adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/57aaeefd-0bd4-4a41-87ad-4e17950d210f.json

252 lines
No EOL
11 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--57aaeefd-0bd4-4a41-87ad-4e17950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:40:36.000Z",
"modified": "2016-08-10T09:40:36.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--57aaeefd-0bd4-4a41-87ad-4e17950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:40:36.000Z",
"modified": "2016-08-10T09:40:36.000Z",
"name": "OSINT - Cracking Orcus RAT",
"published": "2016-08-10T09:50:13Z",
"object_refs": [
"observed-data--57aaef08-62dc-4948-ac44-473b950d210f",
"url--57aaef08-62dc-4948-ac44-473b950d210f",
"x-misp-attribute--57aaef3b-655c-4274-a59d-4572950d210f",
"indicator--57aaef5f-1808-4585-a00b-497c950d210f",
"indicator--57aaf016-8cf0-439a-b2a6-441002de0b81",
"indicator--57aaf016-ac94-4574-ba76-4b6a02de0b81",
"observed-data--57aaf016-ade0-4582-afcc-4d4602de0b81",
"url--57aaf016-ade0-4582-afcc-4d4602de0b81",
"observed-data--57aaf05f-b420-419c-bcc6-477d950d210f",
"url--57aaf05f-b420-419c-bcc6-477d950d210f",
"indicator--57aaf0e6-c11c-4aa5-99a0-4293950d210f",
"indicator--57aaf0e7-6fec-409e-9459-46ee950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"ms-caro-malware:malware-type=\"RemoteAccess\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57aaef08-62dc-4948-ac44-473b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:08:23.000Z",
"modified": "2016-08-10T09:08:23.000Z",
"first_observed": "2016-08-10T09:08:23Z",
"last_observed": "2016-08-10T09:08:23Z",
"number_observed": 1,
"object_refs": [
"url--57aaef08-62dc-4948-ac44-473b950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57aaef08-62dc-4948-ac44-473b950d210f",
"value": "http://blog.deniable.org/blog/2016/08/09/cracking-orcus-rat/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57aaef3b-655c-4274-a59d-4572950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:09:15.000Z",
"modified": "2016-08-10T09:09:15.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "At first I thought I could be dealing with someone trying to \u00e2\u20ac\u02dcphish\u00e2\u20ac\u2122 me, but the offer was legit. Challenge accepted. The zip file I got is for version 1.4.2 (which is the latest version available at the \u00e2\u20ac\u02dcOrcus RAT\u00e2\u20ac\u2122 website, at the time of this writing). The zip file is massive. Here\u00e2\u20ac\u2122s the whole contents of the zip file."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57aaef5f-1808-4585-a00b-497c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:09:51.000Z",
"modified": "2016-08-10T09:09:51.000Z",
"description": "Orcus.Administration.exe",
"pattern": "[file:hashes.SHA256 = '4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-10T09:09:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57aaf016-8cf0-439a-b2a6-441002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:12:54.000Z",
"modified": "2016-08-10T09:12:54.000Z",
"description": "Orcus.Administration.exe - Xchecked via VT: 4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea",
"pattern": "[file:hashes.SHA1 = 'ea6d05abfce77d01a1a039c8bc97f973b6780f07']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-10T09:12:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57aaf016-ac94-4574-ba76-4b6a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:12:54.000Z",
"modified": "2016-08-10T09:12:54.000Z",
"description": "Orcus.Administration.exe - Xchecked via VT: 4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea",
"pattern": "[file:hashes.MD5 = 'd2140d8c9eb3889dee164f09014380d7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-10T09:12:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57aaf016-ade0-4582-afcc-4d4602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:12:54.000Z",
"modified": "2016-08-10T09:12:54.000Z",
"first_observed": "2016-08-10T09:12:54Z",
"last_observed": "2016-08-10T09:12:54Z",
"number_observed": 1,
"object_refs": [
"url--57aaf016-ade0-4582-afcc-4d4602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57aaf016-ade0-4582-afcc-4d4602de0b81",
"value": "https://www.virustotal.com/file/4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea/analysis/1467970246/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57aaf05f-b420-419c-bcc6-477d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:14:07.000Z",
"modified": "2016-08-10T09:14:07.000Z",
"first_observed": "2016-08-10T09:14:07Z",
"last_observed": "2016-08-10T09:14:07Z",
"number_observed": 1,
"object_refs": [
"url--57aaf05f-b420-419c-bcc6-477d950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57aaf05f-b420-419c-bcc6-477d950d210f",
"value": "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57aaf0e6-c11c-4aa5-99a0-4293950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:16:22.000Z",
"modified": "2016-08-10T09:16:22.000Z",
"description": "Sample",
"pattern": "[file:name = '4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea' AND file:hashes.SHA1 = 'ea6d05abfce77d01a1a039c8bc97f973b6780f07']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-10T09:16:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57aaf0e7-6fec-409e-9459-46ee950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-10T09:16:23.000Z",
"modified": "2016-08-10T09:16:23.000Z",
"description": "Sample",
"pattern": "[file:name = '4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea' AND file:hashes.SHA256 = '4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-10T09:16:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
}
]
}
Reference in a new issue View git blame Copy permalink