{
"type": "bundle",
"id": "bundle--586f5fb9-2678-4fe5-a14e-45e5950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-06T10:12:54.000Z",
"modified": "2017-01-06T10:12:54.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--586f5fb9-2678-4fe5-a14e-45e5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-06T10:12:54.000Z",
"modified": "2017-01-06T10:12:54.000Z",
"name": "OSINT - Exposing an AV-Disabling Driver Just in Time for Lunch",
"published": "2017-01-06T14:38:39Z",
"object_refs": [
"observed-data--586f63f8-d83c-4ff1-8e7b-4db8950d210f",
"url--586f63f8-d83c-4ff1-8e7b-4db8950d210f",
"x-misp-attribute--586f6420-21b0-4760-b9b3-24ba950d210f",
"indicator--586f6429-c9a0-4a3d-9206-4a49950d210f",
"indicator--586f6452-0abc-4a68-8607-4fcf02de0b81",
"indicator--586f6452-8f80-4dd7-9b5f-459402de0b81",
"observed-data--586f6453-114c-43c1-a501-423502de0b81",
"url--586f6453-114c-43c1-a501-423502de0b81",
"observed-data--586f6543-3660-443d-a1e7-489b950d210f",
"url--586f6543-3660-443d-a1e7-489b950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"ms-caro-malware:malware-platform=\"Win32\"",
"ecsirt:malicious-code=\"malware\"",
"circl:incident-classification=\"malware\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--586f63f8-d83c-4ff1-8e7b-4db8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-06T09:31:36.000Z",
"modified": "2017-01-06T09:31:36.000Z",
"first_observed": "2017-01-06T09:31:36Z",
"last_observed": "2017-01-06T09:31:36Z",
"number_observed": 1,
"object_refs": [
"url--586f63f8-d83c-4ff1-8e7b-4db8950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--586f63f8-d83c-4ff1-8e7b-4db8950d210f",
"value": "https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--586f6420-21b0-4760-b9b3-24ba950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-06T09:32:16.000Z",
"modified": "2017-01-06T09:32:16.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Disable AV, Reload Without Resistance\r\n\r\nWe also noticed that the malware using this driver causes the system to reboot after installing the driver. This causes the targeted AV software not to be loaded after the system restores, enabling the malware to execute without disturbance.\r\n\r\nThe driver performs this action because the user-mode code can\u2019t overwrite AV registry data; it employs self-protections to prevent exactly that. However, when executed by a driver, which can carry out more actions on a deeper privilege level, it is much harder to prevent such actions."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586f6429-c9a0-4a3d-9206-4a49950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-06T09:32:25.000Z",
"modified": "2017-01-06T09:32:25.000Z",
"pattern": "[file:hashes.MD5 = '48b872f91f1ff3f96594bf480ebf3dcc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-06T09:32:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586f6452-0abc-4a68-8607-4fcf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-06T09:33:06.000Z",
"modified": "2017-01-06T09:33:06.000Z",
"description": "- Xchecked via VT: 48b872f91f1ff3f96594bf480ebf3dcc",
"pattern": "[file:hashes.SHA256 = '1613f863490f5b28f85483d5eedde68899f1c71d048973e0786f51c4427112be']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-06T09:33:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586f6452-8f80-4dd7-9b5f-459402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-06T09:33:06.000Z",
"modified": "2017-01-06T09:33:06.000Z",
"description": "- Xchecked via VT: 48b872f91f1ff3f96594bf480ebf3dcc",
"pattern": "[file:hashes.SHA1 = '822004b4b09c92acc4a281a17e0cab175d90dca6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-06T09:33:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--586f6453-114c-43c1-a501-423502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-06T09:33:07.000Z",
"modified": "2017-01-06T09:33:07.000Z",
"first_observed": "2017-01-06T09:33:07Z",
"last_observed": "2017-01-06T09:33:07Z",
"number_observed": 1,
"object_refs": [
"url--586f6453-114c-43c1-a501-423502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--586f6453-114c-43c1-a501-423502de0b81",
"value": "https://www.virustotal.com/file/1613f863490f5b28f85483d5eedde68899f1c71d048973e0786f51c4427112be/analysis/1483620148/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--586f6543-3660-443d-a1e7-489b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-06T09:37:07.000Z",
"modified": "2017-01-06T09:37:07.000Z",
"first_observed": "2017-01-06T09:37:07Z",
"last_observed": "2017-01-06T09:37:07Z",
"number_observed": 1,
"object_refs": [
"url--586f6543-3660-443d-a1e7-489b950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--586f6543-3660-443d-a1e7-489b950d210f",
"value": "https://twitter.com/LiorKesh/status/816653825738211328"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}