115 lines
No EOL
5.6 KiB
JSON
115 lines
No EOL
5.6 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--5c1223df-3c00-45e4-8fd0-48c3950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-12-13T10:03:04.000Z",
|
|
"modified": "2018-12-13T10:03:04.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "grouping",
|
|
"spec_version": "2.1",
|
|
"id": "grouping--5c1223df-3c00-45e4-8fd0-48c3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-12-13T10:03:04.000Z",
|
|
"modified": "2018-12-13T10:03:04.000Z",
|
|
"name": "OSINT - New Version of Disk-Wiping Shamoon/Disttrack Spotted: What You Need to Know",
|
|
"context": "suspicious-activity",
|
|
"object_refs": [
|
|
"observed-data--5c122442-d114-4df8-b62a-4f37950d210f",
|
|
"url--5c122442-d114-4df8-b62a-4f37950d210f",
|
|
"x-misp-attribute--5c1224db-ac60-4d54-9084-4d4b950d210f",
|
|
"indicator--5c12297c-1368-4361-b757-4d1f950d210f"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"misp-galaxy:tool=\"Shamoon\"",
|
|
"type:OSINT",
|
|
"workflow:todo=\"expansion\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5c122442-d114-4df8-b62a-4f37950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-12-13T09:20:02.000Z",
|
|
"modified": "2018-12-13T09:20:02.000Z",
|
|
"first_observed": "2018-12-13T09:20:02Z",
|
|
"last_observed": "2018-12-13T09:20:02Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5c122442-d114-4df8-b62a-4f37950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5c122442-d114-4df8-b62a-4f37950d210f",
|
|
"value": "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/new-version-of-disk-wiping-shamoon-disttrack-spotted-what-you-need-to-know"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5c1224db-ac60-4d54-9084-4d4b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-12-13T09:22:35.000Z",
|
|
"modified": "2018-12-13T09:22:35.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "We came across external reports that the notorious, disk-wiping worm Shamoon, also known as Disttrack, has reemerged with an updated version. We were also able to source several samples of this version of Shamoon that Trend Micro detects as Trojan.Win32.DISTTRACK.AA and Trojan.Win64.DISTTRACK.AA. While there are no obvious indications that this new version is currently in the wild, we are further analyzing the malware to verify its functions and capabilities given its destructive impact."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c12297c-1368-4361-b757-4d1f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-12-13T09:42:20.000Z",
|
|
"modified": "2018-12-13T09:42:20.000Z",
|
|
"pattern": "[file:name = '_tdibth.exe' AND file:name = 'mdmgcs_8.exe' AND file:name = 'prngt6_4.exe' AND file:name = 'prnsv0_56.exe' AND file:name = 'vsmxraid.exe' AND file:name = 'mdmusrk1g5.exe' AND file:name = 'arcx6u0.exe' AND file:name = 'netbxndxlg2.exe' AND file:name = 'tsprint_ibv.exe' AND file:name = 'wiacnt7001.exe' AND file:name = 'prnlx00ctl.exe' AND file:name = 'prncaz90x.exe' AND file:name = 'megasasop.exe' AND file:name = 'mdamx_5560.exe' AND file:name = 'averfix2h826d_noaverir.exe' AND file:name = 'hidirkbdmvs2.exe' AND file:name = 'af0038bdax.exe' AND file:name = 'acpipmi2z.exe' AND file:name = '_wialx002.exe' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-12-13T09:42:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |