misp-circl-feed/feeds/circl/stix-2.1/5a54ca42-e9a0-4d71-a9e6-4f9b950d210f.json

{
    "type": "bundle",
    "id": "bundle--5a54ca42-e9a0-4d71-a9e6-4f9b950d210f",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-01-16T03:00:30.000Z",
            "modified": "2018-01-16T03:00:30.000Z",
            "name": "CIRCL",
            "identity_class": "organization"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--5a54ca42-e9a0-4d71-a9e6-4f9b950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-01-16T03:00:30.000Z",
            "modified": "2018-01-16T03:00:30.000Z",
            "name": "OSINT - Experts analyzed an Advanced \"all in memory\" CryptoWorm",
            "published": "2018-02-16T08:50:36Z",
            "object_refs": [
                "observed-data--5a54ca53-f374-44ba-9475-455f950d210f",
                "url--5a54ca53-f374-44ba-9475-455f950d210f",
                "x-misp-attribute--5a5c5cdc-dd14-4415-8ce3-4ae3950d210f",
                "indicator--5a5c5d76-21e8-42fd-8b34-4d39950d210f",
                "indicator--5a5c5d76-59e8-46ee-88b7-4240950d210f",
                "x-misp-attribute--5a5c5dfd-aaac-4c47-9eff-417d950d210f",
                "indicator--5a5c5e0f-4364-483b-98c3-4fad950d210f",
                "indicator--5a5c5e0f-0dac-46db-b486-4cbb950d210f",
                "indicator--5a5c5e62-827c-4ed3-94d6-4de0950d210f",
                "indicator--ef15fe55-96db-4f8e-a563-90107aa04fd8",
                "x-misp-object--f12256d2-41cd-4eb1-bbd1-fb0128573238",
                "indicator--d932fbce-6248-4955-bf1c-ddbd669a67b3",
                "x-misp-object--c46c80e3-a03a-497f-87ee-816333479203",
                "relationship--5ae1470d-89c7-4256-8b0f-b5eced96ea69",
                "relationship--8194e33a-10b9-4f65-b8b0-5c42b8d3b3e8"
            ],
            "labels": [
                "Threat-Report",
                "misp:tool=\"MISP-STIX-Converter\"",
                "osint:source-type=\"blog-post\""
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--5a54ca53-f374-44ba-9475-455f950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-01-15T09:34:09.000Z",
            "modified": "2018-01-15T09:34:09.000Z",
            "first_observed": "2018-01-15T09:34:09Z",
            "last_observed": "2018-01-15T09:34:09Z",
            "number_observed": 1,
            "object_refs": [
                "url--5a54ca53-f374-44ba-9475-455f950d210f"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\"",
                "osint:source-type=\"blog-post\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--5a54ca53-f374-44ba-9475-455f950d210f",
            "value": "http://securityaffairs.co/wordpress/63488/malware/advanced-memory-cryptoworm.html"
        },
        {
            "type": "x-misp-attribute",
            "spec_version": "2.1",
            "id": "x-misp-attribute--5a5c5cdc-dd14-4415-8ce3-4ae3950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-01-15T09:34:10.000Z",
            "modified": "2018-01-15T09:34:10.000Z",
            "labels": [
                "misp:type=\"comment\"",
                "misp:category=\"External analysis\"",
                "osint:source-type=\"blog-post\""
            ],
            "x_misp_category": "External analysis",
            "x_misp_type": "comment",
            "x_misp_value": "Today I want to share a nice Malware analysis having an interesting flow. The \u00e2\u20ac\u0153interesting\u00e2\u20ac\u009d adjective comes from the abilities the given sample owns. Capabilities of exploiting, hard obfuscations and usage of advanced techniques to steal credentials and run commands.\r\n\r\nThe analyzed sample has been provided by a colleague of mine (Alessandro) who received the first stage by eMail. A special thanks to Luca and Edoardo for having recognized XMRig during the last infection stage."
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5a5c5d76-21e8-42fd-8b34-4d39950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-01-15T09:34:10.000Z",
            "modified": "2018-01-15T09:34:10.000Z",
            "pattern": "[file:name = 'info6.ps1']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2018-01-15T09:34:10Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"filename\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5a5c5d76-59e8-46ee-88b7-4240950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-01-15T09:34:10.000Z",
            "modified": "2018-01-15T09:34:10.000Z",
            "pattern": "[url:value = 'http://118.184.48.95:8000/']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2018-01-15T09:34:10Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"url\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-attribute",
            "spec_version": "2.1",
            "id": "x-misp-attribute--5a5c5dfd-aaac-4c47-9eff-417d950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-01-15T09:34:11.000Z",
            "modified": "2018-01-15T09:34:11.000Z",
            "labels": [
                "misp:type=\"other\"",
                "misp:category=\"Financial fraud\""
            ],
            "x_misp_category": "Financial fraud",
            "x_misp_comment": "Monero Address",
            "x_misp_type": "other",
            "x_misp_value": "46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5a5c5e0f-4364-483b-98c3-4fad950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-01-15T07:53:51.000Z",
            "modified": "2018-01-15T07:53:51.000Z",
            "pattern": "[file:hashes.SHA256 = '19e15a4288e109405f0181d921d3645e4622c87c4050004357355b7a9bf862cc']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2018-01-15T07:53:51Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5a5c5e0f-0dac-46db-b486-4cbb950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-01-15T07:53:51.000Z",
            "modified": "2018-01-15T07:53:51.000Z",
            "pattern": "[file:hashes.SHA256 = '038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2018-01-15T07:53:51Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5a5c5e62-827c-4ed3-94d6-4de0950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-01-15T09:34:11.000Z",
            "modified": "2018-01-15T09:34:11.000Z",
            "pattern": "[file:name = 'y1.bat']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2018-01-15T09:34:11Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"filename\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--ef15fe55-96db-4f8e-a563-90107aa04fd8",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-01-15T09:34:14.000Z",
            "modified": "2018-01-15T09:34:14.000Z",
            "pattern": "[file:hashes.MD5 = '9ac3bdb9378cd1fafbb8e08def738481' AND file:hashes.SHA1 = '8da156580747bf9ef8fa4d1c42ee112ab743da69' AND file:hashes.SHA256 = '038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2018-01-15T09:34:14Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--f12256d2-41cd-4eb1-bbd1-fb0128573238",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-01-15T09:34:13.000Z",
            "modified": "2018-01-15T09:34:13.000Z",
            "labels": [
                "misp:name=\"virustotal-report\"",
                "misp:meta-category=\"misc\""
            ],
            "x_misp_attributes": [
                {
                    "type": "link",
                    "object_relation": "permalink",
                    "value": "https://www.virustotal.com/file/038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309/analysis/1513112352/",
                    "category": "External analysis",
                    "uuid": "5a5c7595-db48-49f6-84da-459f02de0b81"
                },
                {
                    "type": "text",
                    "object_relation": "detection-ratio",
                    "value": "47/67",
                    "category": "Other",
                    "uuid": "5a5c7595-4a78-4b7d-b6d0-422f02de0b81"
                },
                {
                    "type": "datetime",
                    "object_relation": "last-submission",
                    "value": "2017-12-12T20:59:12",
                    "category": "Other",
                    "uuid": "5a5c7596-3728-4530-b061-411f02de0b81"
                }
            ],
            "x_misp_meta_category": "misc",
            "x_misp_name": "virustotal-report"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--d932fbce-6248-4955-bf1c-ddbd669a67b3",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-01-15T09:34:17.000Z",
            "modified": "2018-01-15T09:34:17.000Z",
            "pattern": "[file:hashes.MD5 = '8365158c74008879df00a9d49e61aaea' AND file:hashes.SHA1 = '686761aff5e4efedbc5b2931c0f214d8ba7b9463' AND file:hashes.SHA256 = '19e15a4288e109405f0181d921d3645e4622c87c4050004357355b7a9bf862cc']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2018-01-15T09:34:17Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--c46c80e3-a03a-497f-87ee-816333479203",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2018-01-15T09:34:15.000Z",
            "modified": "2018-01-15T09:34:15.000Z",
            "labels": [
                "misp:name=\"virustotal-report\"",
                "misp:meta-category=\"misc\""
            ],
            "x_misp_attributes": [
                {
                    "type": "link",
                    "object_relation": "permalink",
                    "value": "https://www.virustotal.com/file/19e15a4288e109405f0181d921d3645e4622c87c4050004357355b7a9bf862cc/analysis/1513112312/",
                    "category": "External analysis",
                    "uuid": "5a5c7598-efc4-400f-9451-4f2502de0b81"
                },
                {
                    "type": "text",
                    "object_relation": "detection-ratio",
                    "value": "30/65",
                    "category": "Other",
                    "uuid": "5a5c7599-bbfc-49f5-bf91-417d02de0b81"
                },
                {
                    "type": "datetime",
                    "object_relation": "last-submission",
                    "value": "2017-12-12T20:58:32",
                    "category": "Other",
                    "uuid": "5a5c7599-ce88-4d2a-9ccd-446c02de0b81"
                }
            ],
            "x_misp_meta_category": "misc",
            "x_misp_name": "virustotal-report"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--5ae1470d-89c7-4256-8b0f-b5eced96ea69",
            "created": "2018-02-16T08:50:36.000Z",
            "modified": "2018-02-16T08:50:36.000Z",
            "relationship_type": "analysed-with",
            "source_ref": "indicator--ef15fe55-96db-4f8e-a563-90107aa04fd8",
            "target_ref": "x-misp-object--f12256d2-41cd-4eb1-bbd1-fb0128573238"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--8194e33a-10b9-4f65-b8b0-5c42b8d3b3e8",
            "created": "2018-02-16T08:50:36.000Z",
            "modified": "2018-02-16T08:50:36.000Z",
            "relationship_type": "analysed-with",
            "source_ref": "indicator--d932fbce-6248-4955-bf1c-ddbd669a67b3",
            "target_ref": "x-misp-object--c46c80e3-a03a-497f-87ee-816333479203"
        },
        {
            "type": "marking-definition",
            "spec_version": "2.1",
            "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
            "created": "2017-01-20T00:00:00.000Z",
            "definition_type": "tlp",
            "name": "TLP:WHITE",
            "definition": {
                "tlp": "white"
            }
        }
    ]
}