misp-circl-feed/feeds/circl/stix-2.1/5c4cb9a7-0454-42eb-8f63-383368f8e8cf.json
{
"type": "bundle",
"id": "bundle--5c4cb9a7-0454-42eb-8f63-383368f8e8cf",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf",
"created": "2021-05-24T09:53:15.000Z",
"modified": "2021-05-24T09:53:15.000Z",
"name": "VK-Intel",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5c4cb9a7-0454-42eb-8f63-383368f8e8cf",
"created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf",
"created": "2021-05-24T09:53:15.000Z",
"modified": "2021-05-24T09:53:15.000Z",
"name": "2019-01-25: Lazarus Pakistan Toolkits",
"published": "2021-05-26T09:09:05Z",
"object_refs": [
"indicator--5c4cb9a7-3684-4f00-bff9-383368f8e8cf",
"indicator--5c4cba32-e9e4-4bbf-8396-383068f8e8cf",
"indicator--5c4cba32-070c-42ba-a0e0-383068f8e8cf",
"indicator--5c4cba32-0238-4c6d-b8e2-383068f8e8cf",
"indicator--5c4cba84-aed4-452e-8eb2-4e2768f8e8cf",
"indicator--5c4cba84-c3c8-422c-a870-4e2768f8e8cf",
"indicator--5c4cbbd2-1258-453f-b07d-383068f8e8cf",
"observed-data--5c4d8bce-3e80-4dc4-9820-436102de0b81",
"url--5c4d8bce-3e80-4dc4-9820-436102de0b81",
"observed-data--5c4d8bf5-85c8-4424-a35f-4dd602de0b81",
"url--5c4d8bf5-85c8-4424-a35f-4dd602de0b81",
"indicator--49032699-f4cf-4808-a272-9ca316968a35",
"x-misp-object--c3f88cfe-b795-4813-aaf3-3e8dcc5aceb6",
"indicator--a45c3106-dec5-404d-acfc-8d00abde20c1",
"x-misp-object--f8013005-dcd4-4c9f-9277-143df2440b9b",
"indicator--88a6f7a4-9334-4ba6-af2d-93defaae48d4",
"x-misp-object--de16e29f-b02f-4768-a6a2-18ea57310af0",
"relationship--67728ebc-2a75-4712-bdd1-18ccc60b56af",
"relationship--ccf37555-bbd1-41b4-8f33-662852a148f0",
"relationship--ac0677fc-db55-492c-a4cb-625235c717c0"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"Actor: Lazarus",
"DPRK",
"Malware: PowerRatankba,b",
"PowerShell Installer",
"Keylogger",
"Country: Pakistan",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"misp-galaxy:threat-actor=\"Lazarus Group\"",
"misp-galaxy:malpedia=\"PowerRatankba\"",
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Lazarus Group\"",
"misp-galaxy:malpedia=\"Lazarus\"",
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Lazarus Group - G0032\"",
"misp-galaxy:mitre-intrusion-set=\"Lazarus Group\"",
"misp-galaxy:tool=\"PowerRatankba\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c4cb9a7-3684-4f00-bff9-383368f8e8cf",
"created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf",
"created": "2019-01-26T19:48:55.000Z",
"modified": "2019-01-26T19:48:55.000Z",
"pattern": "[file:hashes.MD5 = 'c9ed87e9f99c631cda368f6f329ee27e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-26T19:48:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c4cba32-e9e4-4bbf-8396-383068f8e8cf",
"created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf",
"created": "2019-01-26T19:51:14.000Z",
"modified": "2019-01-26T19:51:14.000Z",
"description": "Lazarus Tools",
"pattern": "[file:hashes.MD5 = 'c9ed87e9f99c631cda368f6f329ee27e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-26T19:51:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c4cba32-070c-42ba-a0e0-383068f8e8cf",
"created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf",
"created": "2019-01-26T19:51:14.000Z",
"modified": "2019-01-26T19:51:14.000Z",
"description": "Lazarus Tools",
"pattern": "[file:hashes.MD5 = '5cc28f3f32e7274f13378a724a5ec33a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-26T19:51:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c4cba32-0238-4c6d-b8e2-383068f8e8cf",
"created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf",
"created": "2019-01-26T19:51:14.000Z",
"modified": "2019-01-26T19:51:14.000Z",
"description": "Lazarus Tools",
"pattern": "[file:hashes.MD5 = '2025d91c1cdd33db576b2c90ef4067c7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-26T19:51:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c4cba84-aed4-452e-8eb2-4e2768f8e8cf",
"created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf",
"created": "2019-01-26T19:52:36.000Z",
"modified": "2019-01-26T19:52:36.000Z",
"description": "C2",
"pattern": "[url:value = 'https://ecombox.store/tbl_add.php?action=cgetpsa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-26T19:52:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c4cba84-c3c8-422c-a870-4e2768f8e8cf",
"created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf",
"created": "2019-01-26T19:52:36.000Z",
"modified": "2019-01-26T19:52:36.000Z",
"description": "C2",
"pattern": "[url:value = 'https://ecombox.store/tbl_add.php?action=cgetrun']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-26T19:52:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c4cbbd2-1258-453f-b07d-383068f8e8cf",
"created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf",
"created": "2019-01-27T10:46:29.000Z",
"modified": "2019-01-27T10:46:29.000Z",
"description": "YARA rule for the Lazarus keylogger component (matches MZ executables carrying the PSLogger.dll / capture_x64.dll / PSLogger.exe strings together with the keylog format strings)",
"pattern": "rule APT_Lazarus_Keylogger {\r\n meta:\r\n description = \"Detects possible Lazarus Keylogger\"\r\n author = \"@VK_Intel\"\r\n date = \"2019-01-25\"\r\n strings:\r\n\t$s0 = \"%s%s\" fullword ascii wide\r\n\t$s1 = \"[ENTER]\" fullword ascii wide \r\n\t$s2 = \"[EX]\" fullword ascii wide\r\n\t$s3 = \"%02d:%02d\" fullword ascii wide\r\n \r\n \r\n\t$dll0 = \"PSLogger.dll\" fullword ascii wide\r\n\t$dll1 = \"capture_x64.dll\" fullword ascii wide \r\n\t$exe = \"PSLogger.exe\" fullword ascii wide\r\n \r\n condition:\r\n\tuint16(0) == 0x5a4d and all of ($s*) and (1 of ($dll*) or $exe)\r\n }",
"pattern_type": "yara",
"valid_from": "2019-01-27T10:46:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5c4d8bce-3e80-4dc4-9820-436102de0b81",
"created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf",
"created": "2019-01-27T10:50:55.000Z",
"modified": "2019-01-27T10:50:55.000Z",
"first_observed": "2019-01-27T10:50:55Z",
"last_observed": "2019-01-27T10:50:55Z",
"number_observed": 1,
"object_refs": [
"url--5c4d8bce-3e80-4dc4-9820-436102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"osint:certainty=\"75\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5c4d8bce-3e80-4dc4-9820-436102de0b81",
"value": "https://github.com/k-vitali/apt_lazarus_toolkits/blob/master/2019-01-26.lazarus_pakistan_misp_vk.json"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5c4d8bf5-85c8-4424-a35f-4dd602de0b81",
"created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf",
"created": "2019-01-27T10:50:54.000Z",
"modified": "2019-01-27T10:50:54.000Z",
"first_observed": "2019-01-27T10:50:54Z",
"last_observed": "2019-01-27T10:50:54Z",
"number_observed": 1,
"object_refs": [
"url--5c4d8bf5-85c8-4424-a35f-4dd602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"osint:certainty=\"75\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5c4d8bf5-85c8-4424-a35f-4dd602de0b81",
"value": "https://www.vkremez.com/2019/01/lets-learn-dissecting-lazarus.html"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--49032699-f4cf-4808-a272-9ca316968a35",
"created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf",
"created": "2019-01-27T10:47:15.000Z",
"modified": "2019-01-27T10:47:15.000Z",
"pattern": "[file:hashes.MD5 = 'c9ed87e9f99c631cda368f6f329ee27e' AND file:hashes.SHA1 = '943feef623db1143f4b9c957fee4c94753cfb6a5' AND file:hashes.SHA256 = '802efe9c41909354921009bd54be7dcf1ee14fcfaf62dacbcdaafbe051a711e3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-27T10:47:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--c3f88cfe-b795-4813-aaf3-3e8dcc5aceb6",
"created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf",
"created": "2019-01-27T10:47:16.000Z",
"modified": "2019-01-27T10:47:16.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-01-26T18:54:38",
"category": "Other",
"uuid": "7b3cc6f2-b07f-457e-b07b-d540d8411068"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/802efe9c41909354921009bd54be7dcf1ee14fcfaf62dacbcdaafbe051a711e3/analysis/1548528878/",
"category": "External analysis",
"uuid": "a0ecf930-b40e-4994-a828-67700f5f7c7e"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "2/56",
"category": "Other",
"uuid": "44dca040-d0e5-4292-9239-670b5be27c9b"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a45c3106-dec5-404d-acfc-8d00abde20c1",
"created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf",
"created": "2019-01-27T10:47:16.000Z",
"modified": "2019-01-27T10:47:16.000Z",
"pattern": "[file:hashes.MD5 = '2025d91c1cdd33db576b2c90ef4067c7' AND file:hashes.SHA1 = 'ec80c302c91c6caf5343cfd3fabf43b0bbd067a5' AND file:hashes.SHA256 = 'bed916831e8c9babfb6d08644058a61e3547d621f847c081309f616aed06c2fe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-27T10:47:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--f8013005-dcd4-4c9f-9277-143df2440b9b",
"created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf",
"created": "2019-01-27T10:47:16.000Z",
"modified": "2019-01-27T10:47:16.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-01-25T21:10:16",
"category": "Other",
"uuid": "44f0d1c6-d716-4e81-9349-5d1f1de27808"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/bed916831e8c9babfb6d08644058a61e3547d621f847c081309f616aed06c2fe/analysis/1548450616/",
"category": "External analysis",
"uuid": "2e44c2c4-bb77-4f87-a9d0-5162e7ce0712"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "3/68",
"category": "Other",
"uuid": "e80a9946-d609-4362-b9e4-ff861a117761"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--88a6f7a4-9334-4ba6-af2d-93defaae48d4",
"created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf",
"created": "2019-01-27T10:47:16.000Z",
"modified": "2019-01-27T10:47:16.000Z",
"pattern": "[file:hashes.MD5 = '5cc28f3f32e7274f13378a724a5ec33a' AND file:hashes.SHA1 = '32292b4e125287a6567e3879d53d0d8d82bcdf01' AND file:hashes.SHA256 = '18f0ad8c58558d6eb8129f32cbc2905d0b63822185506b7c3bca49d423d837c7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-27T10:47:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--de16e29f-b02f-4768-a6a2-18ea57310af0",
"created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf",
"created": "2019-01-27T10:47:16.000Z",
"modified": "2019-01-27T10:47:16.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-01-26T22:25:46",
"category": "Other",
"uuid": "e37a032b-0abd-4860-a6fd-5e6a98537472"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/18f0ad8c58558d6eb8129f32cbc2905d0b63822185506b7c3bca49d423d837c7/analysis/1548541546/",
"category": "External analysis",
"uuid": "4c46bec8-3b2d-4494-a2de-12288573a536"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "3/56",
"category": "Other",
"uuid": "ab18849e-cd56-4123-b59e-5086417c0d7f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--67728ebc-2a75-4712-bdd1-18ccc60b56af",
"created": "2021-05-24T09:53:15.000Z",
"modified": "2021-05-24T09:53:15.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--49032699-f4cf-4808-a272-9ca316968a35",
"target_ref": "x-misp-object--c3f88cfe-b795-4813-aaf3-3e8dcc5aceb6"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--ccf37555-bbd1-41b4-8f33-662852a148f0",
"created": "2021-05-24T09:53:15.000Z",
"modified": "2021-05-24T09:53:15.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--a45c3106-dec5-404d-acfc-8d00abde20c1",
"target_ref": "x-misp-object--f8013005-dcd4-4c9f-9277-143df2440b9b"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--ac0677fc-db55-492c-a4cb-625235c717c0",
"created": "2021-05-24T09:53:15.000Z",
"modified": "2021-05-24T09:53:15.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--88a6f7a4-9334-4ba6-af2d-93defaae48d4",
"target_ref": "x-misp-object--de16e29f-b02f-4768-a6a2-18ea57310af0"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}