{
|
|
"type": "bundle",
|
|
"id": "bundle--59a25cc4-e870-4bef-a7d1-48a802de0b81",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--59a25cc4-e870-4bef-a7d1-48a802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"name": "OSINT - Ukrainian Financial Institutions Targeted by Wave of Malicious EPS File Attacks",
|
|
"published": "2017-08-27T05:56:47Z",
|
|
"object_refs": [
|
|
"vulnerability--59a25cf6-d7a0-4d00-8b4e-45f902de0b81",
|
|
"vulnerability--59a25cf6-9670-4c50-a443-409202de0b81",
|
|
"vulnerability--59a25cf6-affc-42cf-948f-4f5b02de0b81",
|
|
"indicator--59a25d41-4b6c-4cbc-8e15-44a602de0b81",
|
|
"indicator--59a25d41-974c-4dad-b1d5-40fc02de0b81",
|
|
"indicator--59a25d41-d920-44d6-a046-4bf002de0b81",
|
|
"indicator--59a25d41-8a74-4e53-a3bb-43ab02de0b81",
|
|
"indicator--59a25d41-ac30-47e6-832d-411102de0b81",
|
|
"indicator--59a25d7d-17d8-48c9-9f7a-45aa02de0b81",
|
|
"x-misp-attribute--59a25da6-2424-4517-af23-4b6702de0b81",
|
|
"x-misp-attribute--59a25da6-eea4-46cf-a439-400c02de0b81",
|
|
"observed-data--59a25dc1-ee70-4f02-9db8-b60e02de0b81",
|
|
"email-message--59a25dc1-ee70-4f02-9db8-b60e02de0b81",
|
|
"file--59a25dc1-ee70-4f02-9db8-b60e02de0b81",
|
|
"observed-data--59a25dc1-7764-4a0b-89c0-b60e02de0b81",
|
|
"email-message--59a25dc1-7764-4a0b-89c0-b60e02de0b81",
|
|
"file--59a25dc1-7764-4a0b-89c0-b60e02de0b81",
|
|
"observed-data--59a25dc1-db3c-46fb-bd1c-b60e02de0b81",
|
|
"email-message--59a25dc1-db3c-46fb-bd1c-b60e02de0b81",
|
|
"file--59a25dc1-db3c-46fb-bd1c-b60e02de0b81",
|
|
"observed-data--59a25dc1-36c4-412d-8b6d-b60e02de0b81",
|
|
"email-message--59a25dc1-36c4-412d-8b6d-b60e02de0b81",
|
|
"file--59a25dc1-36c4-412d-8b6d-b60e02de0b81",
|
|
"observed-data--59a25dc1-9058-4d49-b0e9-b60e02de0b81",
|
|
"email-message--59a25dc1-9058-4d49-b0e9-b60e02de0b81",
|
|
"file--59a25dc1-9058-4d49-b0e9-b60e02de0b81",
|
|
"x-misp-attribute--59a25dd9-bf68-45c0-9374-494302de0b81",
|
|
"indicator--59a25dec-e044-4ab0-a56f-b60e02de0b81",
|
|
"indicator--59a25dec-a75c-45e3-89eb-b60e02de0b81",
|
|
"observed-data--59a25dec-f1ac-4268-8c34-b60e02de0b81",
|
|
"url--59a25dec-f1ac-4268-8c34-b60e02de0b81",
|
|
"indicator--59a25dec-cd54-489e-ada2-b60e02de0b81",
|
|
"indicator--59a25dec-eb38-4439-88b3-b60e02de0b81",
|
|
"observed-data--59a25dec-7f9c-4fd1-8047-b60e02de0b81",
|
|
"url--59a25dec-7f9c-4fd1-8047-b60e02de0b81",
|
|
"indicator--59a25dec-5794-402f-a588-b60e02de0b81",
|
|
"indicator--59a25dec-2500-44c2-b562-b60e02de0b81",
|
|
"observed-data--59a25dec-0d44-442b-b613-b60e02de0b81",
|
|
"url--59a25dec-0d44-442b-b613-b60e02de0b81",
|
|
"indicator--59a25dec-a084-4101-8ba1-b60e02de0b81",
|
|
"indicator--59a25dec-2e20-4de3-90c2-b60e02de0b81",
|
|
"observed-data--59a25dec-6aa8-4213-a915-b60e02de0b81",
|
|
"url--59a25dec-6aa8-4213-a915-b60e02de0b81",
|
|
"indicator--59a25dec-bc48-4a8a-8977-b60e02de0b81",
|
|
"indicator--59a25dec-355c-4c9b-8590-b60e02de0b81",
|
|
"observed-data--59a25dec-c0d8-4432-a038-b60e02de0b81",
|
|
"url--59a25dec-c0d8-4432-a038-b60e02de0b81"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"circl:topic=\"finance\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "vulnerability",
|
|
"spec_version": "2.1",
|
|
"id": "vulnerability--59a25cf6-d7a0-4d00-8b4e-45f902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"name": "CVE-2015-2545",
|
|
"labels": [
|
|
"misp:type=\"vulnerability\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"circl:incident-classification=\"vulnerability\""
|
|
],
|
|
"external_references": [
|
|
{
|
|
"source_name": "cve",
|
|
"external_id": "CVE-2015-2545"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"type": "vulnerability",
|
|
"spec_version": "2.1",
|
|
"id": "vulnerability--59a25cf6-9670-4c50-a443-409202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"name": "CVE-2017-0261",
|
|
"labels": [
|
|
"misp:type=\"vulnerability\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"circl:incident-classification=\"vulnerability\""
|
|
],
|
|
"external_references": [
|
|
{
|
|
"source_name": "cve",
|
|
"external_id": "CVE-2017-0261"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"type": "vulnerability",
|
|
"spec_version": "2.1",
|
|
"id": "vulnerability--59a25cf6-affc-42cf-948f-4f5b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"name": "CVE-2017-0262",
|
|
"labels": [
|
|
"misp:type=\"vulnerability\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"circl:incident-classification=\"vulnerability\""
|
|
],
|
|
"external_references": [
|
|
{
|
|
"source_name": "cve",
|
|
"external_id": "CVE-2017-0262"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59a25d41-4b6c-4cbc-8e15-44a602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"pattern": "[file:hashes.SHA256 = 'ecc055974d7d190871dc4eb1bf1f8b998d6e8abf04dba2ff560ae395aeec4d5d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-08-27T05:51:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59a25d41-974c-4dad-b1d5-40fc02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '430c1bfa22e0f7b0e8742c0d70b8911089ba58645818e4281d7066d1324a3952']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-08-27T05:51:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59a25d41-d920-44d6-a046-4bf002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '1892154cc47e8a1bc81186d131e001a22e4edbc4fd88688eb1782b934e1941b6']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-08-27T05:51:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59a25d41-8a74-4e53-a3bb-43ab02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"pattern": "[file:hashes.SHA256 = 'e9d843761df7f6ef193d9f8e88d93a90816f2067fdd51a1c0765dfbfd4cb398f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-08-27T05:51:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59a25d41-ac30-47e6-832d-411102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '647572d133677882f52843f799375ac77178616bcd3d9ed13b95d49eecfd0a51']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-08-27T05:51:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59a25d7d-17d8-48c9-9f7a-45aa02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"description": "Once the malware has managed to infect a system, it tries to connect to a server based in France (137.74.224.142) over TCP port 80. Note that the query-string value in the pattern is redacted ('3c6*****'), so an exact match on the full URL will never fire; match on the host/IP and the '/z/get.php' path instead.",
|
|
"pattern": "[url:value = 'http://137.74.224.142/z/get.php?name=3c6*****']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-08-27T05:51:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--59a25da6-2424-4517-af23-4b6702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"labels": [
|
|
"misp:type=\"pattern-in-file\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
],
|
|
"x_misp_category": "Artifacts dropped",
|
|
"x_misp_comment": "When we dug deeper into the details of the \u2018image1.eps\u2019 file, we noticed two awkward strings that you normally wouldn\u2019t see in malware",
|
|
"x_misp_type": "pattern-in-file",
|
|
"x_misp_value": "%%Icantdestroywhatisntthere"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--59a25da6-eea4-46cf-a439-400c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"labels": [
|
|
"misp:type=\"pattern-in-file\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
],
|
|
"x_misp_category": "Artifacts dropped",
|
|
"x_misp_comment": "When we dug deeper into the details of the \u2018image1.eps\u2019 file, we noticed two awkward strings that you normally wouldn\u2019t see in malware",
|
|
"x_misp_type": "pattern-in-file",
|
|
"x_misp_value": "%%Myheartisjusttoodarktocare"
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59a25dc1-ee70-4f02-9db8-b60e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"first_observed": "2017-08-27T05:51:40Z",
|
|
"last_observed": "2017-08-27T05:51:40Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"email-message--59a25dc1-ee70-4f02-9db8-b60e02de0b81",
|
|
"file--59a25dc1-ee70-4f02-9db8-b60e02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-attachment\"",
|
|
"misp:category=\"Payload delivery\""
|
|
]
|
|
},
|
|
{
|
|
"type": "email-message",
|
|
"spec_version": "2.1",
|
|
"id": "email-message--59a25dc1-ee70-4f02-9db8-b60e02de0b81",
|
|
"is_multipart": true,
|
|
"body_multipart": [
|
|
{
|
|
"body_raw_ref": "file--59a25dc1-ee70-4f02-9db8-b60e02de0b81",
|
|
"content_disposition": "attachment; filename='Выписка.docx'"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"type": "file",
|
|
"spec_version": "2.1",
|
|
"id": "file--59a25dc1-ee70-4f02-9db8-b60e02de0b81",
|
|
"name": "Выписка.docx"
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59a25dc1-7764-4a0b-89c0-b60e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"first_observed": "2017-08-27T05:51:40Z",
|
|
"last_observed": "2017-08-27T05:51:40Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"email-message--59a25dc1-7764-4a0b-89c0-b60e02de0b81",
|
|
"file--59a25dc1-7764-4a0b-89c0-b60e02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-attachment\"",
|
|
"misp:category=\"Payload delivery\""
|
|
]
|
|
},
|
|
{
|
|
"type": "email-message",
|
|
"spec_version": "2.1",
|
|
"id": "email-message--59a25dc1-7764-4a0b-89c0-b60e02de0b81",
|
|
"is_multipart": true,
|
|
"body_multipart": [
|
|
{
|
|
"body_raw_ref": "file--59a25dc1-7764-4a0b-89c0-b60e02de0b81",
|
|
"content_disposition": "attachment; filename='Выписка по счету.docx'"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"type": "file",
|
|
"spec_version": "2.1",
|
|
"id": "file--59a25dc1-7764-4a0b-89c0-b60e02de0b81",
|
|
"name": "Выписка по счету.docx"
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59a25dc1-db3c-46fb-bd1c-b60e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"first_observed": "2017-08-27T05:51:40Z",
|
|
"last_observed": "2017-08-27T05:51:40Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"email-message--59a25dc1-db3c-46fb-bd1c-b60e02de0b81",
|
|
"file--59a25dc1-db3c-46fb-bd1c-b60e02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-attachment\"",
|
|
"misp:category=\"Payload delivery\""
|
|
]
|
|
},
|
|
{
|
|
"type": "email-message",
|
|
"spec_version": "2.1",
|
|
"id": "email-message--59a25dc1-db3c-46fb-bd1c-b60e02de0b81",
|
|
"is_multipart": true,
|
|
"body_multipart": [
|
|
{
|
|
"body_raw_ref": "file--59a25dc1-db3c-46fb-bd1c-b60e02de0b81",
|
|
"content_disposition": "attachment; filename='Выписка по карте.docx'"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"type": "file",
|
|
"spec_version": "2.1",
|
|
"id": "file--59a25dc1-db3c-46fb-bd1c-b60e02de0b81",
|
|
"name": "Выписка по карте.docx"
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59a25dc1-36c4-412d-8b6d-b60e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"first_observed": "2017-08-27T05:51:40Z",
|
|
"last_observed": "2017-08-27T05:51:40Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"email-message--59a25dc1-36c4-412d-8b6d-b60e02de0b81",
|
|
"file--59a25dc1-36c4-412d-8b6d-b60e02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-attachment\"",
|
|
"misp:category=\"Payload delivery\""
|
|
]
|
|
},
|
|
{
|
|
"type": "email-message",
|
|
"spec_version": "2.1",
|
|
"id": "email-message--59a25dc1-36c4-412d-8b6d-b60e02de0b81",
|
|
"is_multipart": true,
|
|
"body_multipart": [
|
|
{
|
|
"body_raw_ref": "file--59a25dc1-36c4-412d-8b6d-b60e02de0b81",
|
|
"content_disposition": "attachment; filename='Выписка по карте клиента.docx'"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"type": "file",
|
|
"spec_version": "2.1",
|
|
"id": "file--59a25dc1-36c4-412d-8b6d-b60e02de0b81",
|
|
"name": "Выписка по карте клиента.docx"
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59a25dc1-9058-4d49-b0e9-b60e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"first_observed": "2017-08-27T05:51:40Z",
|
|
"last_observed": "2017-08-27T05:51:40Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"email-message--59a25dc1-9058-4d49-b0e9-b60e02de0b81",
|
|
"file--59a25dc1-9058-4d49-b0e9-b60e02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-attachment\"",
|
|
"misp:category=\"Payload delivery\""
|
|
]
|
|
},
|
|
{
|
|
"type": "email-message",
|
|
"spec_version": "2.1",
|
|
"id": "email-message--59a25dc1-9058-4d49-b0e9-b60e02de0b81",
|
|
"is_multipart": true,
|
|
"body_multipart": [
|
|
{
|
|
"body_raw_ref": "file--59a25dc1-9058-4d49-b0e9-b60e02de0b81",
|
|
"content_disposition": "attachment; filename='12.docx'"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"type": "file",
|
|
"spec_version": "2.1",
|
|
"id": "file--59a25dc1-9058-4d49-b0e9-b60e02de0b81",
|
|
"name": "12.docx"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--59a25dd9-bf68-45c0-9374-494302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "Last week, the Ukrainian Central Bank issued a warning around an attack being launched against Ukrainian banks. Thanks to one of our contacts in the region, we received the malware at an early stage and were able to provide coverage for our customers\u2014always our first priority. Now that local authorities have publicly disclosed the matter, we would like to share some insights into the campaign.\r\n\r\nThe attacks appear to have targeted banks in Russia as well as Ukraine, and we are aware of reports of similar attack vectors and payloads in other countries.\r\n\r\nThe initial threat started with emails sent to the banks around August 10, 2017, and a second wave on August 18 that carried attachments containing a payload. The subjects of the emails were chosen to get the attention of the users and lure them into opening the attachments."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59a25dec-e044-4ab0-a56f-b60e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"description": "- Xchecked via VT: 647572d133677882f52843f799375ac77178616bcd3d9ed13b95d49eecfd0a51",
|
|
"pattern": "[file:hashes.SHA1 = '583570d92cc49ec7661c055c4900c439446307f9']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-08-27T05:51:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59a25dec-a75c-45e3-89eb-b60e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"description": "- Xchecked via VT: 647572d133677882f52843f799375ac77178616bcd3d9ed13b95d49eecfd0a51",
|
|
"pattern": "[file:hashes.MD5 = '4eee1c5db5c4678cfa7ad6262a18253d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-08-27T05:51:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59a25dec-f1ac-4268-8c34-b60e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"first_observed": "2017-08-27T05:51:40Z",
|
|
"last_observed": "2017-08-27T05:51:40Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59a25dec-f1ac-4268-8c34-b60e02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59a25dec-f1ac-4268-8c34-b60e02de0b81",
|
|
"value": "https://www.virustotal.com/file/647572d133677882f52843f799375ac77178616bcd3d9ed13b95d49eecfd0a51/analysis/1503366922/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59a25dec-cd54-489e-ada2-b60e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"description": "- Xchecked via VT: e9d843761df7f6ef193d9f8e88d93a90816f2067fdd51a1c0765dfbfd4cb398f",
|
|
"pattern": "[file:hashes.SHA1 = 'dfaa3825b6bf2fc21978bf3234f38ffbd2966b96']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-08-27T05:51:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59a25dec-eb38-4439-88b3-b60e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"description": "- Xchecked via VT: e9d843761df7f6ef193d9f8e88d93a90816f2067fdd51a1c0765dfbfd4cb398f",
|
|
"pattern": "[file:hashes.MD5 = '98c5c33f5c0bd07ac3e24935edab202a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-08-27T05:51:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59a25dec-7f9c-4fd1-8047-b60e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"first_observed": "2017-08-27T05:51:40Z",
|
|
"last_observed": "2017-08-27T05:51:40Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59a25dec-7f9c-4fd1-8047-b60e02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59a25dec-7f9c-4fd1-8047-b60e02de0b81",
|
|
"value": "https://www.virustotal.com/file/e9d843761df7f6ef193d9f8e88d93a90816f2067fdd51a1c0765dfbfd4cb398f/analysis/1503021378/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59a25dec-5794-402f-a588-b60e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"description": "- Xchecked via VT: 1892154cc47e8a1bc81186d131e001a22e4edbc4fd88688eb1782b934e1941b6",
|
|
"pattern": "[file:hashes.SHA1 = 'a85e66a654ca056a14f64516af62e82c07036e06']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-08-27T05:51:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59a25dec-2500-44c2-b562-b60e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"description": "- Xchecked via VT: 1892154cc47e8a1bc81186d131e001a22e4edbc4fd88688eb1782b934e1941b6",
|
|
"pattern": "[file:hashes.MD5 = 'cfc0b41a7cde01333f10d48e9997d293']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-08-27T05:51:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59a25dec-0d44-442b-b613-b60e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"first_observed": "2017-08-27T05:51:40Z",
|
|
"last_observed": "2017-08-27T05:51:40Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59a25dec-0d44-442b-b613-b60e02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59a25dec-0d44-442b-b613-b60e02de0b81",
|
|
"value": "https://www.virustotal.com/file/1892154cc47e8a1bc81186d131e001a22e4edbc4fd88688eb1782b934e1941b6/analysis/1503475768/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59a25dec-a084-4101-8ba1-b60e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"description": "- Xchecked via VT: 430c1bfa22e0f7b0e8742c0d70b8911089ba58645818e4281d7066d1324a3952",
|
|
"pattern": "[file:hashes.SHA1 = 'a8bcbaedfbd3eff1e3d5005c35bd8f4c4f6f325c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-08-27T05:51:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59a25dec-2e20-4de3-90c2-b60e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"description": "- Xchecked via VT: 430c1bfa22e0f7b0e8742c0d70b8911089ba58645818e4281d7066d1324a3952",
|
|
"pattern": "[file:hashes.MD5 = '5df8067a6fcb6c45c3b5c14adb944806']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-08-27T05:51:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59a25dec-6aa8-4213-a915-b60e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"first_observed": "2017-08-27T05:51:40Z",
|
|
"last_observed": "2017-08-27T05:51:40Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59a25dec-6aa8-4213-a915-b60e02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59a25dec-6aa8-4213-a915-b60e02de0b81",
|
|
"value": "https://www.virustotal.com/file/430c1bfa22e0f7b0e8742c0d70b8911089ba58645818e4281d7066d1324a3952/analysis/1503474922/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59a25dec-bc48-4a8a-8977-b60e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"description": "- Xchecked via VT: ecc055974d7d190871dc4eb1bf1f8b998d6e8abf04dba2ff560ae395aeec4d5d",
|
|
"pattern": "[file:hashes.SHA1 = '5983b31b80b7f3d84d9d0436574a7351d8522e9c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-08-27T05:51:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59a25dec-355c-4c9b-8590-b60e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"description": "- Xchecked via VT: ecc055974d7d190871dc4eb1bf1f8b998d6e8abf04dba2ff560ae395aeec4d5d",
|
|
"pattern": "[file:hashes.MD5 = 'c43f1716d6dbb243f0b8cd92944a04bd']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-08-27T05:51:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59a25dec-c0d8-4432-a038-b60e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-08-27T05:51:40.000Z",
|
|
"modified": "2017-08-27T05:51:40.000Z",
|
|
"first_observed": "2017-08-27T05:51:40Z",
|
|
"last_observed": "2017-08-27T05:51:40Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59a25dec-c0d8-4432-a038-b60e02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59a25dec-c0d8-4432-a038-b60e02de0b81",
|
|
"value": "https://www.virustotal.com/file/ecc055974d7d190871dc4eb1bf1f8b998d6e8abf04dba2ff560ae395aeec4d5d/analysis/1503475773/"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |