adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/56af2d05-bff0-4753-b2ed-4074950d210f.json

853 lines
No EOL
38 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--56af2d05-bff0-4753-b2ed-4074950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-05-27T10:59:19.000Z",
"modified": "2016-05-27T10:59:19.000Z",
"name": "CthulhuSPRL.be",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--56af2d05-bff0-4753-b2ed-4074950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-05-27T10:59:19.000Z",
"modified": "2016-05-27T10:59:19.000Z",
"name": "OSINT Introducing Hi-Zor RAT by Fidelis",
"published": "2017-01-11T17:49:03Z",
"object_refs": [
"observed-data--56af2dae-5358-441d-97bb-4223950d210f",
"url--56af2dae-5358-441d-97bb-4223950d210f",
"observed-data--56af2dcd-37b0-4f5e-a760-4070950d210f",
"url--56af2dcd-37b0-4f5e-a760-4070950d210f",
"indicator--56af2dec-db54-40ed-b12d-44a0950d210f",
"indicator--56af2ded-7a50-467f-ab41-4bfd950d210f",
"indicator--56af2ded-ca60-403e-9d3f-4028950d210f",
"indicator--56af2ded-9dcc-4ff4-ae67-466f950d210f",
"indicator--56af2e69-a158-4af8-ad95-4d71950d210f",
"indicator--56af2e95-0ee4-4e07-a2eb-4f0a950d210f",
"indicator--56af2e95-d8b8-47f7-bbfc-459c950d210f",
"observed-data--56af2ede-7140-40ad-a15b-480b950d210f",
"url--56af2ede-7140-40ad-a15b-480b950d210f",
"indicator--56af2f2c-a788-438e-a8d9-40ac950d210f",
"indicator--56af2f2c-2804-426b-8aba-4153950d210f",
"indicator--56af2f3e-c1dc-43c9-987d-463a950d210f",
"indicator--56af2f3f-4ca0-430e-936b-42c7950d210f",
"indicator--56af2f63-55a8-42a4-b2fa-46df950d210f",
"indicator--56af2f64-05c0-4c4e-b1e0-4f05950d210f",
"indicator--56af2f7e-d078-4748-b2c6-42b8950d210f",
"indicator--56af2f7f-e2d0-4ad6-9b66-4c90950d210f",
"indicator--56af300e-4698-4085-b38e-490602de0b81",
"observed-data--56af300e-49c0-4299-b3fb-48df02de0b81",
"url--56af300e-49c0-4299-b3fb-48df02de0b81",
"indicator--56af300f-ce4c-4d37-962a-4bd402de0b81",
"observed-data--56af300f-6d5c-424b-8f79-434502de0b81",
"url--56af300f-6d5c-424b-8f79-434502de0b81",
"indicator--56af300f-4f1c-42db-ba5f-441702de0b81",
"observed-data--56af3010-9ef8-4f11-a983-486f02de0b81",
"url--56af3010-9ef8-4f11-a983-486f02de0b81",
"indicator--56af3010-01a0-498b-ba3b-401602de0b81",
"observed-data--56af3010-ee54-4140-b790-491102de0b81",
"url--56af3010-ee54-4140-b790-491102de0b81",
"indicator--56af414a-6ae0-4748-874f-4406950d210f",
"x-misp-attribute--56af4183-6a04-4a4c-bebc-4172950d210f",
"indicator--56af41a1-8fb0-4db8-b6a5-4455950d210f",
"indicator--56af41b8-f8b8-4dfd-94d6-4ff5950d210f",
"indicator--56af41c7-0ed4-4bbd-9da9-4b7e950d210f",
"x-misp-attribute--56af4229-082c-493b-96b5-40c8950d210f",
"indicator--56af423c-2de8-4e99-88c5-4d35950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56af2dae-5358-441d-97bb-4223950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:04:30.000Z",
"modified": "2016-02-01T10:04:30.000Z",
"first_observed": "2016-02-01T10:04:30Z",
"last_observed": "2016-02-01T10:04:30Z",
"number_observed": 1,
"object_refs": [
"url--56af2dae-5358-441d-97bb-4223950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56af2dae-5358-441d-97bb-4223950d210f",
"value": "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56af2dcd-37b0-4f5e-a760-4070950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:05:01.000Z",
"modified": "2016-02-01T10:05:01.000Z",
"first_observed": "2016-02-01T10:05:01Z",
"last_observed": "2016-02-01T10:05:01Z",
"number_observed": 1,
"object_refs": [
"url--56af2dcd-37b0-4f5e-a760-4070950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56af2dcd-37b0-4f5e-a760-4070950d210f",
"value": "https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af2dec-db54-40ed-b12d-44a0950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T11:25:49.000Z",
"modified": "2016-02-01T11:25:49.000Z",
"description": "rat payload for inocnation campaign,12/15/2015",
"pattern": "[file:hashes.MD5 = '75d3d1f23628122a64a2f1b7ef33f5cf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T11:25:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af2ded-7a50-467f-ab41-4bfd950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:05:33.000Z",
"modified": "2016-02-01T10:05:33.000Z",
"pattern": "[file:hashes.SHA256 = 'cd07ac5947c643854375603800a4f70e2dfe202c8a1f801204328921cb3a2a4c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T10:05:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af2ded-ca60-403e-9d3f-4028950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:05:33.000Z",
"modified": "2016-02-01T10:05:33.000Z",
"pattern": "[file:hashes.MD5 = 'f25cc334809bd1c36fd94184177de8a4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T10:05:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af2ded-9dcc-4ff4-ae67-466f950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:05:33.000Z",
"modified": "2016-02-01T10:05:33.000Z",
"pattern": "[file:hashes.SHA256 = '2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T10:05:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af2e69-a158-4af8-ad95-4d71950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:07:37.000Z",
"modified": "2016-02-01T10:07:37.000Z",
"pattern": "[network-traffic:extensions.'http-request-ext'.request_header.'User-Agent' = 'iexplorer']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T10:07:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"user-agent\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af2e95-0ee4-4e07-a2eb-4f0a950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:08:21.000Z",
"modified": "2016-02-01T10:08:21.000Z",
"pattern": "[domain-name:value = 'citrix.vipreclod.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T10:08:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af2e95-d8b8-47f7-bbfc-459c950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:08:29.000Z",
"modified": "2016-02-01T10:08:29.000Z",
"pattern": "[domain-name:value = 'inocnation.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T10:08:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56af2ede-7140-40ad-a15b-480b950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:09:34.000Z",
"modified": "2016-02-01T10:09:34.000Z",
"first_observed": "2016-02-01T10:09:34Z",
"last_observed": "2016-02-01T10:09:34Z",
"number_observed": 1,
"object_refs": [
"url--56af2ede-7140-40ad-a15b-480b950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56af2ede-7140-40ad-a15b-480b950d210f",
"value": "https://github.com/fideliscyber/indicators/tree/master/FTA-1020"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af2f2c-a788-438e-a8d9-40ac950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:10:52.000Z",
"modified": "2016-02-01T10:10:52.000Z",
"description": "initial dropper for inocnation campaign 12/15/2015",
"pattern": "[file:hashes.MD5 = 'a7bd555866ae1c161f78630a638850e7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T10:10:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af2f2c-2804-426b-8aba-4153950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:10:52.000Z",
"modified": "2016-02-01T10:10:52.000Z",
"description": "initial dropper for inocnation campaign 12/15/2015",
"pattern": "[file:hashes.SHA256 = 'fce3dd4bd160b8c0698ca1dfba37bc49b3e1ad80cf77a31741bdbd2fa698be36']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T10:10:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af2f3e-c1dc-43c9-987d-463a950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:11:10.000Z",
"modified": "2016-02-01T10:11:10.000Z",
"description": "rat installer for inocnation campaign 12/15/2015",
"pattern": "[file:hashes.MD5 = '4f4bf27b738ff8f2a89d1bc487b054a8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T10:11:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af2f3f-4ca0-430e-936b-42c7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:11:11.000Z",
"modified": "2016-02-01T10:11:11.000Z",
"description": "rat installer for inocnation campaign 12/15/2015",
"pattern": "[file:hashes.SHA256 = '01a0c03f7e01bc41e91cff5d2610ac22da77dbfd01decf60c486b500390cd3ae']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T10:11:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af2f63-55a8-42a4-b2fa-46df950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:11:47.000Z",
"modified": "2016-02-01T10:11:47.000Z",
"description": "rat payload for inocnation campaign 12/15/2015",
"pattern": "[file:hashes.MD5 = '75d3d1f23628122a64a2f1b7ef33f5cf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T10:11:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af2f64-05c0-4c4e-b1e0-4f05950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:11:48.000Z",
"modified": "2016-02-01T10:11:48.000Z",
"description": "rat payload for inocnation campaign 12/15/2015",
"pattern": "[file:hashes.SHA256 = 'cd07ac5947c643854375603800a4f70e2dfe202c8a1f801204328921cb3a2a4c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T10:11:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af2f7e-d078-4748-b2c6-42b8950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:12:14.000Z",
"modified": "2016-02-01T10:12:14.000Z",
"description": "decoy anyconnect installer used in inocnation campaign 12/15/2015",
"pattern": "[file:hashes.MD5 = '2f7e5f91be1f5be2b2f4fda0910a4c16']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T10:12:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af2f7f-e2d0-4ad6-9b66-4c90950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:12:15.000Z",
"modified": "2016-02-01T10:12:15.000Z",
"description": "decoy anyconnect installer used in inocnation campaign 12/15/2015",
"pattern": "[file:hashes.SHA256 = '1ed0c71298d7e69916fb579772f67109f43c7c9c2809fd80e61fc5e680079663']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T10:12:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af300e-4698-4085-b38e-490602de0b81",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:14:38.000Z",
"modified": "2016-02-01T10:14:38.000Z",
"description": "rat payload for inocnation campaign 12/15/2015 - Xchecked via VT: cd07ac5947c643854375603800a4f70e2dfe202c8a1f801204328921cb3a2a4c",
"pattern": "[file:hashes.SHA1 = '3d7b789e3a630c0bd9db0b3217f72348025b845c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T10:14:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56af300e-49c0-4299-b3fb-48df02de0b81",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:14:38.000Z",
"modified": "2016-02-01T10:14:38.000Z",
"first_observed": "2016-02-01T10:14:38Z",
"last_observed": "2016-02-01T10:14:38Z",
"number_observed": 1,
"object_refs": [
"url--56af300e-49c0-4299-b3fb-48df02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56af300e-49c0-4299-b3fb-48df02de0b81",
"value": "https://www.virustotal.com/file/cd07ac5947c643854375603800a4f70e2dfe202c8a1f801204328921cb3a2a4c/analysis/1453497583/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af300f-ce4c-4d37-962a-4bd402de0b81",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:14:39.000Z",
"modified": "2016-02-01T10:14:39.000Z",
"description": "rat installer for inocnation campaign 12/15/2015 - Xchecked via VT: 01a0c03f7e01bc41e91cff5d2610ac22da77dbfd01decf60c486b500390cd3ae",
"pattern": "[file:hashes.SHA1 = '13a53cbe20908d9b1c705d3901ae87655a87cfb9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T10:14:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56af300f-6d5c-424b-8f79-434502de0b81",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:14:39.000Z",
"modified": "2016-02-01T10:14:39.000Z",
"first_observed": "2016-02-01T10:14:39Z",
"last_observed": "2016-02-01T10:14:39Z",
"number_observed": 1,
"object_refs": [
"url--56af300f-6d5c-424b-8f79-434502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56af300f-6d5c-424b-8f79-434502de0b81",
"value": "https://www.virustotal.com/file/01a0c03f7e01bc41e91cff5d2610ac22da77dbfd01decf60c486b500390cd3ae/analysis/1450425230/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af300f-4f1c-42db-ba5f-441702de0b81",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:14:39.000Z",
"modified": "2016-02-01T10:14:39.000Z",
"description": "initial dropper for inocnation campaign 12/15/2015 - Xchecked via VT: fce3dd4bd160b8c0698ca1dfba37bc49b3e1ad80cf77a31741bdbd2fa698be36",
"pattern": "[file:hashes.SHA1 = 'b38a8747f2fe62d9f57921154f5d6829688a7ab7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T10:14:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56af3010-9ef8-4f11-a983-486f02de0b81",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:14:40.000Z",
"modified": "2016-02-01T10:14:40.000Z",
"first_observed": "2016-02-01T10:14:40Z",
"last_observed": "2016-02-01T10:14:40Z",
"number_observed": 1,
"object_refs": [
"url--56af3010-9ef8-4f11-a983-486f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56af3010-9ef8-4f11-a983-486f02de0b81",
"value": "https://www.virustotal.com/file/fce3dd4bd160b8c0698ca1dfba37bc49b3e1ad80cf77a31741bdbd2fa698be36/analysis/1450425880/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af3010-01a0-498b-ba3b-401602de0b81",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:14:40.000Z",
"modified": "2016-02-01T10:14:40.000Z",
"description": "- Xchecked via VT: 2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca",
"pattern": "[file:hashes.SHA1 = '8a34521175b66e073ee34870263d55611b38b1da']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T10:14:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56af3010-ee54-4140-b790-491102de0b81",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T10:14:40.000Z",
"modified": "2016-02-01T10:14:40.000Z",
"first_observed": "2016-02-01T10:14:40Z",
"last_observed": "2016-02-01T10:14:40Z",
"number_observed": 1,
"object_refs": [
"url--56af3010-ee54-4140-b790-491102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56af3010-ee54-4140-b790-491102de0b81",
"value": "https://www.virustotal.com/file/2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca/analysis/1452694847/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af414a-6ae0-4748-874f-4406950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T11:28:10.000Z",
"modified": "2016-02-01T11:28:10.000Z",
"description": "Domain used by INOCNATION campaign,12/15/2015",
"pattern": "[domain-name:value = 'mail.cbppnews.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T11:28:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--56af4183-6a04-4a4c-bebc-4172950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T11:29:07.000Z",
"modified": "2016-02-01T11:29:07.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "INOCNATION"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af41a1-8fb0-4db8-b6a5-4455950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T11:29:37.000Z",
"modified": "2016-02-01T11:29:37.000Z",
"description": "IP used by INOCNATION (inocnation.com) current as of this date,12/15/2015",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '87.193.23.40']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T11:29:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af41b8-f8b8-4dfd-94d6-4ff5950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T11:30:00.000Z",
"modified": "2016-02-01T11:30:00.000Z",
"description": "Previous IP used by INOCNATION (inocnation.com) used until Oct 2015,12/15/2015",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '211.104.106.41']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T11:30:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af41c7-0ed4-4bbd-9da9-4b7e950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T11:30:15.000Z",
"modified": "2016-02-01T11:30:15.000Z",
"description": "IP used by INOCNATION (mail.cbppnews.com) current as of this date,12/15/2015",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '202.172.32.160']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-01T11:30:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--56af4229-082c-493b-96b5-40c8950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-01T11:31:53.000Z",
"modified": "2016-02-01T11:31:53.000Z",
"labels": [
"misp:type=\"pattern-in-memory\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_type": "pattern-in-memory",
"x_misp_value": "1a53b0cp32e46g0qio9"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56af423c-2de8-4e99-88c5-4d35950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-05-27T10:59:19.000Z",
"modified": "2016-05-27T10:59:19.000Z",
"pattern": "[rule dll_rat_1a53b0cp32e46g0qio7\r\n{\r\nmeta:\r\nhash1 = \"75d3d1f23628122a64a2f1b7ef33f5cf\"\r\nhash2 = \"d9821468315ccd3b9ea03161566ef18e\"\r\nhash3 = \"b9af5f5fd434a65d7aa1b55f5441c90a\"\r\nstrings:\r\n // Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0;rv:11.0) like Gecko\r\n $ = { c7 [2] 64 00 63 00 c7 [2] 69 00 62 00 c7 [2] 7a 00 7e 00 c7 [2] 2d 00 43 00 c7 [2] 59\r\n 00 2d 00 c7 [2] 3b 00 23 00 c7 [2] 3e 00 36 00 c7 [2] 2d 00 5a 00 c7 [2] 42 00 5a 00 c7 [2] 3b 00\r\n 39 00 c7 [2] 36 00 2d 00 c7 [2] 59 00 7f 00 c7 [2] 64 00 69 00 c7 [2] 68 00 63 00 c7 [2] 79 00 22\r\n 00 c7 [2] 3a 00 23 00 c7 [2] 3d 00 36 00 c7 [2] 2d 00 7f 00 c7 [2] 7b 00 37 00 c7 [2] 3c 00 3c 00\r\n c7 [2] 23 00 3d 00 c7 [2] 24 00 2d 00 c7 [2] 61 00 64 00 c7 [2] 66 00 68 00 c7 [2] 2d 00 4a 00 c7\r\n [2] 68 00 6e 00 c7 [2] 66 00 62 00 } // offset 10001566\r\n // Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n $ = { c7 [2] 23 00 24 00 c7 [2] 24 00 33 00 c7 [2] 38 00 22 00 c7 [2] 00 00 33 00 c7 [2] 24\r\n 00 25 00 c7 [2] 3f 00 39 00 c7 [2] 38 00 0a 00 c7 [2] 04 00 23 00 c7 [2] 38 00 00 00 c7 [2] 43 00\r\n 66 00 c7 [2] 6d 00 60 00 c7 [2] 67 00 52 00 c7 [2] 6e 00 63 00 c7 [2] 7b 00 67 00 c7 [2] 70 00 00\r\n 00 c7 [2] 43 00 4d 00 c7 [2] 44 00 00 00 c7 [2] 0f 00 43 00 c7 [2] 00 00 50 00 c7 [2] 49 00 4e 00\r\n c7 [2] 47 00 00 00 c7 [2] 11 00 12 00 c7 [2] 17 00 0e 00 c7 [2] 10 00 0e 00 c7 [2] 10 00 0e 00 c7\r\n [2] 11 00 06 00 c7 [2] 44 00 45 00 c7 [2] 4c 00 00 00 } // 10003D09\r\n $ = { 66 [4-7] 0d 40 83 f8 44 7c ?? }\r\n // xor word ptr [ebp+eax*2+var_5C], 14h\r\n // inc eax\r\n // cmp eax, 14h\r\n // Loop to decode a static string. It reveals the \"1a53b0cp32e46g0qio9\" static string sent in the beacon\r\n $ = { 66 [4-7] 14 40 83 f8 14 7c ?? } // 100017F0\r\n $ = { 66 [4-7] 56 40 83 f8 2d 7c ?? } // 10003621\r\n $ = { 66 [4-7] 20 40 83 f8 1a 7c ?? } // 10003640\r\n $ = { 80 [2-7] 2e 40 3d 50 02 00 00 72 ?? } // 10003930\r\n $ = \"%08x%08x%08x%08x\" wide ascii\r\n $ = \"WinHttpGetIEProxyConfigForCurrentUser\" wide ascii\r\ncondition:\r\n (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f) and (all of them)\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-05-27T10:59:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink