795 lines
No EOL
34 KiB
JSON
795 lines
No EOL
34 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--59b2544f-ada4-4fc3-9d6a-4165950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:24.000Z",
|
|
"modified": "2017-09-08T11:45:24.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--59b2544f-ada4-4fc3-9d6a-4165950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:24.000Z",
|
|
"modified": "2017-09-08T11:45:24.000Z",
|
|
"name": "OSINT - Cryptocurrency Miner Uses WMI and EternalBlue To Spread Filelessly",
|
|
"published": "2017-09-08T11:46:16Z",
|
|
"object_refs": [
|
|
"observed-data--59b2546b-4c88-4188-87d1-45b9950d210f",
|
|
"url--59b2546b-4c88-4188-87d1-45b9950d210f",
|
|
"x-misp-attribute--59b25480-ab30-4248-bbf0-48a0950d210f",
|
|
"indicator--59b254d8-945c-43d0-8da1-4e8e950d210f",
|
|
"indicator--59b254d8-d9b8-4fb3-ae60-449b950d210f",
|
|
"indicator--59b254d8-9ea0-4c5b-afba-4462950d210f",
|
|
"indicator--59b254d8-19e0-4c3f-a809-4c5d950d210f",
|
|
"indicator--59b254d8-2504-4dfe-b06f-45fb950d210f",
|
|
"indicator--59b254d8-cdd4-4c1a-afd7-429b950d210f",
|
|
"indicator--59b254d8-8518-4320-896f-442c950d210f",
|
|
"indicator--59b254d8-deb4-4635-b8dc-4ce3950d210f",
|
|
"indicator--59b254d8-70c0-4da4-a58d-45eb950d210f",
|
|
"indicator--59b254d8-7260-4919-a3a8-4e08950d210f",
|
|
"indicator--59b282c7-550c-474a-8043-4c6002de0b81",
|
|
"indicator--59b282c7-6d80-456d-b7fc-4d2202de0b81",
|
|
"observed-data--59b282c7-4804-4c95-aeb7-458902de0b81",
|
|
"url--59b282c7-4804-4c95-aeb7-458902de0b81",
|
|
"indicator--59b282c7-0604-4602-8aa7-404402de0b81",
|
|
"indicator--59b282c7-d0a8-416a-8f6e-4a8d02de0b81",
|
|
"observed-data--59b282c7-623c-4671-aa81-4e5602de0b81",
|
|
"url--59b282c7-623c-4671-aa81-4e5602de0b81",
|
|
"indicator--59b282c7-e34c-4990-9c23-487b02de0b81",
|
|
"indicator--59b282c7-7b20-4814-bf08-400c02de0b81",
|
|
"observed-data--59b282c7-ba08-43fe-be7f-446002de0b81",
|
|
"url--59b282c7-ba08-43fe-be7f-446002de0b81",
|
|
"indicator--59b282c7-d94c-4fb5-aee2-49a302de0b81",
|
|
"indicator--59b282c7-bd4c-4e8f-9040-47c102de0b81",
|
|
"observed-data--59b282c7-abe8-4d72-8b88-4ac302de0b81",
|
|
"url--59b282c7-abe8-4d72-8b88-4ac302de0b81",
|
|
"indicator--59b282c7-e284-4a44-beeb-492302de0b81",
|
|
"indicator--59b282c7-2134-45a0-859b-4a4f02de0b81",
|
|
"observed-data--59b282c7-e034-4c8e-8cc0-412f02de0b81",
|
|
"url--59b282c7-e034-4c8e-8cc0-412f02de0b81",
|
|
"indicator--59b282c7-6edc-4720-a999-4c0602de0b81",
|
|
"indicator--59b282c7-ac74-47f6-8c25-414302de0b81",
|
|
"observed-data--59b282c7-9eb8-4e25-a5f6-47f402de0b81",
|
|
"url--59b282c7-9eb8-4e25-a5f6-47f402de0b81"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"misp-galaxy:tool=\"ETERNALBLUE\"",
|
|
"type:OSINT",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59b2546b-4c88-4188-87d1-45b9950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"first_observed": "2017-09-08T11:45:11Z",
|
|
"last_observed": "2017-09-08T11:45:11Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59b2546b-4c88-4188-87d1-45b9950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59b2546b-4c88-4188-87d1-45b9950d210f",
|
|
"value": "http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--59b25480-ab30-4248-bbf0-48a0950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "Fileless malware can be a difficult threat to analyze and detect. It shouldn\u00e2\u20ac\u2122t be a surprise that an increasing number of new malware threats are fileless, as threat actors use this technique to make both detection and forensic investigation more difficult. We recently found a new cryptocurrency miner (which we detect as TROJ64_COINMINER.QO) that uses this particular technique as well."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59b254d8-945c-43d0-8da1-4e8e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"pattern": "[url:value = 'http://wmi.mykings.top:8888/test.html']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-09-08T11:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59b254d8-d9b8-4fb3-ae60-449b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"pattern": "[url:value = 'http://67.21.90.226:8888/32.zip']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-09-08T11:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59b254d8-9ea0-4c5b-afba-4462950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"description": "detected as TROJ_CONMINER.CFG",
|
|
"pattern": "[file:hashes.SHA256 = '6315657fd523118f51e294e35158f6bd89d032b26fe7749a4de985edc81e5f86']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-09-08T11:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59b254d8-19e0-4c3f-a809-4c5d950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"description": "detected as TROJ_COINMINER.AUSWQ",
|
|
"pattern": "[file:hashes.SHA256 = '674f2df2cdadab5be61271550605163a731a2df8f4c79732481cad532f00525d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-09-08T11:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59b254d8-2504-4dfe-b06f-45fb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"description": "detected as TROJ_CONMINER.CFG",
