": "2019-05-05T19:03:39Z", "last_observed": "2019-05-05T19:03:39Z", "number_observed": 1, "object_refs": [ "file--5ccf338b-34c4-4ceb-9797-4327950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf338b-34c4-4ceb-9797-4327950d210f", "name": "/etc/rc.d/init.d/kerberods (persistence)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf338b-1e8c-4620-b81d-48a7950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:03:39.000Z", "modified": "2019-05-05T19:03:39.000Z", "first_observed": "2019-05-05T19:03:39Z", "last_observed": "2019-05-05T19:03:39Z", "number_observed": 1, "object_refs": [ "file--5ccf338b-1e8c-4620-b81d-48a7950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf338b-1e8c-4620-b81d-48a7950d210f", "name": "/etc/rc.d/init.d/kpsmouseds (persistence)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf338b-d71c-4be9-bf9f-424d950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:03:39.000Z", "modified": "2019-05-05T19:03:39.000Z", "first_observed": "2019-05-05T19:03:39Z", "last_observed": "2019-05-05T19:03:39Z", "number_observed": 1, "object_refs": [ "file--5ccf338b-d71c-4be9-bf9f-424d950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": 
"file", "spec_version": "2.1", "id": "file--5ccf338b-d71c-4be9-bf9f-424d950d210f", "name": "/etc/rc.d/init.d/kintegrityds (persistence)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf338b-20fc-4572-980b-4937950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:03:39.000Z", "modified": "2019-05-05T19:03:39.000Z", "first_observed": "2019-05-05T19:03:39Z", "last_observed": "2019-05-05T19:03:39Z", "number_observed": 1, "object_refs": [ "file--5ccf338b-20fc-4572-980b-4937950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf338b-20fc-4572-980b-4937950d210f", "name": "/tmp/ld.so.preload (rootkit preload module)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf338b-77c0-4310-b0b8-4155950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:03:39.000Z", "modified": "2019-05-05T19:03:39.000Z", "first_observed": "2019-05-05T19:03:39Z", "last_observed": "2019-05-05T19:03:39Z", "number_observed": 1, "object_refs": [ "file--5ccf338b-77c0-4310-b0b8-4155950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf338b-77c0-4310-b0b8-4155950d210f", "name": "/usr/local/lib/libpamcd.so (rootkit preload module)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf338b-5f70-42cf-b488-4660950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:03:39.000Z", "modified": "2019-05-05T19:03:39.000Z", "first_observed": "2019-05-05T19:03:39Z", "last_observed": "2019-05-05T19:03:39Z", "number_observed": 1, "object_refs": [ "file--5ccf338b-5f70-42cf-b488-4660950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", 
"spec_version": "2.1", "id": "file--5ccf338b-5f70-42cf-b488-4660950d210f", "name": "/usr/local/lib/libcset.so (rootkit preload module)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf338b-fc44-4109-98ee-4ea1950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-13T09:20:09.000Z", "modified": "2019-05-13T09:20:09.000Z", "first_observed": "2019-05-13T09:20:09Z", "last_observed": "2019-05-13T09:20:09Z", "number_observed": 1, "object_refs": [ "file--5ccf338b-fc44-4109-98ee-4ea1950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf338b-fc44-4109-98ee-4ea1950d210f", "name": "/usr/local/lib/libdb-0.1.so (rootkit preload module)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf33c6-84b8-4b61-8d12-4c63950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:08:39.000Z", "modified": "2019-05-05T19:08:39.000Z", "first_observed": "2019-05-05T19:08:39Z", "last_observed": "2019-05-05T19:08:39Z", "number_observed": 1, "object_refs": [ "file--5ccf33c6-84b8-4b61-8d12-4c63950d210f" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf33c6-84b8-4b61-8d12-4c63950d210f", "hashes": { "MD5": "8ecf8e7653e6a67d61ff03e0c61f3825" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf33c6-8bd4-4b84-ae73-43ef950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:08:49.000Z", "modified": "2019-05-05T19:08:49.000Z", "first_observed": "2019-05-05T19:08:49Z", "last_observed": "2019-05-05T19:08:49Z", "number_observed": 1, "object_refs": [ "file--5ccf33c6-8bd4-4b84-ae73-43ef950d210f" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": 
"2.1", "id": "file--5ccf33c6-8bd4-4b84-ae73-43ef950d210f", "hashes": { "MD5": "a1e0e218b3b7c063bbf3f21003763548" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf33c6-2c48-49d9-bdc6-4af6950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:09:08.000Z", "modified": "2019-05-05T19:09:08.000Z", "first_observed": "2019-05-05T19:09:08Z", "last_observed": "2019-05-05T19:09:08Z", "number_observed": 1, "object_refs": [ "file--5ccf33c6-2c48-49d9-bdc6-4af6950d210f" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf33c6-2c48-49d9-bdc6-4af6950d210f", "hashes": { "MD5": "bedc270205ee06817ab6b3d58f260794" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf33c6-1690-4a1c-a41e-4b65950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:09:18.000Z", "modified": "2019-05-05T19:09:18.000Z", "first_observed": "2019-05-05T19:09:18Z", "last_observed": "2019-05-05T19:09:18Z", "number_observed": 1, "object_refs": [ "file--5ccf33c6-1690-4a1c-a41e-4b65950d210f" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ccf33c6-1690-4a1c-a41e-4b65950d210f", "hashes": { "MD5": "5301972a7ef320e894274a38f0bb2b2c" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf33c6-f0d4-4a32-9cc7-405e950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:08:59.000Z", "modified": "2019-05-05T19:08:59.000Z", "first_observed": "2019-05-05T19:08:59Z", "last_observed": "2019-05-05T19:08:59Z", "number_observed": 1, "object_refs": [ "file--5ccf33c6-f0d4-4a32-9cc7-405e950d210f" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": 
"file--5ccf33c6-f0d4-4a32-9cc7-405e950d210f", "hashes": { "MD5": "17e9e888b8d0f374b5c623ae6b6d6cc6" } }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ccf343e-6444-410e-9d87-415c950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:06:38.000Z", "modified": "2019-05-05T19:06:38.000Z", "description": "Malware contacted C2 hostnames", "pattern": "[domain-name:value = 'd.heheda.tk.']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:06:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ccf343e-3880-492a-93ba-423d950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:06:38.000Z", "modified": "2019-05-05T19:06:38.000Z", "description": "Malware contacted C2 hostnames", "pattern": "[domain-name:value = 'c.heheda.tk']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:06:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ccf343e-6234-48a2-88f4-4734950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:06:38.000Z", "modified": "2019-05-05T19:06:38.000Z", "description": "Malware contacted C2 hostnames", "pattern": "[domain-name:value = 'dd.heheda.tk']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:06:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", 
"misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ccf343e-0500-4226-90d9-477b950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:06:38.000Z", "modified": "2019-05-05T19:06:38.000Z", "description": "Malware contacted C2 hostnames", "pattern": "[domain-name:value = 'systemten.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:06:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ccf343e-59ac-4de1-be7e-408b950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:06:38.000Z", "modified": "2019-05-05T19:06:38.000Z", "description": "Malware contacted C2 hostnames", "pattern": "[domain-name:value = 'w.3ei.xyz']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:06:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ccf343e-5098-44d0-bb39-4100950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:06:38.000Z", "modified": "2019-05-05T19:06:38.000Z", "description": "Malware contacted C2 hostnames", "pattern": "[domain-name:value = 'w.21-3n.xyz']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:06:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5ccf343e-31a4-4dfe-8318-4e1e950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:06:38.000Z", "modified": "2019-05-05T19:06:38.000Z", "description": "Malware contacted C2 hostnames", "pattern": "[domain-name:value = 't.w2wz.cn']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:06:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ccf343e-a4c8-4a2a-99ee-45d6950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:06:38.000Z", "modified": "2019-05-05T19:06:38.000Z", "description": "Malware contacted C2 hostnames", "pattern": "[domain-name:value = '1.z9ls.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:06:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ccf343e-f58c-4fdd-95f2-46dd950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:06:38.000Z", "modified": "2019-05-05T19:06:38.000Z", "description": "Malware contacted C2 hostnames", "pattern": "[domain-name:value = 'yxarsh.shop']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:06:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ccf343e-aa74-4740-8638-495d950d210f", "created_by_ref": 
"identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:06:38.000Z", "modified": "2019-05-05T19:06:38.000Z", "description": "Malware contacted C2 hostnames", "pattern": "[domain-name:value = 'i.ooxx.ooo']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:06:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ccf343e-2c70-41eb-a61c-45b3950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:06:38.000Z", "modified": "2019-05-05T19:06:38.000Z", "description": "Malware contacted C2 hostnames", "pattern": "[domain-name:value = 'baocangwh.cn']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:06:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ccf343e-f75c-4aae-b652-4e03950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:06:38.000Z", "modified": "2019-05-05T19:06:38.000Z", "description": "Malware contacted C2 hostnames", "pattern": "[domain-name:value = 'img.sobot.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:06:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ccf343e-0e58-4347-8020-4d32950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": 
"2019-05-05T19:06:38.000Z", "modified": "2019-05-05T19:06:38.000Z", "description": "Malware contacted C2 hostnames", "pattern": "[domain-name:value = 'sowcar.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:06:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ccf355f-6d0c-41a1-a55a-4dc7950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:11:27.000Z", "modified": "2019-05-05T19:11:27.000Z", "description": "The origin of IP addresses used by the adversaries for their C2 servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '42.56.76.104']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:11:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ccf355f-04d4-4359-8fbb-47cf950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:11:27.000Z", "modified": "2019-05-05T19:11:27.000Z", "description": "The origin of IP addresses used by the adversaries for their C2 servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.90.213.21']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:11:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5ccf355f-93a0-48b2-b7fc-427d950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:11:27.000Z", "modified": "2019-05-05T19:11:27.000Z", "description": "The origin of IP addresses used by the adversaries for their C2 servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '116.62.232.226']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:11:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ccf355f-39dc-4d46-beeb-4488950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:11:27.000Z", "modified": "2019-05-05T19:11:27.000Z", "description": "The origin of IP addresses used by the adversaries for their C2 servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '211.91.160.238']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:11:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ccf355f-f5f8-439d-bb9f-49f8950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:11:27.000Z", "modified": "2019-05-05T19:11:27.000Z", "description": "The origin of IP addresses used by the adversaries for their C2 servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '221.204.60.69']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:11:27Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ccf355f-9aa4-4759-8b0d-4838950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:11:27.000Z", "modified": "2019-05-05T19:11:27.000Z", "description": "The origin of IP addresses used by the adversaries for their C2 servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.52.216.35']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:11:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ccf355f-3460-4721-8f60-4d31950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:11:27.000Z", "modified": "2019-05-05T19:11:27.000Z", "description": "The origin of IP addresses used by the adversaries for their C2 servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.63.0.102']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:11:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ccf355f-f270-4244-9357-4038950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:11:27.000Z", "modified": "2019-05-05T19:11:27.000Z", "description": "The origin of IP addresses used by the adversaries for their C2 servers", 
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.238.151.101']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:11:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ccf355f-c340-44b6-92e4-41db950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:11:27.000Z", "modified": "2019-05-05T19:11:27.000Z", "description": "The origin of IP addresses used by the adversaries for their C2 servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.248.53.213']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:11:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ccf355f-7d68-4c6f-bdd4-41f3950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:11:27.000Z", "modified": "2019-05-05T19:11:27.000Z", "description": "The origin of IP addresses used by the adversaries for their C2 servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '134.209.104.20']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:11:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ccf355f-2e94-48e5-b56a-42e1950d210f", 
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:11:27.000Z", "modified": "2019-05-05T19:11:27.000Z", "description": "The origin of IP addresses used by the adversaries for their C2 servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '198.204.231.250']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-05T19:11:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5ccf35e3-4f10-4cff-bb9a-4eed950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:13:39.000Z", "modified": "2019-05-05T19:13:39.000Z", "labels": [ "misp:type=\"github-repository\"", "misp:category=\"Social network\"" ], "x_misp_category": "Social network", "x_misp_comment": "The alleged account utilized by adversary", "x_misp_type": "github-repository", "x_misp_value": "helegedada" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5ccf362e-9478-4f19-b38c-41d1950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:14:54.000Z", "modified": "2019-05-05T19:14:54.000Z", "labels": [ "misp:type=\"other\"", "misp:category=\"Social network\"" ], "x_misp_category": "Social network", "x_misp_comment": "The pastebin account that is allegedly owned by adversary", "x_misp_type": "other", "x_misp_value": "https://pastebin.com/u/SYSTEMTEN" }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--5ccf3763-4e98-46e5-b64c-4985950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:20:03.000Z", "modified": "2019-05-05T19:20:03.000Z", "name": "CVE-2019-3395", "labels": [ 
"misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2019-3395" } ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--5ccf3763-64f0-41eb-a327-4194950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:20:03.000Z", "modified": "2019-05-05T19:20:03.000Z", "name": "CVE-2019-3396", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2019-3396" } ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--5ccf3763-b7f8-47ae-9128-4942950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:20:03.000Z", "modified": "2019-05-05T19:20:03.000Z", "name": "CVE-2019-1003033", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2019-1003033" } ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--5ccf3763-eaf8-4649-9c25-489b950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:20:03.000Z", "modified": "2019-05-05T19:20:03.000Z", "name": "CVE-2019-1003030", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2019-1003030" } ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--5ccf3763-2438-4331-92c7-4ddd950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:20:03.000Z", "modified": "2019-05-05T19:20:03.000Z", "name": "CVE-2019-1003029", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2019-1003029" } ] }, { "type": 
"x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5ccf37df-cc1c-4c56-9a7d-4079950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:22:07.000Z", "modified": "2019-05-05T19:22:07.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Internal reference\"" ], "x_misp_category": "Internal reference", "x_misp_comment": "The data grep'ed for by the malware in its upgrade and anti-competitive functions; useful for preventing similar threats.", "x_misp_type": "text", "x_misp_value": "hwlh3wlh44lh\r\nCircle_MI\r\nxmr\r\nxig\r\nddgs\r\nqW3xT\r\nwnTKYg\r\nt00ls.ru\r\nsustes\r\nthisxxs\r\nhashfish\r\nkworkerds\r\ntmp/devtool\r\nsystemctI\r\nplfsbce\r\nluyybce\r\n6Tx3Wq\r\ndblaunchs\r\nvmlinuz\r\nget.bi-chi.com\r\nhashvault.pro\r\nnanopool.org\r\n119.9.106.27\r\n104.130.210.206" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf38a2-4590-42df-a18a-4fe6950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:25:22.000Z", "modified": "2019-05-05T19:25:22.000Z", "first_observed": "2019-05-05T19:25:22Z", "last_observed": "2019-05-05T19:25:22Z", "number_observed": 1, "object_refs": [ "url--5ccf38a2-4590-42df-a18a-4fe6950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"Internal reference\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5ccf38a2-4590-42df-a18a-4fe6950d210f", "value": "https://community.atlassian.com/t5/Confluence-questions/How-come-my-confluence-installation-was-hacked-by-Kerberods/qaq-p/1054605#M141274" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5ccf3940-ddec-4518-b17f-4419950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:28:00.000Z", "modified": "2019-05-05T19:28:00.000Z", "labels": [ "misp:type=\"other\"", "misp:category=\"Payload delivery\"" ], "x_misp_category": "Payload delivery", 
"x_misp_comment": "Certificate attached in the malware samples (the ELF binary installers)", "x_misp_type": "other", "x_misp_value": "-----BEGIN CERTIFICATE-----\r\nMIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\nMA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\nMTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G\r\nA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\nCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\nmdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\nYMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\nR7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\nKNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\ngZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH\r\n/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV\r\nBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz\r\ndCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ\r\nSsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H\r\nDBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF\r\npjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf\r\nm/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ\r\n7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==\r\n-----END CERTIFICATE-----" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5ccf39ae-2d8c-4d58-af04-419e950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:29:50.000Z", "modified": "2019-05-05T19:29:50.000Z", "labels": [ "misp:type=\"other\"", "misp:category=\"Network activity\"" ], "x_misp_category": "Network activity", "x_misp_comment": "SSL certificate used by the adversary to encrypt the SSL traffic", "x_misp_type": "other", 
"x_misp_value": "Handshake Protocol: Certificate\r\nCertificate Length: 1374\r\nCertificate (id-at-commonName=d.heheda.tk)\r\nversion: v3 (2)\r\nserialNumber : 0x0391959ec679153960186df2c0768f78425e\r\nsignature (sha256WithRSAEncryption)\r\nAlgorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)\r\nrdnSequence: 3 items\r\n(id-at-commonName=Let's Encrypt Authority X3,\r\nid-at-organizationName=Let's Encrypt,\r\nid-at-countryName=US )\r\nValidity not before: utcTime: 19-04-22 01:13:26 (UTC)\r\nValidity not after: utcTime: 19-07-21 01:13:26 (UTC)\r\nissuer: rdnSequence (0) rdnSequence: 2 items\r\n(id-at-commonName=DST Root CA X3,\r\nid-at-organizationName=Digital Signature Trust Co.)" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf3d10-ac0c-447c-814e-43c2950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:44:16.000Z", "modified": "2019-05-05T19:44:16.000Z", "first_observed": "2019-05-05T19:44:16Z", "last_observed": "2019-05-05T19:44:16Z", "number_observed": 1, "object_refs": [ "network-traffic--5ccf3d10-ac0c-447c-814e-43c2950d210f", "ipv4-addr--5ccf3d10-ac0c-447c-814e-43c2950d210f" ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5ccf3d10-ac0c-447c-814e-43c2950d210f", "dst_ref": "ipv4-addr--5ccf3d10-ac0c-447c-814e-43c2950d210f", "dst_port": 53, "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5ccf3d10-ac0c-447c-814e-43c2950d210f", "value": "1.1.1.1" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf3d10-b734-4496-b135-4bc8950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:44:16.000Z", "modified": "2019-05-05T19:44:16.000Z", "first_observed": "2019-05-05T19:44:16Z", "last_observed": "2019-05-05T19:44:16Z", "number_observed": 1, "object_refs": [ 
"network-traffic--5ccf3d10-b734-4496-b135-4bc8950d210f", "ipv4-addr--5ccf3d10-b734-4496-b135-4bc8950d210f" ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5ccf3d10-b734-4496-b135-4bc8950d210f", "dst_ref": "ipv4-addr--5ccf3d10-b734-4496-b135-4bc8950d210f", "dst_port": 53, "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5ccf3d10-b734-4496-b135-4bc8950d210f", "value": "8.8.8.8" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf3d10-2f7c-4ceb-892e-46f0950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:44:16.000Z", "modified": "2019-05-05T19:44:16.000Z", "first_observed": "2019-05-05T19:44:16Z", "last_observed": "2019-05-05T19:44:16Z", "number_observed": 1, "object_refs": [ "network-traffic--5ccf3d10-2f7c-4ceb-892e-46f0950d210f", "ipv4-addr--5ccf3d10-2f7c-4ceb-892e-46f0950d210f" ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5ccf3d10-2f7c-4ceb-892e-46f0950d210f", "dst_ref": "ipv4-addr--5ccf3d10-2f7c-4ceb-892e-46f0950d210f", "dst_port": 5353, "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5ccf3d10-2f7c-4ceb-892e-46f0950d210f", "value": "208.67.222.222" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ccf3d10-bed0-4d85-945b-46d0950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-05T19:44:16.000Z", "modified": "2019-05-05T19:44:16.000Z", "first_observed": "2019-05-05T19:44:16Z", "last_observed": "2019-05-05T19:44:16Z", "number_observed": 1, "object_refs": [ "network-traffic--5ccf3d10-bed0-4d85-945b-46d0950d210f", "ipv4-addr--5ccf3d10-bed0-4d85-945b-46d0950d210f" ], "labels": [ "misp:type=\"ip-dst|port\"", 
"misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5ccf3d10-bed0-4d85-945b-46d0950d210f", "dst_ref": "ipv4-addr--5ccf3d10-bed0-4d85-945b-46d0950d210f", "dst_port": 443, "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5ccf3d10-bed0-4d85-945b-46d0950d210f", "value": "208.67.222.222" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd59ac0-f68c-4751-9022-4456950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-10T15:37:36.000Z", "modified": "2019-05-10T15:37:36.000Z", "description": "The origin of IP addresses used by the adversaries for their C2 servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.95.85.22']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-10T15:37:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd59b28-c838-44a7-a2d8-48cb950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-10T15:39:20.000Z", "modified": "2019-05-10T15:39:20.000Z", "description": "Malware contacted C2 hostnames", "pattern": "[domain-name:value = 'gwjyhs.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-10T15:39:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5cd925f5-0688-4fcc-8d9b-4d2f950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-13T09:00:28.000Z", 
"modified": "2019-05-13T09:00:28.000Z", "labels": [ "misp:type=\"whois-registrant-email\"", "misp:category=\"Social network\"" ], "x_misp_category": "Social network", "x_misp_comment": "QQ ID used by the adversary's payload domains \"gwjyhs .com\", \"baocangwh .cn\"", "x_misp_type": "whois-registrant-email", "x_misp_value": "4592248@qq.com" }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--5cd926d2-96a0-4029-b68f-48bb950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-13T08:12:02.000Z", "modified": "2019-05-13T08:12:02.000Z", "name": "CVE-2018-1000861", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2018-1000861" } ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5cd93263-3988-4927-8996-4817950d210f", "created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f", "created": "2019-05-13T09:01:23.000Z", "modified": "2019-05-13T09:01:23.000Z", "labels": [ "misp:type=\"whois-registrant-email\"", "misp:category=\"Social network\"" ], "x_misp_category": "Social network", "x_misp_comment": "The same number as the QQ ID, used under a Gmail address to register \"w2wz .cn\"", "x_misp_type": "whois-registrant-email", "x_misp_value": "4592248@gmail.com" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }