misp-circl-feed/feeds/circl/stix-2.1/5870f5e0-ff9c-414f-ad38-46d4950d210f.json

434 lines
No EOL
19 KiB
JSON

{
"type": "bundle",
"id": "bundle--5870f5e0-ff9c-414f-ad38-46d4950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:12:19.000Z",
"modified": "2017-01-07T14:12:19.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5870f5e0-ff9c-414f-ad38-46d4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:12:19.000Z",
"modified": "2017-01-07T14:12:19.000Z",
"name": "OSINT - The curious case of a Sundown EK variant dropping a Cryptocurrency Miner",
"published": "2017-01-07T14:12:49Z",
"object_refs": [
"observed-data--5870f60d-a3cc-49c4-b039-4cf7950d210f",
"url--5870f60d-a3cc-49c4-b039-4cf7950d210f",
"x-misp-attribute--5870f62d-ce08-476c-9679-487d950d210f",
"indicator--5870f64b-7e14-4246-8a21-4b78950d210f",
"indicator--5870f64b-2f3c-46bb-b17e-483b950d210f",
"indicator--5870f64c-9efc-4747-8a05-4955950d210f",
"x-misp-attribute--5870f681-170c-4155-8339-4df7950d210f",
"indicator--5870f6f1-e8cc-4c33-ab88-4840950d210f",
"indicator--5870f6fe-c400-4386-8952-4eec02de0b81",
"indicator--5870f6ff-8d84-4239-97c4-485302de0b81",
"observed-data--5870f6ff-374c-470d-9a07-417802de0b81",
"url--5870f6ff-374c-470d-9a07-417802de0b81",
"indicator--5870f700-7a9c-4102-a5c1-4f2902de0b81",
"indicator--5870f701-26f0-4fc5-b27f-49ab02de0b81",
"observed-data--5870f701-7850-40e5-9965-4a5702de0b81",
"url--5870f701-7850-40e5-9965-4a5702de0b81",
"indicator--5870f702-ceb8-45fe-b8f0-468d02de0b81",
"indicator--5870f703-6b48-4ba7-b8ba-400302de0b81",
"observed-data--5870f704-7df0-425d-886f-493c02de0b81",
"url--5870f704-7df0-425d-886f-493c02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\"",
"misp-galaxy:exploit-kit=\"Sundown\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5870f60d-a3cc-49c4-b039-4cf7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:07:09.000Z",
"modified": "2017-01-07T14:07:09.000Z",
"first_observed": "2017-01-07T14:07:09Z",
"last_observed": "2017-01-07T14:07:09Z",
"number_observed": 1,
"object_refs": [
"url--5870f60d-a3cc-49c4-b039-4cf7950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5870f60d-a3cc-49c4-b039-4cf7950d210f",
"value": "https://blog.malwarebytes.com/cybercrime/2017/01/the-curious-case-of-a-sundown-ek-variant-dropping-a-cryptocurrency-miner/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5870f62d-ce08-476c-9679-487d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:07:41.000Z",
"modified": "2017-01-07T14:07:41.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "We recently encountered an atypical case of Sundown EK in the wild \u00e2\u20ac\u201c usually the landing page is obfuscated, but in this case there was plain JavaScript. The exploit was dropping some malicious payloads that we took for further analysis. It turned out that they are also atypical by many means. In this article, we will describe the details of our investigation."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f64b-7e14-4246-8a21-4b78950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:08:11.000Z",
"modified": "2017-01-07T14:08:11.000Z",
"description": "original sample, dropped by EK (UPX packed)",
"pattern": "[file:hashes.MD5 = '0f597c738f2e1a58c03a69f66825fa80']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:08:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f64b-2f3c-46bb-b17e-483b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:08:11.000Z",
"modified": "2017-01-07T14:08:11.000Z",
"description": "payload (miner) \u00e2\u20ac\u201c UPX packed",
"pattern": "[file:hashes.MD5 = '22e4113fb0a9d136a56988f7a10c46b8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:08:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f64c-9efc-4747-8a05-4955950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:08:12.000Z",
"modified": "2017-01-07T14:08:12.000Z",
"description": "payload (miner) \u00e2\u20ac\u201c UPX layer removed",
"pattern": "[file:hashes.MD5 = '9f2c0ae3cb7ae032bd66f025fcb93f03']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:08:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5870f681-170c-4155-8339-4df7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:09:05.000Z",
"modified": "2017-01-07T14:09:05.000Z",
"labels": [
"misp:type=\"whois-registrant-email\"",
"misp:category=\"Attribution\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Attribution",
"x_misp_type": "whois-registrant-email",
"x_misp_value": "lovemonero2.worker@hotmail.com"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f6f1-e8cc-4c33-ab88-4840950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:10:57.000Z",
"modified": "2017-01-07T14:10:57.000Z",
"description": "The name of the user \u00e2\u20ac\u201c LoveMonero \u00e2\u20ac\u201c suggests that this application is not used to mine Bitcoins, but another cryptocurrency \u00e2\u20ac\u201c Monero. This choice makes sense, because the pool of bitcoins is more and more saturated \u00e2\u20ac\u201c and nowadays mining them is much more difficult and resource-consuming than it was in the past, when this currency was still young.",
"pattern": "[user-account:account_type = 'github' AND user-account:account_login = 'lovemonero']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:10:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Social network"
}
],
"labels": [
"misp:type=\"github-username\"",
"misp:category=\"Social network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f6fe-c400-4386-8952-4eec02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:11:10.000Z",
"modified": "2017-01-07T14:11:10.000Z",
"description": "original sample, dropped by EK (UPX packed) - Xchecked via VT: 0f597c738f2e1a58c03a69f66825fa80",
"pattern": "[file:hashes.SHA256 = '3826017cc19f829ccc17893803de42028cd1ebbd99dad24ab9ed984c9dae57b8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:11:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f6ff-8d84-4239-97c4-485302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:11:10.000Z",
"modified": "2017-01-07T14:11:10.000Z",
"description": "original sample, dropped by EK (UPX packed) - Xchecked via VT: 0f597c738f2e1a58c03a69f66825fa80",
"pattern": "[file:hashes.SHA1 = 'c18732f554b87ee6d866b9ee7a4d2fb202b1853f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:11:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5870f6ff-374c-470d-9a07-417802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:11:11.000Z",
"modified": "2017-01-07T14:11:11.000Z",
"first_observed": "2017-01-07T14:11:11Z",
"last_observed": "2017-01-07T14:11:11Z",
"number_observed": 1,
"object_refs": [
"url--5870f6ff-374c-470d-9a07-417802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5870f6ff-374c-470d-9a07-417802de0b81",
"value": "https://www.virustotal.com/file/3826017cc19f829ccc17893803de42028cd1ebbd99dad24ab9ed984c9dae57b8/analysis/1483650552/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f700-7a9c-4102-a5c1-4f2902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:11:12.000Z",
"modified": "2017-01-07T14:11:12.000Z",
"description": "payload (miner) \u00e2\u20ac\u201c UPX packed - Xchecked via VT: 22e4113fb0a9d136a56988f7a10c46b8",
"pattern": "[file:hashes.SHA256 = '30ba2cbe1202a96258d605d7318d1775d616b4bf3dcabd155b531128464daa2d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:11:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f701-26f0-4fc5-b27f-49ab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:11:13.000Z",
"modified": "2017-01-07T14:11:13.000Z",
"description": "payload (miner) \u00e2\u20ac\u201c UPX packed - Xchecked via VT: 22e4113fb0a9d136a56988f7a10c46b8",
"pattern": "[file:hashes.SHA1 = '046692b4c5bcceb8ce1cbe551018325f184af453']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:11:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5870f701-7850-40e5-9965-4a5702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:11:13.000Z",
"modified": "2017-01-07T14:11:13.000Z",
"first_observed": "2017-01-07T14:11:13Z",
"last_observed": "2017-01-07T14:11:13Z",
"number_observed": 1,
"object_refs": [
"url--5870f701-7850-40e5-9965-4a5702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5870f701-7850-40e5-9965-4a5702de0b81",
"value": "https://www.virustotal.com/file/30ba2cbe1202a96258d605d7318d1775d616b4bf3dcabd155b531128464daa2d/analysis/1483749344/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f702-ceb8-45fe-b8f0-468d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:11:14.000Z",
"modified": "2017-01-07T14:11:14.000Z",
"description": "payload (miner) \u00e2\u20ac\u201c UPX layer removed - Xchecked via VT: 9f2c0ae3cb7ae032bd66f025fcb93f03",
"pattern": "[file:hashes.SHA256 = '541888040a3c01902d646ba13a8d48bdf5d18da917820e1b06075beed205fd55']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:11:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f703-6b48-4ba7-b8ba-400302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:11:15.000Z",
"modified": "2017-01-07T14:11:15.000Z",
"description": "payload (miner) \u00e2\u20ac\u201c UPX layer removed - Xchecked via VT: 9f2c0ae3cb7ae032bd66f025fcb93f03",
"pattern": "[file:hashes.SHA1 = '92eda16f5af5c722fd31b735aa7ae45f2a1abe3b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:11:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5870f704-7df0-425d-886f-493c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:11:16.000Z",
"modified": "2017-01-07T14:11:16.000Z",
"first_observed": "2017-01-07T14:11:16Z",
"last_observed": "2017-01-07T14:11:16Z",
"number_observed": 1,
"object_refs": [
"url--5870f704-7df0-425d-886f-493c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5870f704-7df0-425d-886f-493c02de0b81",
"value": "https://www.virustotal.com/file/541888040a3c01902d646ba13a8d48bdf5d18da917820e1b06075beed205fd55/analysis/1483676986/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}