780 lines
No EOL
33 KiB
JSON
780 lines
No EOL
33 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--355c00b3-a85f-4a6c-850f-95bc7357abd1",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:21:42.000Z",
|
|
"modified": "2020-09-22T12:21:42.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--355c00b3-a85f-4a6c-850f-95bc7357abd1",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:21:42.000Z",
|
|
"modified": "2020-09-22T12:21:42.000Z",
|
|
"name": "Linux/CDRThief\u2009\u2014\u2009Indicators of Compromise - Who is calling? CDRThief targets Linux VoIP softswitches",
|
|
"published": "2020-09-22T12:23:24Z",
|
|
"object_refs": [
|
|
"indicator--50cd9c70-16e3-4d80-a63f-6a8cccc82068",
|
|
"indicator--3e5b904b-5895-4b38-a3fe-3f1c45556e2d",
|
|
"indicator--0e0e63a2-2df9-48bf-a051-033dc07e1c28",
|
|
"indicator--4bc87d38-3261-47a3-8aed-2f4e6d6a90b9",
|
|
"observed-data--d0bc874d-f910-42af-8487-49d59744ac09",
|
|
"url--d0bc874d-f910-42af-8487-49d59744ac09",
|
|
"indicator--e709726a-d154-43ef-86c7-18eb24a81774",
|
|
"indicator--7bba10cd-0db9-4236-8351-3e592852b524",
|
|
"indicator--23f961d6-6059-47a4-854e-9122fe8ad07e",
|
|
"indicator--509ee329-28fd-433e-866e-8756879ee048",
|
|
"indicator--19c40342-9c51-4d22-863a-aa043f160819",
|
|
"indicator--3f66f469-98f7-40d5-b7a8-f8107c5f494a",
|
|
"indicator--bc967985-2f6a-4ddd-bdf2-65742ffc89c6",
|
|
"indicator--a753b1c5-18cd-4f49-903a-dbec8618f0c6",
|
|
"indicator--d4470b8f-b772-415b-a89a-b22c25431d9f",
|
|
"indicator--aeb2152e-d589-4dce-8691-2eb1b25b0430",
|
|
"observed-data--b520b0c5-ba26-4f60-8ad4-77a9dd37987e",
|
|
"url--b520b0c5-ba26-4f60-8ad4-77a9dd37987e",
|
|
"x-misp-object--88331ce0-09ff-4c8a-93c5-3e27fc8e287c",
|
|
"indicator--f782bda7-4bcb-4ad0-8c2f-2c5f18863652",
|
|
"x-misp-object--b53bd1ed-b1e6-46ac-b34d-3bbe67107eae",
|
|
"indicator--0bc9fcae-fc75-4910-a8c0-61949bd76bb9",
|
|
"x-misp-object--32b7a65f-d4d2-4920-a244-29c98222f6ff",
|
|
"indicator--10b7197c-b557-4d29-a593-8f81e682c400",
|
|
"x-misp-object--1752315a-8a3b-4114-badf-c204312c304b",
|
|
"indicator--4e2be21d-c114-470c-8845-572d708cdbec",
|
|
"x-misp-object--25558597-1dd5-4fb9-99b6-53db526d0e6e",
|
|
"relationship--3deb05e0-10f6-465e-8ca2-8378c1afec11",
|
|
"relationship--9c98184c-3cc9-46f3-a531-943fb1c7f6af",
|
|
"relationship--9e887e2a-1e70-426e-8f60-481c0e7b9d39",
|
|
"relationship--3d8d31ff-247c-42a8-974c-3a6a67fff805"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"type:OSINT",
|
|
"osint:lifetime=\"perpetual\"",
|
|
"osint:certainty=\"50\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--50cd9c70-16e3-4d80-a63f-6a8cccc82068",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:15:24.000Z",
|
|
"modified": "2020-09-22T12:15:24.000Z",
|
|
"pattern": "[file:hashes.SHA1 = 'cc373d633a16817f7d21372c56955923c9dda825']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2020-09-22T12:15:24Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--3e5b904b-5895-4b38-a3fe-3f1c45556e2d",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:15:24.000Z",
|
|
"modified": "2020-09-22T12:15:24.000Z",
|
|
"description": "(UPX packed)",
|
|
"pattern": "[file:hashes.SHA1 = '8e2624da4d209abd3364d90f7bc08230f84510db']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2020-09-22T12:15:24Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--0e0e63a2-2df9-48bf-a051-033dc07e1c28",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:15:24.000Z",
|
|
"modified": "2020-09-22T12:15:24.000Z",
|
|
"pattern": "[file:hashes.SHA1 = 'fc7ccabb239ad6fd22472e5b7bb6a5773b7a3dac']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2020-09-22T12:15:24Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--4bc87d38-3261-47a3-8aed-2f4e6d6a90b9",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:15:24.000Z",
|
|
"modified": "2020-09-22T12:15:24.000Z",
|
|
"description": "(Corrupted)",
|
|
"pattern": "[file:hashes.SHA1 = '8532e858eb24ae38632091d2d790a1299b7bbc87']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2020-09-22T12:15:24Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--d0bc874d-f910-42af-8487-49d59744ac09",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:15:44.000Z",
|
|
"modified": "2020-09-22T12:15:44.000Z",
|
|
"first_observed": "2020-09-22T12:15:44Z",
|
|
"last_observed": "2020-09-22T12:15:44Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--d0bc874d-f910-42af-8487-49d59744ac09"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--d0bc874d-f910-42af-8487-49d59744ac09",
|
|
"value": "https://github.com/eset/malware-ioc/tree/master/cdrthief"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--e709726a-d154-43ef-86c7-18eb24a81774",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:16:04.000Z",
|
|
"modified": "2020-09-22T12:16:04.000Z",
|
|
"description": "C&C servers",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '119.29.173.65']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2020-09-22T12:16:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--7bba10cd-0db9-4236-8351-3e592852b524",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:16:04.000Z",
|
|
"modified": "2020-09-22T12:16:04.000Z",
|
|
"description": "C&C servers",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '129.211.157.244']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2020-09-22T12:16:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--23f961d6-6059-47a4-854e-9122fe8ad07e",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:16:04.000Z",
|
|
"modified": "2020-09-22T12:16:04.000Z",
|
|
"description": "C&C servers",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '129.226.134.180']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2020-09-22T12:16:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--509ee329-28fd-433e-866e-8756879ee048",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:16:04.000Z",
|
|
"modified": "2020-09-22T12:16:04.000Z",
|
|
"description": "C&C servers",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '150.109.79.136']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2020-09-22T12:16:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--19c40342-9c51-4d22-863a-aa043f160819",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:16:04.000Z",
|
|
"modified": "2020-09-22T12:16:04.000Z",
|
|
"description": "C&C servers",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '34.94.199.142']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2020-09-22T12:16:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--3f66f469-98f7-40d5-b7a8-f8107c5f494a",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:16:04.000Z",
|
|
"modified": "2020-09-22T12:16:04.000Z",
|
|
"description": "C&C servers",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '35.236.173.187']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2020-09-22T12:16:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--bc967985-2f6a-4ddd-bdf2-65742ffc89c6",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:16:57.000Z",
|
|
"modified": "2020-09-22T12:16:57.000Z",
|
|
"pattern": "[mutex:name = '/dev/shm/.bin']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2020-09-22T12:16:57Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"mutex\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--a753b1c5-18cd-4f49-903a-dbec8618f0c6",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:16:57.000Z",
|
|
"modified": "2020-09-22T12:16:57.000Z",
|
|
"pattern": "[mutex:name = '/dev/shm/.linux']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2020-09-22T12:16:57Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"mutex\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--d4470b8f-b772-415b-a89a-b22c25431d9f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:17:30.000Z",
|
|
"modified": "2020-09-22T12:17:30.000Z",
|
|
"pattern": "[file:name = '/dev/shm/callservice']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2020-09-22T12:17:30Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--aeb2152e-d589-4dce-8691-2eb1b25b0430",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:17:30.000Z",
|
|
"modified": "2020-09-22T12:17:30.000Z",
|
|
"pattern": "[file:name = '/dev/shm/sys.png']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2020-09-22T12:17:30Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--b520b0c5-ba26-4f60-8ad4-77a9dd37987e",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:21:25.000Z",
|
|
"modified": "2020-09-22T12:21:25.000Z",
|
|
"first_observed": "2020-09-22T12:21:25Z",
|
|
"last_observed": "2020-09-22T12:21:25Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--b520b0c5-ba26-4f60-8ad4-77a9dd37987e"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--b520b0c5-ba26-4f60-8ad4-77a9dd37987e",
|
|
"value": "https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--88331ce0-09ff-4c8a-93c5-3e27fc8e287c",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:19:10.000Z",
|
|
"modified": "2020-09-22T12:19:10.000Z",
|
|
"labels": [
|
|
"misp:name=\"crypto-material\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "text",
|
|
"value": "-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCQ3k3GgS3FX4pI7s9x0krBYqbMcSaw4BPY91Ln\r\ntt5/X8s9l0BC6PUTbQcUzs6PPXhKKTx8ph5CYQqdWynxOLJah0FMMRYxS8d0HX+Qx9eWUeKRHm2E\r\nAtZQjdHxqTJ9EBpHYWV4RrWmeoOsWAOisvedlb23O0E55e8rrGGrZLhPbwIDAQAB\r\n-----END PUBLIC KEY-----",
|
|
"category": "Other",
|
|
"uuid": "d54175fd-fa8c-4446-8b2c-548791780397"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "type",
|
|
"value": "RSA",
|
|
"category": "Other",
|
|
"uuid": "a31298ce-323c-49c0-84d7-2662b873a082"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "origin",
|
|
"value": "malware-extraction",
|
|
"category": "Other",
|
|
"uuid": "82b73e68-5afe-4e5c-9c52-38242f13c139"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "crypto-material"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--f782bda7-4bcb-4ad0-8c2f-2c5f18863652",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:20:29.000Z",
|
|
"modified": "2020-09-22T12:20:29.000Z",
|
|
"pattern": "[file:hashes.MD5 = '7124c56ab6d8133e2ed2042fb8c2248e' AND file:hashes.SHA1 = 'cc373d633a16817f7d21372c56955923c9dda825' AND file:hashes.SHA256 = '665acb48f9ad6317806231e52e5d3d05e91a93b20f40771a55e634192e8b094b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2020-09-22T12:20:29Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--b53bd1ed-b1e6-46ac-b34d-3bbe67107eae",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:20:29.000Z",
|
|
"modified": "2020-09-22T12:20:29.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2020-09-22T10:56:34+00:00",
|
|
"category": "Other",
|
|
"uuid": "9a8f52cd-f16e-49e5-a1ed-d019bbbd082d"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/gui/file/665acb48f9ad6317806231e52e5d3d05e91a93b20f40771a55e634192e8b094b/detection/f-665acb48f9ad6317806231e52e5d3d05e91a93b20f40771a55e634192e8b094b-1600772194",
|
|
"category": "Payload delivery",
|
|
"uuid": "1fa1ca4e-2145-4caf-8ab8-4ad2c1052100"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "32/62",
|
|
"category": "Payload delivery",
|
|
"uuid": "80c0cf1c-41e3-4ffa-9e48-374af830eaa4"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--0bc9fcae-fc75-4910-a8c0-61949bd76bb9",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:20:29.000Z",
|
|
"modified": "2020-09-22T12:20:29.000Z",
|
|
"pattern": "[file:hashes.MD5 = '926c77d3d9fdad7217a9b49bdf033336' AND file:hashes.SHA1 = '8e2624da4d209abd3364d90f7bc08230f84510db' AND file:hashes.SHA256 = 'ffe88d3012c15a680a506f0382264ea763ff2d426bf4ad3caf03111d47d9a80c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2020-09-22T12:20:29Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--32b7a65f-d4d2-4920-a244-29c98222f6ff",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:20:29.000Z",
|
|
"modified": "2020-09-22T12:20:29.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2020-09-22T10:56:43+00:00",
|
|
"category": "Other",
|
|
"comment": "(UPX packed)",
|
|
"uuid": "7d174551-08ad-4371-819b-4f5ff30ea7e7"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/gui/file/ffe88d3012c15a680a506f0382264ea763ff2d426bf4ad3caf03111d47d9a80c/detection/f-ffe88d3012c15a680a506f0382264ea763ff2d426bf4ad3caf03111d47d9a80c-1600772203",
|
|
"category": "Payload delivery",
|
|
"comment": "(UPX packed)",
|
|
"uuid": "da28f735-72f5-4fe2-9789-adae6df6294f"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "27/60",
|
|
"category": "Payload delivery",
|
|
"comment": "(UPX packed)",
|
|
"uuid": "83b1dbb1-0edf-4939-80d1-7a0635d14587"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--10b7197c-b557-4d29-a593-8f81e682c400",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:20:29.000Z",
|
|
"modified": "2020-09-22T12:20:29.000Z",
|
|
"pattern": "[file:hashes.MD5 = '444a5116c6e2b37b33066be16f3e7e6d' AND file:hashes.SHA1 = '8532e858eb24ae38632091d2d790a1299b7bbc87' AND file:hashes.SHA256 = 'af75687cb030418c3196d6535d10479bc45e4248d60d3427230381e0d09e5ca4']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2020-09-22T12:20:29Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--1752315a-8a3b-4114-badf-c204312c304b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:20:29.000Z",
|
|
"modified": "2020-09-22T12:20:29.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2020-09-22T10:56:33+00:00",
|
|
"category": "Other",
|
|
"comment": "(Corrupted)",
|
|
"uuid": "f1afdfdd-941e-4136-a79c-19c30e0c3301"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/gui/file/af75687cb030418c3196d6535d10479bc45e4248d60d3427230381e0d09e5ca4/detection/f-af75687cb030418c3196d6535d10479bc45e4248d60d3427230381e0d09e5ca4-1600772193",
|
|
"category": "Payload delivery",
|
|
"comment": "(Corrupted)",
|
|
"uuid": "46b3ca6a-2d76-4117-9317-92c3c5dd32d8"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "25/62",
|
|
"category": "Payload delivery",
|
|
"comment": "(Corrupted)",
|
|
"uuid": "df800269-bf3b-432d-b8b3-aea329ae0be8"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--4e2be21d-c114-470c-8845-572d708cdbec",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:20:29.000Z",
|
|
"modified": "2020-09-22T12:20:29.000Z",
|
|
"pattern": "[file:hashes.MD5 = '3339b8c4a522548b67fca732c54fa232' AND file:hashes.SHA1 = 'fc7ccabb239ad6fd22472e5b7bb6a5773b7a3dac' AND file:hashes.SHA256 = '6b15cf51e4dff3e25b805173eef88940dbeb52b2662bd265450e6e54d5bb84d6']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2020-09-22T12:20:29Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--25558597-1dd5-4fb9-99b6-53db526d0e6e",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2020-09-22T12:20:29.000Z",
|
|
"modified": "2020-09-22T12:20:29.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2020-09-22T10:56:24+00:00",
|
|
"category": "Other",
|
|
"uuid": "baf23e87-428f-4974-8764-e4bbcd5ea9b4"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/gui/file/6b15cf51e4dff3e25b805173eef88940dbeb52b2662bd265450e6e54d5bb84d6/detection/f-6b15cf51e4dff3e25b805173eef88940dbeb52b2662bd265450e6e54d5bb84d6-1600772184",
|
|
"category": "Payload delivery",
|
|
"uuid": "b397af60-d203-4dfe-bfad-d67bc45763ff"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "30/61",
|
|
"category": "Payload delivery",
|
|
"uuid": "f9400666-419d-444a-b2dd-bf8ea02c78e6"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--3deb05e0-10f6-465e-8ca2-8378c1afec11",
|
|
"created": "1970-01-01T00:00:00.000Z",
|
|
"modified": "1970-01-01T00:00:00.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--f782bda7-4bcb-4ad0-8c2f-2c5f18863652",
|
|
"target_ref": "x-misp-object--b53bd1ed-b1e6-46ac-b34d-3bbe67107eae"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--9c98184c-3cc9-46f3-a531-943fb1c7f6af",
|
|
"created": "1970-01-01T00:00:00.000Z",
|
|
"modified": "1970-01-01T00:00:00.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--0bc9fcae-fc75-4910-a8c0-61949bd76bb9",
|
|
"target_ref": "x-misp-object--32b7a65f-d4d2-4920-a244-29c98222f6ff"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--9e887e2a-1e70-426e-8f60-481c0e7b9d39",
|
|
"created": "1970-01-01T00:00:00.000Z",
|
|
"modified": "1970-01-01T00:00:00.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--10b7197c-b557-4d29-a593-8f81e682c400",
|
|
"target_ref": "x-misp-object--1752315a-8a3b-4114-badf-c204312c304b"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--3d8d31ff-247c-42a8-974c-3a6a67fff805",
|
|
"created": "1970-01-01T00:00:00.000Z",
|
|
"modified": "1970-01-01T00:00:00.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--4e2be21d-c114-470c-8845-572d708cdbec",
|
|
"target_ref": "x-misp-object--25558597-1dd5-4fb9-99b6-53db526d0e6e"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |