adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/580138b8-23f8-4c51-b788-4f3702de0b81.json

228 lines
No EOL
9.8 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--580138b8-23f8-4c51-b788-4f3702de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-14T20:03:42.000Z",
"modified": "2016-10-14T20:03:42.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--580138b8-23f8-4c51-b788-4f3702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-14T20:03:42.000Z",
"modified": "2016-10-14T20:03:42.000Z",
"name": "ELF Linux/NyaDrop",
"published": "2016-10-14T20:04:03Z",
"object_refs": [
"observed-data--580138c2-4584-48f1-b719-c28f02de0b81",
"url--580138c2-4584-48f1-b719-c28f02de0b81",
"x-misp-attribute--580138d4-bd1c-4701-9b0d-c2bb02de0b81",
"indicator--580138f3-4fe8-49b6-a630-c56c02de0b81",
"x-misp-attribute--5801396d-7f5c-4084-8125-c2bb02de0b81",
"indicator--580139b8-adac-46dc-a628-474702de0b81",
"indicator--580139e6-deec-4e3f-8d0c-cdc002de0b81",
"indicator--58013a1e-8b50-4121-b21d-cdbe02de0b81",
"observed-data--58013a1e-9bb0-4212-92b0-cdbe02de0b81",
"url--58013a1e-9bb0-4212-92b0-cdbe02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"circl:incident-classification=\"malware\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--580138c2-4584-48f1-b719-c28f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-14T19:57:54.000Z",
"modified": "2016-10-14T19:57:54.000Z",
"first_observed": "2016-10-14T19:57:54Z",
"last_observed": "2016-10-14T19:57:54Z",
"number_observed": 1,
"object_refs": [
"url--580138c2-4584-48f1-b719-c28f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--580138c2-4584-48f1-b719-c28f02de0b81",
"value": "http://blog.malwaremustdie.org/2016/10/mmd-0058-2016-elf-linuxnyadrop.html"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--580138d4-bd1c-4701-9b0d-c2bb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-14T19:58:12.000Z",
"modified": "2016-10-14T19:58:12.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Since the end of September 2016 I received a new type of attacks that aims the MIPS platform I provided to detect IoT attacks. I will call this threat as new ELF Linux/NyaDrop as per the name used by threat actor himself, for the \"nyadrop\" binary that is dropped in the compromised system.\r\n\r\nThis is not the \"really\" first time we're seeing this threat actually, in this year, some small events was detected on having these attacks which I ignored for some reasons, and on May 22th, me and hFiref0x of KernelMode was in a convo regarding to the threat which was detected. It was obviously the same threat (proof is as per picture below, thanks to hFiref0x for the ping that time)."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--580138f3-4fe8-49b6-a630-c56c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-14T19:58:50.000Z",
"modified": "2016-10-14T19:58:50.000Z",
"pattern": "[file:hashes.SHA256 = 'c3865eb1c211de6435d1352647c023c2606f9285d3304d54f17261a16bbec5ff']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-14T19:58:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5801396d-7f5c-4084-8125-c2bb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-14T20:00:45.000Z",
"modified": "2016-10-14T20:00:45.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Antivirus detection\""
],
"x_misp_category": "Antivirus detection",
"x_misp_type": "text",
"x_misp_value": "Linux/NyaDrop"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--580139b8-adac-46dc-a628-474702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-14T20:02:00.000Z",
"modified": "2016-10-14T20:02:00.000Z",
"pattern": "[network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '46.172.91.20']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-14T20:02:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--580139e6-deec-4e3f-8d0c-cdc002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-14T20:02:46.000Z",
"modified": "2016-10-14T20:02:46.000Z",
"description": "nyadrop",
"pattern": "[file:hashes.SHA1 = '095bb52056d00f0d93bba78e4b5b56313de7b79f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-14T20:02:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58013a1e-8b50-4121-b21d-cdbe02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-14T20:03:42.000Z",
"modified": "2016-10-14T20:03:42.000Z",
"description": "- Xchecked via VT: c3865eb1c211de6435d1352647c023c2606f9285d3304d54f17261a16bbec5ff",
"pattern": "[file:hashes.MD5 = '752e353a88b6e3e5e5a60891ba06a065']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-14T20:03:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58013a1e-9bb0-4212-92b0-cdbe02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-14T20:03:42.000Z",
"modified": "2016-10-14T20:03:42.000Z",
"first_observed": "2016-10-14T20:03:42Z",
"last_observed": "2016-10-14T20:03:42Z",
"number_observed": 1,
"object_refs": [
"url--58013a1e-9bb0-4212-92b0-cdbe02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58013a1e-9bb0-4212-92b0-cdbe02de0b81",
"value": "https://www.virustotal.com/file/c3865eb1c211de6435d1352647c023c2606f9285d3304d54f17261a16bbec5ff/analysis/1476430710/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink