misp-circl-feed/feeds/circl/stix-2.1/59722019-3260-4062-bec5-4eea950d210f.json

{
    "type": "bundle",
    "id": "bundle--59722019-3260-4062-bec5-4eea950d210f",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-07-21T15:42:35.000Z",
            "modified": "2017-07-21T15:42:35.000Z",
            "name": "CIRCL",
            "identity_class": "organization"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--59722019-3260-4062-bec5-4eea950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-07-21T15:42:35.000Z",
            "modified": "2017-07-21T15:42:35.000Z",
            "name": "OSINT - Linux.Bew: un backdoor para el minado de Bitcoin",
            "published": "2017-07-21T15:45:08Z",
            "object_refs": [
                "observed-data--59722024-b7ec-415d-a9d6-4032950d210f",
                "url--59722024-b7ec-415d-a9d6-4032950d210f",
                "x-misp-attribute--59722036-ecec-4b53-a575-40ce950d210f",
                "indicator--5972204b-2690-47f3-b113-4dc3950d210f",
                "indicator--59722068-7e70-418e-b27b-cf65950d210f",
                "indicator--5972207d-12d4-4674-8603-49fe950d210f",
                "indicator--5972207d-b374-4e26-b02b-4100950d210f",
                "indicator--59722091-daf0-4356-ac59-46a7950d210f",
                "indicator--597220a8-2828-4a80-8910-4076950d210f",
                "x-misp-attribute--597220ce-d71c-4ec0-b402-41d0950d210f",
                "indicator--597220eb-0b04-447b-9d6a-471002de0b81",
                "indicator--597220eb-f6a0-4b53-8948-400802de0b81",
                "observed-data--597220eb-8224-4341-9cf0-495d02de0b81",
                "url--597220eb-8224-4341-9cf0-495d02de0b81"
            ],
            "labels": [
                "Threat-Report",
                "misp:tool=\"MISP-STIX-Converter\""
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--59722024-b7ec-415d-a9d6-4032950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-07-21T15:42:35.000Z",
            "modified": "2017-07-21T15:42:35.000Z",
            "first_observed": "2017-07-21T15:42:35Z",
            "last_observed": "2017-07-21T15:42:35Z",
            "number_observed": 1,
            "object_refs": [
                "url--59722024-b7ec-415d-a9d6-4032950d210f"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\"",
                "osint:source-type=\"blog-post\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--59722024-b7ec-415d-a9d6-4032950d210f",
            "value": "https://www.securityartwork.es/2017/07/21/linux-bew-backdoor-minado-bitcoin/"
        },
        {
            "type": "x-misp-attribute",
            "spec_version": "2.1",
            "id": "x-misp-attribute--59722036-ecec-4b53-a575-40ce950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-07-21T15:42:35.000Z",
            "modified": "2017-07-21T15:42:35.000Z",
            "labels": [
                "misp:type=\"text\"",
                "misp:category=\"External analysis\"",
                "osint:source-type=\"blog-post\""
            ],
            "x_misp_category": "External analysis",
            "x_misp_type": "text",
            "x_misp_value": "En el siguiente art\u00c3\u00adculo vamos a analizar una muestra del binario catalogado por varias firmas antivirus como Linux.Bew. (Virustotal), malware de tipo ELF del cual hemos detectado actividad durante este \u00c3\u00baltimo mes."
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5972204b-2690-47f3-b113-4dc3950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-07-21T15:42:35.000Z",
            "modified": "2017-07-21T15:42:35.000Z",
            "pattern": "[file:hashes.SHA256 = '80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-07-21T15:42:35Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59722068-7e70-418e-b27b-cf65950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-07-21T15:42:35.000Z",
            "modified": "2017-07-21T15:42:35.000Z",
            "pattern": "[file:name = '/root/.config/kdeinit4']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-07-21T15:42:35Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Artifacts dropped"
                }
            ],
            "labels": [
                "misp:type=\"filename\"",
                "misp:category=\"Artifacts dropped\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5972207d-12d4-4674-8603-49fe950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-07-21T15:42:35.000Z",
            "modified": "2017-07-21T15:42:35.000Z",
            "pattern": "[domain-name:value = 'hfir.u230.org']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-07-21T15:42:35Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"hostname\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5972207d-b374-4e26-b02b-4100950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-07-21T15:42:35.000Z",
            "modified": "2017-07-21T15:42:35.000Z",
            "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.211.49.214']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-07-21T15:42:35Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"ip-dst\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59722091-daf0-4356-ac59-46a7950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-07-21T15:42:35.000Z",
            "modified": "2017-07-21T15:42:35.000Z",
            "description": "tcp/443",
            "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.58.49.98']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-07-21T15:42:35Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"ip-dst\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--597220a8-2828-4a80-8910-4076950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-07-21T15:42:35.000Z",
            "modified": "2017-07-21T15:42:35.000Z",
            "pattern": "[rule LinuxBew: MALW\r\n{\r\n\tmeta:\r\n\t\tdescription = \"Linux.Bew Backdoor\"\r\n\t\tauthor = \"Joan Soriano / @w0lfvan\"\r\n\t\tdate = \"2017-07-10\"\r\n\t\tversion = \"1.0\"\r\n\t\tMD5 = \"27d857e12b9be5d43f935b8cc86eaabf\"\r\n\t\tSHA256 = \"80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06\"\r\n\tstrings:\r\n\t\t$a = \"src/secp256k1.c\"\r\n\t\t$b = \"hfir.u230.org\"\r\n\t\t$c = \u00e2\u20ac\u0153tempfile-x11session\u00e2\u20ac\u009d\r\n\tcondition:\r\n\t\tall of them\r\n}]",
            "pattern_type": "yara",
            "pattern_version": "2.1",
            "valid_from": "2017-07-21T15:42:35Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Artifacts dropped"
                }
            ],
            "labels": [
                "misp:type=\"yara\"",
                "misp:category=\"Artifacts dropped\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-attribute",
            "spec_version": "2.1",
            "id": "x-misp-attribute--597220ce-d71c-4ec0-b402-41d0950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-07-21T15:42:35.000Z",
            "modified": "2017-07-21T15:42:35.000Z",
            "labels": [
                "misp:type=\"text\"",
                "misp:category=\"Antivirus detection\""
            ],
            "x_misp_category": "Antivirus detection",
            "x_misp_type": "text",
            "x_misp_value": "Linux.Bew"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--597220eb-0b04-447b-9d6a-471002de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-07-21T15:42:35.000Z",
            "modified": "2017-07-21T15:42:35.000Z",
            "description": "- Xchecked via VT: 80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06",
            "pattern": "[file:hashes.SHA1 = '4c614317fd1686f8c865c0a8d367c8e22b94087f']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-07-21T15:42:35Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--597220eb-f6a0-4b53-8948-400802de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-07-21T15:42:35.000Z",
            "modified": "2017-07-21T15:42:35.000Z",
            "description": "- Xchecked via VT: 80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06",
            "pattern": "[file:hashes.MD5 = 'f42c73e5291392c4c39852670addd7f9']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-07-21T15:42:35Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--597220eb-8224-4341-9cf0-495d02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-07-21T15:42:35.000Z",
            "modified": "2017-07-21T15:42:35.000Z",
            "first_observed": "2017-07-21T15:42:35Z",
            "last_observed": "2017-07-21T15:42:35Z",
            "number_observed": 1,
            "object_refs": [
                "url--597220eb-8224-4341-9cf0-495d02de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--597220eb-8224-4341-9cf0-495d02de0b81",
            "value": "https://www.virustotal.com/file/80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06/analysis/1499436533/"
        },
        {
            "type": "marking-definition",
            "spec_version": "2.1",
            "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
            "created": "2017-01-20T00:00:00.000Z",
            "definition_type": "tlp",
            "name": "TLP:WHITE",
            "definition": {
                "tlp": "white"
            }
        }
    ]
}