|
|
"pattern": "[file:hashes.SHA256 = '8c5bb89596cd732af59693b8da021a872fee9b3696927b61d4387b427834c461']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-09-08T11:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59b254d8-cdd4-4c1a-afd7-429b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"description": "detected as BKDR_FORSHARE.A",
|
|
"pattern": "[file:hashes.SHA256 = 'a095f60ff79470c99752b73f8286b78926bc46eb2168b3ecd4783505a204a3b0']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-09-08T11:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59b254d8-8518-4320-896f-442c950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"description": "detected as BKDR_FORSHARE.B",
|
|
"pattern": "[file:hashes.SHA256 = 'e6fc79a24d40aea81afdc7886a05f008385661a518422b22873d34496c3fb36b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-09-08T11:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59b254d8-deb4-4635-b8dc-4ce3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"description": "detected as TROJ64_COINMINER.QO",
|
|
"pattern": "[file:hashes.SHA256 = 'f37a0d5f11078ef296a7c032b787f8fa485d73b0115cbd24d62cdf2c1a810625']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-09-08T11:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59b254d8-70c0-4da4-a58d-45eb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"pattern": "[domain-name:value = 'ftp.oo000oo.me']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-09-08T11:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59b254d8-7260-4919-a3a8-4e08950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"description": "On port 8888",
|
|
"pattern": "[domain-name:value = 'wmi.mykings.top']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-09-08T11:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59b282c7-550c-474a-8043-4c6002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"description": "detected as TROJ64_COINMINER.QO - Xchecked via VT: f37a0d5f11078ef296a7c032b787f8fa485d73b0115cbd24d62cdf2c1a810625",
|
|
"pattern": "[file:hashes.SHA1 = '2db34fb90ec273120afa831cde91a5a7158b8fe6']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-09-08T11:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59b282c7-6d80-456d-b7fc-4d2202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"description": "detected as TROJ64_COINMINER.QO - Xchecked via VT: f37a0d5f11078ef296a7c032b787f8fa485d73b0115cbd24d62cdf2c1a810625",
|
|
"pattern": "[file:hashes.MD5 = '010a7fa751f4a64c989eacabf58c8fbf']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-09-08T11:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59b282c7-4804-4c95-aeb7-458902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"first_observed": "2017-09-08T11:45:11Z",
|
|
"last_observed": "2017-09-08T11:45:11Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59b282c7-4804-4c95-aeb7-458902de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59b282c7-4804-4c95-aeb7-458902de0b81",
|
|
"value": "https://www.virustotal.com/file/f37a0d5f11078ef296a7c032b787f8fa485d73b0115cbd24d62cdf2c1a810625/analysis/1504867505/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59b282c7-0604-4602-8aa7-404402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"description": "detected as BKDR_FORSHARE.B - Xchecked via VT: e6fc79a24d40aea81afdc7886a05f008385661a518422b22873d34496c3fb36b",
|
|
"pattern": "[file:hashes.SHA1 = '2b10fc7ebad4eb93d1a907cc6f5211be6cf73d5e']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-09-08T11:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59b282c7-d0a8-416a-8f6e-4a8d02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"description": "detected as BKDR_FORSHARE.B - Xchecked via VT: e6fc79a24d40aea81afdc7886a05f008385661a518422b22873d34496c3fb36b",
|
|
"pattern": "[file:hashes.MD5 = 'a206d9e633c7d74a735190299b125271']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-09-08T11:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59b282c7-623c-4671-aa81-4e5602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"first_observed": "2017-09-08T11:45:11Z",
|
|
"last_observed": "2017-09-08T11:45:11Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59b282c7-623c-4671-aa81-4e5602de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59b282c7-623c-4671-aa81-4e5602de0b81",
|
|
"value": "https://www.virustotal.com/file/e6fc79a24d40aea81afdc7886a05f008385661a518422b22873d34496c3fb36b/analysis/1503741182/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59b282c7-e34c-4990-9c23-487b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"description": "detected as BKDR_FORSHARE.A - Xchecked via VT: a095f60ff79470c99752b73f8286b78926bc46eb2168b3ecd4783505a204a3b0",
|
|
"pattern": "[file:hashes.SHA1 = '806027db01b4997f71aefde8a5dbee5b8d9dbe98']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-09-08T11:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59b282c7-7b20-4814-bf08-400c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"description": "detected as BKDR_FORSHARE.A - Xchecked via VT: a095f60ff79470c99752b73f8286b78926bc46eb2168b3ecd4783505a204a3b0",
|
|
"pattern": "[file:hashes.MD5 = 'b6b68faa706f7740dafd8941c4c5e35a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-09-08T11:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59b282c7-ba08-43fe-be7f-446002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"first_observed": "2017-09-08T11:45:11Z",
|
|
"last_observed": "2017-09-08T11:45:11Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59b282c7-ba08-43fe-be7f-446002de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59b282c7-ba08-43fe-be7f-446002de0b81",
|
|
"value": "https://www.virustotal.com/file/a095f60ff79470c99752b73f8286b78926bc46eb2168b3ecd4783505a204a3b0/analysis/1503595356/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59b282c7-d94c-4fb5-aee2-49a302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"description": "detected as TROJ_CONMINER.CFG - Xchecked via VT: 8c5bb89596cd732af59693b8da021a872fee9b3696927b61d4387b427834c461",
|
|
"pattern": "[file:hashes.SHA1 = 'bec02c55c98612ee716bb5956f68e0dd27cf0afc']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-09-08T11:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59b282c7-bd4c-4e8f-9040-47c102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"description": "detected as TROJ_CONMINER.CFG - Xchecked via VT: 8c5bb89596cd732af59693b8da021a872fee9b3696927b61d4387b427834c461",
|
|
"pattern": "[file:hashes.MD5 = '98d615c222293ca937ab4b1b4a7c8118']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-09-08T11:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59b282c7-abe8-4d72-8b88-4ac302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"first_observed": "2017-09-08T11:45:11Z",
|
|
"last_observed": "2017-09-08T11:45:11Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59b282c7-abe8-4d72-8b88-4ac302de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59b282c7-abe8-4d72-8b88-4ac302de0b81",
|
|
"value": "https://www.virustotal.com/file/8c5bb89596cd732af59693b8da021a872fee9b3696927b61d4387b427834c461/analysis/1504836079/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59b282c7-e284-4a44-beeb-492302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"description": "detected as TROJ_COINMINER.AUSWQ - Xchecked via VT: 674f2df2cdadab5be61271550605163a731a2df8f4c79732481cad532f00525d",
|
|
"pattern": "[file:hashes.SHA1 = 'c7c374073b9631c2ce0345a9ff79bb353bd507c1']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-09-08T11:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59b282c7-2134-45a0-859b-4a4f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"description": "detected as TROJ_COINMINER.AUSWQ - Xchecked via VT: 674f2df2cdadab5be61271550605163a731a2df8f4c79732481cad532f00525d",
|
|
"pattern": "[file:hashes.MD5 = 'c0602223c09e444c537b0445d6563304']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-09-08T11:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59b282c7-e034-4c8e-8cc0-412f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"first_observed": "2017-09-08T11:45:11Z",
|
|
"last_observed": "2017-09-08T11:45:11Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59b282c7-e034-4c8e-8cc0-412f02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59b282c7-e034-4c8e-8cc0-412f02de0b81",
|
|
"value": "https://www.virustotal.com/file/674f2df2cdadab5be61271550605163a731a2df8f4c79732481cad532f00525d/analysis/1504335809/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59b282c7-6edc-4720-a999-4c0602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"description": "detected as TROJ_CONMINER.CFG - Xchecked via VT: 6315657fd523118f51e294e35158f6bd89d032b26fe7749a4de985edc81e5f86",
|
|
"pattern": "[file:hashes.SHA1 = '53267b43122ed52aba6ec9faa50397f311a295e8']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-09-08T11:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59b282c7-ac74-47f6-8c25-414302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"description": "detected as TROJ_CONMINER.CFG - Xchecked via VT: 6315657fd523118f51e294e35158f6bd89d032b26fe7749a4de985edc81e5f86",
|
|
"pattern": "[file:hashes.MD5 = '830b8dc142f16aa928ada0e271a58572']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-09-08T11:45:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59b282c7-9eb8-4e25-a5f6-47f402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-09-08T11:45:11.000Z",
|
|
"modified": "2017-09-08T11:45:11.000Z",
|
|
"first_observed": "2017-09-08T11:45:11Z",
|
|
"last_observed": "2017-09-08T11:45:11Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59b282c7-9eb8-4e25-a5f6-47f402de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59b282c7-9eb8-4e25-a5f6-47f402de0b81",
|
|
"value": "https://www.virustotal.com/file/6315657fd523118f51e294e35158f6bd89d032b26fe7749a4de985edc81e5f86/analysis/1504835923/"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |