misp-circl-feed/feeds/circl/stix-2.1/588df693-0480-41bd-b8fd-4e9302de0b81.json


{
"type": "bundle",
"id": "bundle--588df693-0480-41bd-b8fd-4e9302de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:32:35.000Z",
"modified": "2017-01-29T14:32:35.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--588df693-0480-41bd-b8fd-4e9302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:32:35.000Z",
"modified": "2017-01-29T14:32:35.000Z",
"name": "OSINT - #OCJP-133: Hancitorマルウェア感染 と ハッキングされたWordpress",
"published": "2017-01-29T14:58:16Z",
"object_refs": [
"observed-data--588df77f-b26c-4985-9fbc-8c6f02de0b81",
"url--588df77f-b26c-4985-9fbc-8c6f02de0b81",
"observed-data--588df837-b088-4518-9cd0-404a02de0b81",
"url--588df837-b088-4518-9cd0-404a02de0b81",
"indicator--588dfbdc-32e0-4688-a878-424202de0b81",
"indicator--588dfbdd-0c94-439c-9612-4d8002de0b81",
"indicator--588dfbde-0244-46c1-8a74-47b602de0b81",
"indicator--588dfbde-eee8-4585-b7d1-4d9f02de0b81",
"indicator--588dfbdf-aa44-4f47-ad24-49a702de0b81",
"indicator--588dfbe0-f6cc-4473-a496-4cd902de0b81",
"indicator--588dfbe1-e7d0-4a5c-99ee-4a7802de0b81",
"indicator--588dfbe1-5db4-4f29-b1f9-412a02de0b81",
"indicator--588dfbe2-e548-4a27-aed8-476702de0b81",
"indicator--588dfbe3-c8a8-40c3-84e1-482f02de0b81",
"indicator--588dfbe4-c12c-4d5c-9e82-427a02de0b81",
"indicator--588dfbe4-1738-4dd0-aa7f-4c0502de0b81",
"indicator--588dfbe5-8160-441b-ad1b-44f602de0b81",
"indicator--588dfc1f-1c44-41e7-8248-8c6c02de0b81",
"indicator--588dfc1f-6304-454c-86b0-8c6c02de0b81",
"observed-data--588dfc20-fa44-4d8d-b90d-8c6c02de0b81",
"url--588dfc20-fa44-4d8d-b90d-8c6c02de0b81",
"indicator--588dfc21-d5f0-45fa-98f5-8c6c02de0b81",
"indicator--588dfc21-a46c-49f3-8ef5-8c6c02de0b81",
"observed-data--588dfc22-003c-4f2b-a084-8c6c02de0b81",
"url--588dfc22-003c-4f2b-a084-8c6c02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"Hancitor\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588df77f-b26c-4985-9fbc-8c6f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:11:15.000Z",
"modified": "2017-01-29T14:11:15.000Z",
"first_observed": "2017-01-29T14:11:15Z",
"last_observed": "2017-01-29T14:11:15Z",
"number_observed": 1,
"object_refs": [
"url--588df77f-b26c-4985-9fbc-8c6f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"admiralty-scale:source-reliability=\"b\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--588df77f-b26c-4985-9fbc-8c6f02de0b81",
"value": "http://blog.0day.jp/2017/01/ocjp-133-hancitorwordpress.html"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588df837-b088-4518-9cd0-404a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:23:57.000Z",
"modified": "2017-01-29T14:23:57.000Z",
"first_observed": "2017-01-29T14:23:57Z",
"last_observed": "2017-01-29T14:23:57Z",
"number_observed": 1,
"object_refs": [
"url--588df837-b088-4518-9cd0-404a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"block-or-filter-list\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--588df837-b088-4518-9cd0-404a02de0b81",
"value": "https://otx.alienvault.com/pulse/588dc57f5aa00d150559d1e1/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588dfbdc-32e0-4688-a878-424202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:32:35.000Z",
"modified": "2017-01-29T14:32:35.000Z",
"description": "Hancitor CNC, Trojan Fareit CNC",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.169.190.104']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-29T14:32:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-type=\"proxy\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588dfbdd-0c94-439c-9612-4d8002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:27:41.000Z",
"modified": "2017-01-29T14:27:41.000Z",
"description": "Zeus/Pony Panel/CNC",
"pattern": "[domain-name:value = 'rowatterding.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-29T14:27:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588dfbde-0244-46c1-8a74-47b602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:27:42.000Z",
"modified": "2017-01-29T14:27:42.000Z",
"description": "Zeus/Pony Panel/CNC",
"pattern": "[domain-name:value = 'fortrittotfor.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-29T14:27:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588dfbde-eee8-4585-b7d1-4d9f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:27:42.000Z",
"modified": "2017-01-29T14:27:42.000Z",
"description": "Zeus/Pony Panel/CNC",
"pattern": "[domain-name:value = 'fortmamuchco.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-29T14:27:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588dfbdf-aa44-4f47-ad24-49a702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:27:43.000Z",
"modified": "2017-01-29T14:27:43.000Z",
"description": "Hancitor CNC, Trojan Fareit CNC",
"pattern": "[domain-name:value = 'howbetmarow.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-29T14:27:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588dfbe0-f6cc-4473-a496-4cd902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:31:53.000Z",
"modified": "2017-01-29T14:31:53.000Z",
"description": "Zeus/Pony Panel/CNC",
"pattern": "[domain-name:value = 'aningronbut.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-29T14:31:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-type=\"panel\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588dfbe1-e7d0-4a5c-99ee-4a7802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:32:03.000Z",
"modified": "2017-01-29T14:32:03.000Z",
"description": "Zeus/Pony Panel/CNC",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '46.166.172.105']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-29T14:32:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-type=\"panel\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588dfbe1-5db4-4f29-b1f9-412a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:32:15.000Z",
"modified": "2017-01-29T14:32:15.000Z",
"description": "ZeusPanel and also Trojan Fareit CNC",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '62.76.89.178']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-29T14:32:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-type=\"panel\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588dfbe2-e548-4a27-aed8-476702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:27:46.000Z",
"modified": "2017-01-29T14:27:46.000Z",
"description": "Hancitor DOC Malware Hash",
"pattern": "[file:hashes.SHA1 = '7085d46b2fb3763464c63918f16f534e2d86a7fb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-29T14:27:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588dfbe3-c8a8-40c3-84e1-482f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:27:47.000Z",
"modified": "2017-01-29T14:27:47.000Z",
"description": "Hancitor DLL Malware Hash",
"pattern": "[file:hashes.SHA1 = '8b3a8d24022fe6ee4292b36efa62f95ae4bdda53']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-29T14:27:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588dfbe4-c12c-4d5c-9e82-427a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:27:48.000Z",
"modified": "2017-01-29T14:27:48.000Z",
"pattern": "[url:value = 'http://howbetmarow.ru/ls5/forum.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-29T14:27:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588dfbe4-1738-4dd0-aa7f-4c0502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:27:48.000Z",
"modified": "2017-01-29T14:27:48.000Z",
"pattern": "[url:value = 'http://howbetmarow.ru/klu/forum.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-29T14:27:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588dfbe5-8160-441b-ad1b-44f602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:27:49.000Z",
"modified": "2017-01-29T14:27:49.000Z",
"pattern": "[url:value = 'http://aningronbut.ru/bdk/gate.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-29T14:27:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588dfc1f-1c44-41e7-8248-8c6c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:28:47.000Z",
"modified": "2017-01-29T14:28:47.000Z",
"description": "Hancitor DLL Malware Hash - Xchecked via VT: 8b3a8d24022fe6ee4292b36efa62f95ae4bdda53",
"pattern": "[file:hashes.SHA256 = 'edd954f233c0f72ecf4beb0e63177969a297c6ee8e1da2bcc90924b922da0d88']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-29T14:28:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588dfc1f-6304-454c-86b0-8c6c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:28:47.000Z",
"modified": "2017-01-29T14:28:47.000Z",
"description": "Hancitor DLL Malware Hash - Xchecked via VT: 8b3a8d24022fe6ee4292b36efa62f95ae4bdda53",
"pattern": "[file:hashes.MD5 = 'fb436eeb13a673a30cbadbf781db4add']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-29T14:28:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588dfc20-fa44-4d8d-b90d-8c6c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:28:48.000Z",
"modified": "2017-01-29T14:28:48.000Z",
"first_observed": "2017-01-29T14:28:48Z",
"last_observed": "2017-01-29T14:28:48Z",
"number_observed": 1,
"object_refs": [
"url--588dfc20-fa44-4d8d-b90d-8c6c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--588dfc20-fa44-4d8d-b90d-8c6c02de0b81",
"value": "https://www.virustotal.com/file/edd954f233c0f72ecf4beb0e63177969a297c6ee8e1da2bcc90924b922da0d88/analysis/1485679503/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588dfc21-d5f0-45fa-98f5-8c6c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:28:49.000Z",
"modified": "2017-01-29T14:28:49.000Z",
"description": "Hancitor DOC Malware Hash - Xchecked via VT: 7085d46b2fb3763464c63918f16f534e2d86a7fb",
"pattern": "[file:hashes.SHA256 = '190140f672fa138a01e4928714ff8b3c0bc0baabeb36ced9c9801dd032cdfe51']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-29T14:28:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588dfc21-a46c-49f3-8ef5-8c6c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:28:49.000Z",
"modified": "2017-01-29T14:28:49.000Z",
"description": "Hancitor DOC Malware Hash - Xchecked via VT: 7085d46b2fb3763464c63918f16f534e2d86a7fb",
"pattern": "[file:hashes.MD5 = 'c0a0a6be5dbb5ce5ba08ea01fbd87e42']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-29T14:28:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588dfc22-003c-4f2b-a084-8c6c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-29T14:28:50.000Z",
"modified": "2017-01-29T14:28:50.000Z",
"first_observed": "2017-01-29T14:28:50Z",
"last_observed": "2017-01-29T14:28:50Z",
"number_observed": 1,
"object_refs": [
"url--588dfc22-003c-4f2b-a084-8c6c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--588dfc22-003c-4f2b-a084-8c6c02de0b81",
"value": "https://www.virustotal.com/file/190140f672fa138a01e4928714ff8b3c0bc0baabeb36ced9c9801dd032cdfe51/analysis/1485523743/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}