307 lines
No EOL
13 KiB
JSON
307 lines
No EOL
13 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--596724b6-83dc-417f-962a-4cc8950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-07-13T08:17:31.000Z",
|
|
"modified": "2017-07-13T08:17:31.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--596724b6-83dc-417f-962a-4cc8950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-07-13T08:17:31.000Z",
|
|
"modified": "2017-07-13T08:17:31.000Z",
|
|
"name": "OSINT - LockPoS Joins the Flock",
|
|
"published": "2017-07-13T08:17:56Z",
|
|
"object_refs": [
|
|
"observed-data--5967252b-5fe0-4a7d-8d4d-44ff950d210f",
|
|
"url--5967252b-5fe0-4a7d-8d4d-44ff950d210f",
|
|
"x-misp-attribute--5967254e-9ac8-45bc-8b14-417b950d210f",
|
|
"x-misp-attribute--59672c22-9c8c-4123-a747-4ad1950d210f",
|
|
"indicator--59672c3f-6678-412c-a543-436b950d210f",
|
|
"indicator--59672c67-e798-4996-9533-45a1950d210f",
|
|
"indicator--59672c87-d8d0-4cf5-92ac-427002de0b81",
|
|
"indicator--59672c87-8068-45a5-8285-472102de0b81",
|
|
"observed-data--59672c88-e380-4b6f-9a68-4ec202de0b81",
|
|
"url--59672c88-e380-4b6f-9a68-4ec202de0b81",
|
|
"indicator--59672c88-67fc-4e04-9113-4f1302de0b81",
|
|
"indicator--59672c88-c918-456d-b4d4-4ab202de0b81",
|
|
"observed-data--59672c88-d000-4c09-b3e8-464002de0b81",
|
|
"url--59672c88-d000-4c09-b3e8-464002de0b81"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5967252b-5fe0-4a7d-8d4d-44ff950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-07-13T08:17:31.000Z",
|
|
"modified": "2017-07-13T08:17:31.000Z",
|
|
"first_observed": "2017-07-13T08:17:31Z",
|
|
"last_observed": "2017-07-13T08:17:31Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5967252b-5fe0-4a7d-8d4d-44ff950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5967252b-5fe0-4a7d-8d4d-44ff950d210f",
|
|
"value": "https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5967254e-9ac8-45bc-8b14-417b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-07-13T08:17:31.000Z",
|
|
"modified": "2017-07-13T08:17:31.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "While revisiting a Flokibot campaign that was targeting point of sale (PoS) systems in Brazil earlier this year, we discovered something interesting. One of the command and control (C2) servers that had been dormant for quite some time had suddenly woken up and started distributing what looks to be a new PoS malware family we\u00e2\u20ac\u2122re calling LockPoS. This post opens the lock up and takes a look inside."
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--59672c22-9c8c-4123-a747-4ad1950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-07-13T08:17:11.000Z",
|
|
"modified": "2017-07-13T08:17:11.000Z",
|
|
"labels": [
|
|
"misp:type=\"pdb\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
],
|
|
"x_misp_category": "Artifacts dropped",
|
|
"x_misp_type": "pdb",
|
|
"x_misp_value": "%USERPROFILE%\\Desktop\\key\\dropper\\Release\\dropper.pdb"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59672c3f-6678-412c-a543-436b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-07-13T08:17:11.000Z",
|
|
"modified": "2017-07-13T08:17:11.000Z",
|
|
"pattern": "[file:hashes.SHA256 = 'a970842fc7c221fade06c54551c000c0bc494e9e188deb9c570be7c6f95284fa']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-07-13T08:17:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59672c67-e798-4996-9533-45a1950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-07-13T08:17:11.000Z",
|
|
"modified": "2017-07-13T08:17:11.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '93c11f9b87b2b04f8dadb6a579e2046a69073a244fd4a71a10b1f1fbff36c488']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-07-13T08:17:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59672c87-d8d0-4cf5-92ac-427002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-07-13T08:17:11.000Z",
|
|
"modified": "2017-07-13T08:17:11.000Z",
|
|
"description": "- Xchecked via VT: a970842fc7c221fade06c54551c000c0bc494e9e188deb9c570be7c6f95284fa",
|
|
"pattern": "[file:hashes.SHA1 = 'f9484baf6f7194248a388d41dfd06543b3dc5d26']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-07-13T08:17:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59672c87-8068-45a5-8285-472102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-07-13T08:17:11.000Z",
|
|
"modified": "2017-07-13T08:17:11.000Z",
|
|
"description": "- Xchecked via VT: a970842fc7c221fade06c54551c000c0bc494e9e188deb9c570be7c6f95284fa",
|
|
"pattern": "[file:hashes.MD5 = '624f84a9d8979789c630327a6b08c7c6']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-07-13T08:17:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59672c88-e380-4b6f-9a68-4ec202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-07-13T08:17:12.000Z",
|
|
"modified": "2017-07-13T08:17:12.000Z",
|
|
"first_observed": "2017-07-13T08:17:12Z",
|
|
"last_observed": "2017-07-13T08:17:12Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59672c88-e380-4b6f-9a68-4ec202de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59672c88-e380-4b6f-9a68-4ec202de0b81",
|
|
"value": "https://www.virustotal.com/file/a970842fc7c221fade06c54551c000c0bc494e9e188deb9c570be7c6f95284fa/analysis/1499924910/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59672c88-67fc-4e04-9113-4f1302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-07-13T08:17:12.000Z",
|
|
"modified": "2017-07-13T08:17:12.000Z",
|
|
"description": "- Xchecked via VT: 93c11f9b87b2b04f8dadb6a579e2046a69073a244fd4a71a10b1f1fbff36c488",
|
|
"pattern": "[file:hashes.SHA1 = '419311da2ef6b2a9ca27dba3241a0d62a4e25848']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-07-13T08:17:12Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59672c88-c918-456d-b4d4-4ab202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-07-13T08:17:12.000Z",
|
|
"modified": "2017-07-13T08:17:12.000Z",
|
|
"description": "- Xchecked via VT: 93c11f9b87b2b04f8dadb6a579e2046a69073a244fd4a71a10b1f1fbff36c488",
|
|
"pattern": "[file:hashes.MD5 = '3d0f6367f1fedfc08734b35200c7abf9']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-07-13T08:17:12Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59672c88-d000-4c09-b3e8-464002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-07-13T08:17:12.000Z",
|
|
"modified": "2017-07-13T08:17:12.000Z",
|
|
"first_observed": "2017-07-13T08:17:12Z",
|
|
"last_observed": "2017-07-13T08:17:12Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59672c88-d000-4c09-b3e8-464002de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59672c88-d000-4c09-b3e8-464002de0b81",
|
|
"value": "https://www.virustotal.com/file/93c11f9b87b2b04f8dadb6a579e2046a69073a244fd4a71a10b1f1fbff36c488/analysis/1499919639/"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |