misp-circl-feed/feeds/circl/stix-2.1/5a391a35-45c8-4e0b-b580-4cdc950d210f.json


{
"type": "bundle",
"id": "bundle--5a391a35-45c8-4e0b-b580-4cdc950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-21T03:00:48.000Z",
"modified": "2017-12-21T03:00:48.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5a391a35-45c8-4e0b-b580-4cdc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-21T03:00:48.000Z",
"modified": "2017-12-21T03:00:48.000Z",
"name": "OSINT - The Emotet Banking Trojan: Analysis of Dropped Malware Morphing at Scale",
"published": "2017-12-28T13:35:51Z",
"object_refs": [
"observed-data--5a391a5b-1b48-4f03-ad50-18e3950d210f",
"url--5a391a5b-1b48-4f03-ad50-18e3950d210f",
"x-misp-attribute--5a391b26-fa94-4cb9-b69d-1690950d210f",
"indicator--5a391b6c-d4e4-4072-9d3c-1713950d210f",
"indicator--5a391b85-5068-4092-ba25-bfca950d210f",
"indicator--e3be9ae2-cc8e-4629-a7e7-266ea9e25610",
"x-misp-object--c29a6f81-d269-48e2-8e91-585613d1fbd0",
"relationship--422cdaa1-fde2-4f9a-adf5-b95c3cc32a46"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"Emotet\"",
"misp-galaxy:banker=\"Geodo\"",
"type:OSINT",
"osint:source-type=\"blog-post\"",
"ms-caro-malware-full:malware-family=\"Banker\"",
"malware_classification:malware-category=\"Trojan\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a391a5b-1b48-4f03-ad50-18e3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-20T21:37:39.000Z",
"modified": "2017-12-20T21:37:39.000Z",
"first_observed": "2017-12-20T21:37:39Z",
"last_observed": "2017-12-20T21:37:39Z",
"number_observed": 1,
"object_refs": [
"url--5a391a5b-1b48-4f03-ad50-18e3950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a391a5b-1b48-4f03-ad50-18e3950d210f",
"value": "https://blogs.bromium.com/emotet-banking-trojan-malware-analysis/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5a391b26-fa94-4cb9-b69d-1690950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-20T21:37:39.000Z",
"modified": "2017-12-20T21:37:39.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Recently, the Bromium Lab team uncovered a series of samples containing the Emotet banking trojan, which indicates that malware authors are rapidly rewrapping their packed executables and the documents used to distribute them. Based on feedback and further monitoring, we investigated the polymorphic dropped executables in more detail. The results are quite interesting; the samples don\u2019t just feature trivial changes or the addition of random data. Rather, the sample appears like completely different software in many aspects. This allows the samples to avoid signature-based anti-virus as well as package detection and static analysis."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a391b6c-d4e4-4072-9d3c-1713950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-19T14:00:12.000Z",
"modified": "2017-12-19T14:00:12.000Z",
"pattern": "[file:hashes.SHA256 = '906e9607b4ad68eb380a1bd55842b8a7c601a8108c16d1c3d3a1cf74eefeb180' AND file:size = '229000' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-19T14:00:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a391b85-5068-4092-ba25-bfca950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-19T14:00:37.000Z",
"modified": "2017-12-19T14:00:37.000Z",
"pattern": "[file:hashes.SHA256 = 'bcc70a49fab005b4cdbe0cbd87863ec622c6b2c656987d201adbb0e05ec03e56' AND file:size = '95000' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-19T14:00:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e3be9ae2-cc8e-4629-a7e7-266ea9e25610",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-20T21:37:42.000Z",
"modified": "2017-12-20T21:37:42.000Z",
"pattern": "[file:hashes.MD5 = '16b3f663d0f0371a4706642c6ac04e42' AND file:hashes.SHA1 = '3a1f908941311fc357051b5c35fd2a4e0c834e37' AND file:hashes.SHA256 = 'bcc70a49fab005b4cdbe0cbd87863ec622c6b2c656987d201adbb0e05ec03e56']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-20T21:37:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--c29a6f81-d269-48e2-8e91-585613d1fbd0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-20T21:37:39.000Z",
"modified": "2017-12-20T21:37:39.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/bcc70a49fab005b4cdbe0cbd87863ec622c6b2c656987d201adbb0e05ec03e56/analysis/1513344175/",
"category": "External analysis",
"uuid": "5a3ad823-da5c-4c1a-b078-406702de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "53/67",
"category": "Other",
"uuid": "5a3ad823-f67c-4a9a-b75a-4f2802de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2017-12-15T13:22:55",
"category": "Other",
"uuid": "5a3ad823-6f14-43ea-a9e7-43e902de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--422cdaa1-fde2-4f9a-adf5-b95c3cc32a46",
"created": "2017-12-28T13:35:51.000Z",
"modified": "2017-12-28T13:35:51.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--e3be9ae2-cc8e-4629-a7e7-266ea9e25610",
"target_ref": "x-misp-object--c29a6f81-d269-48e2-8e91-585613d1fbd0"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}