{
"type": "bundle",
"id": "bundle--5a3cbdf8-172c-4738-9b96-c31d950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-30T14:28:47.000Z",
"modified": "2018-10-30T14:28:47.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--5a3cbdf8-172c-4738-9b96-c31d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-10-30T14:28:47.000Z",
"modified": "2018-10-30T14:28:47.000Z",
"name": "OSINT - Digmine Cryptocurrency Miner Spreading via Facebook Messenger",
"context": "suspicious-activity",
"object_refs": [
"observed-data--5a3cbe23-e3fc-4f14-8aad-55ea950d210f",
"url--5a3cbe23-e3fc-4f14-8aad-55ea950d210f",
"x-misp-attribute--5a5cbdca-e130-4082-b292-44c2950d210f",
"indicator--5a5cbf71-02d0-4661-94ac-48c4950d210f",
"indicator--5a5cbf72-c6a8-4c3e-902e-40e3950d210f",
"indicator--5a5cbf73-2cc8-4645-ab88-464f950d210f",
"indicator--5a5cbf73-8c2c-4b1d-be95-40dd950d210f",
"indicator--5a5cbf73-59d0-4ddb-a95d-4a41950d210f",
"indicator--5a5cbf74-d9c4-4822-a6da-498a950d210f",
"indicator--5a5cbf74-2274-4921-aa86-40ef950d210f",
"indicator--5a5cbf75-d1c4-47b5-b69d-4f2e950d210f",
"indicator--5a5cbf76-2460-4448-970d-4de2950d210f",
"indicator--5a5cbf76-0f24-480e-a813-4d2e950d210f",
"indicator--5a5cbf76-4d2c-4785-9161-430b950d210f",
"indicator--5a5cbfe3-c574-4f96-978e-42b7950d210f",
"indicator--5a5cbfe4-f630-44c2-9af1-4329950d210f",
"indicator--5a5cbfe4-cd54-4c67-8652-4b98950d210f",
"indicator--c9227520-0ad9-46ab-95c3-cbccbfca0d41",
"x-misp-object--84ba4228-3be2-4c13-875f-52799e79680f",
"indicator--96f46bd7-e112-46d4-b676-1bbb1d0065a4",
"x-misp-object--e48a8058-0d5c-45fe-b3a3-5b1a52e928e6",
"relationship--7895f26f-c839-4bc9-b222-1ed407edebd0",
"relationship--fc1da9a6-0ca9-4a0b-8865-e687134ed26d"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"Digmine\"",
"dnc:malware-type=\"CoinMiner\"",
"workflow:state=\"complete\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a3cbe23-e3fc-4f14-8aad-55ea950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-09T14:01:54.000Z",
"modified": "2018-02-09T14:01:54.000Z",
"first_observed": "2018-02-09T14:01:54Z",
"last_observed": "2018-02-09T14:01:54Z",
"number_observed": 1,
"object_refs": [
"url--5a3cbe23-e3fc-4f14-8aad-55ea950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a3cbe23-e3fc-4f14-8aad-55ea950d210f",
"value": "http://blog.trendmicro.com/trendlabs-security-intelligence/digmine-cryptocurrency-miner-spreading-via-facebook-messenger/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5a5cbdca-e130-4082-b292-44c2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-09T14:01:55.000Z",
"modified": "2018-02-09T14:01:55.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "We found a new cryptocurrency-mining bot spreading through Facebook Messenger, which we first observed in South Korea. We named this Digmine based on the moniker (\ube44\ud2b8\ucf54\uc778 \ucc44\uad74\uae30 bot) it was referred to in a report of recent related incidents in South Korea. We\u2019ve also seen Digmine spreading in other regions such as Vietnam, Azerbaijan, Ukraine, Philippines, Thailand, and Venezuela. It\u2019s not far-off for Digmine to reach other countries given the way it propagates."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5cbf71-02d0-4661-94ac-48c4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-09T14:01:55.000Z",
"modified": "2018-02-09T14:01:55.000Z",
"description": "C&C",
"pattern": "[domain-name:value = 'vijus.bid']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-09T14:01:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5cbf72-c6a8-4c3e-902e-40e3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-09T14:01:55.000Z",
"modified": "2018-02-09T14:01:55.000Z",
"description": "C&C",
"pattern": "[domain-name:value = 'ozivu.bid']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-09T14:01:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5cbf73-2cc8-4645-ab88-464f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-09T14:01:56.000Z",
"modified": "2018-02-09T14:01:56.000Z",
"description": "C&C",
"pattern": "[domain-name:value = 'thisdayfunnyday.space']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-09T14:01:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5cbf73-8c2c-4b1d-be95-40dd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-09T14:01:56.000Z",
"modified": "2018-02-09T14:01:56.000Z",
"description": "C&C",
"pattern": "[domain-name:value = 'thisaworkstation.space']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-09T14:01:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5cbf73-59d0-4ddb-a95d-4a41950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-09T14:01:57.000Z",
"modified": "2018-02-09T14:01:57.000Z",
"description": "C&C",
"pattern": "[domain-name:value = 'mybigthink.space']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-09T14:01:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5cbf74-d9c4-4822-a6da-498a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-09T14:01:57.000Z",
"modified": "2018-02-09T14:01:57.000Z",
"description": "C&C",
"pattern": "[domain-name:value = 'mokuz.bid']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-09T14:01:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5cbf74-2274-4921-aa86-40ef950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-09T14:01:57.000Z",
"modified": "2018-02-09T14:01:57.000Z",
"description": "C&C",
"pattern": "[domain-name:value = 'pabus.bid']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-09T14:01:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5cbf75-d1c4-47b5-b69d-4f2e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-09T14:01:58.000Z",
"modified": "2018-02-09T14:01:58.000Z",
"description": "C&C",
"pattern": "[domain-name:value = 'yezav.bid']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-09T14:01:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5cbf76-2460-4448-970d-4de2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-09T14:01:58.000Z",
"modified": "2018-02-09T14:01:58.000Z",
"description": "C&C",
"pattern": "[domain-name:value = 'bigih.bid']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-09T14:01:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5cbf76-0f24-480e-a813-4d2e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-09T14:01:59.000Z",
"modified": "2018-02-09T14:01:59.000Z",
"description": "C&C",
"pattern": "[domain-name:value = 'taraz.bid']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-09T14:01:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5cbf76-4d2c-4785-9161-430b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-09T14:01:59.000Z",
"modified": "2018-02-09T14:01:59.000Z",
"description": "C&C",
"pattern": "[domain-name:value = 'megu.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-09T14:01:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5cbfe3-c574-4f96-978e-42b7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T14:51:15.000Z",
"modified": "2018-01-15T14:51:15.000Z",
"description": "detected as TROJ_DIGMINEIN.A",
"pattern": "[file:hashes.SHA256 = 'beb7274d78c63aa44515fe6bbfd324f49ec2cc0b8650aeb2d6c8ab61a0ae9f1d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T14:51:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5cbfe4-f630-44c2-9af1-4329950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T14:51:16.000Z",
"modified": "2018-01-15T14:51:16.000Z",
"description": "detected as BREX_DIGMINEEX.A",
"pattern": "[file:hashes.SHA256 = '5a5b8551a82c57b683f9bd8ba49aefeab3d7c9d299a2d2cb446816cd15d3b3e9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T14:51:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5cbfe4-cd54-4c67-8652-4b98950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T14:51:16.000Z",
"modified": "2018-01-15T14:51:16.000Z",
"description": "detected as TROJ_DIGMINE.A",
"pattern": "[file:hashes.SHA256 = 'f7e0398ae1f5a2f48055cf712b08972a1b6eb14579333bf038d37ed862c55909']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T14:51:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c9227520-0ad9-46ab-95c3-cbccbfca0d41",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-09T14:02:03.000Z",
"modified": "2018-02-09T14:02:03.000Z",
"pattern": "[file:hashes.MD5 = 'd0857aba2c626d554c6982d2d2d4db8a' AND file:hashes.SHA1 = '772e3fab70b1c8339064d2a8b75413819d9e4a5d' AND file:hashes.SHA256 = 'beb7274d78c63aa44515fe6bbfd324f49ec2cc0b8650aeb2d6c8ab61a0ae9f1d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-09T14:02:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--84ba4228-3be2-4c13-875f-52799e79680f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-09T14:02:01.000Z",
"modified": "2018-02-09T14:02:01.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/beb7274d78c63aa44515fe6bbfd324f49ec2cc0b8650aeb2d6c8ab61a0ae9f1d/analysis/1515510769/",
"category": "External analysis",
"comment": "detected as TROJ_DIGMINEIN.A",
"uuid": "5a7da9d9-1868-4623-acc4-7f4202de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "47/67",
"category": "Other",
"comment": "detected as TROJ_DIGMINEIN.A",
"uuid": "5a7da9da-8140-46c2-be5b-7f4202de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-01-09 15:12:49",
"category": "Other",
"comment": "detected as TROJ_DIGMINEIN.A",
"uuid": "5a7da9da-16a0-438f-abe8-7f4202de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--96f46bd7-e112-46d4-b676-1bbb1d0065a4",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-09T14:02:05.000Z",
"modified": "2018-02-09T14:02:05.000Z",
"pattern": "[file:hashes.MD5 = '8f7ac245965e43d521bf6870ef3ff924' AND file:hashes.SHA1 = 'c5db86423e0f50a46daea2f3025fad7d9b7b0d1c' AND file:hashes.SHA256 = 'f7e0398ae1f5a2f48055cf712b08972a1b6eb14579333bf038d37ed862c55909']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-09T14:02:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--e48a8058-0d5c-45fe-b3a3-5b1a52e928e6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-09T14:02:04.000Z",
"modified": "2018-02-09T14:02:04.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/f7e0398ae1f5a2f48055cf712b08972a1b6eb14579333bf038d37ed862c55909/analysis/1515510846/",
"category": "External analysis",
"comment": "detected as TROJ_DIGMINE.A",
"uuid": "5a7da9dc-fb64-4968-bff4-7f4202de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "45/67",
"category": "Other",
"comment": "detected as TROJ_DIGMINE.A",
"uuid": "5a7da9dc-2c44-478f-90d7-7f4202de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-01-09 15:14:06",
"category": "Other",
"comment": "detected as TROJ_DIGMINE.A",
"uuid": "5a7da9dd-d220-4017-b954-7f4202de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7895f26f-c839-4bc9-b222-1ed407edebd0",
"created": "2018-02-16T08:56:38.000Z",
"modified": "2018-02-16T08:56:38.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--c9227520-0ad9-46ab-95c3-cbccbfca0d41",
"target_ref": "x-misp-object--84ba4228-3be2-4c13-875f-52799e79680f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--fc1da9a6-0ca9-4a0b-8865-e687134ed26d",
"created": "2018-02-16T08:56:38.000Z",
"modified": "2018-02-16T08:56:38.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--96f46bd7-e112-46d4-b676-1bbb1d0065a4",
"target_ref": "x-misp-object--e48a8058-0d5c-45fe-b3a3-5b1a52e928e6"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}