887 lines
No EOL
48 KiB
JSON
887 lines
No EOL
48 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--548033ca-5854-45f3-bf00-797e950d210b",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2018-03-18T21:50:02.000Z",
|
|
"modified": "2018-03-18T21:50:02.000Z",
|
|
"name": "CthulhuSPRL.be",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--548033ca-5854-45f3-bf00-797e950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2018-03-18T21:50:02.000Z",
|
|
"modified": "2018-03-18T21:50:02.000Z",
|
|
"name": "Regin Scanner",
|
|
"published": "2018-03-18T21:54:49Z",
|
|
"object_refs": [
|
|
"x-misp-attribute--548033d2-987c-416d-b962-503d950d210b",
|
|
"observed-data--548033e8-7bc4-4ce1-b015-2497950d210b",
|
|
"url--548033e8-7bc4-4ce1-b015-2497950d210b",
|
|
"indicator--548034d7-79e8-429d-847a-4eaf950d210b",
|
|
"indicator--548034d7-3234-416c-8cea-446b950d210b",
|
|
"indicator--548034d7-3880-4151-86f2-4296950d210b",
|
|
"indicator--548034d8-56e4-4b92-9958-46f6950d210b",
|
|
"indicator--548034d8-7a0c-4a1d-bc3f-4b45950d210b",
|
|
"indicator--548034d8-9820-4cb6-918c-42f9950d210b",
|
|
"indicator--548034d8-ceac-4873-bd3f-4f0f950d210b",
|
|
"indicator--548034d8-fb84-463d-bb7c-4b2e950d210b",
|
|
"indicator--548034d8-123c-4037-97ab-4fa6950d210b",
|
|
"indicator--548034d8-1610-4a92-9d13-490e950d210b",
|
|
"indicator--548034d8-e530-4558-9abc-4a73950d210b",
|
|
"indicator--548034d8-1c6c-4da3-ad78-4054950d210b",
|
|
"indicator--548034d8-5194-4077-bada-44c0950d210b",
|
|
"indicator--548034f5-dcfc-46c4-a941-41c5950d210b",
|
|
"indicator--548034f5-96b4-4a90-b838-47b7950d210b",
|
|
"indicator--548034f5-ba10-426a-8bc0-4f4f950d210b",
|
|
"indicator--548034f5-ef24-4077-843d-46e4950d210b",
|
|
"indicator--548034f6-bc40-4764-a308-4b4b950d210b",
|
|
"indicator--548034f6-57ac-4b35-b392-422e950d210b",
|
|
"indicator--548034f6-cf0c-47a9-9e23-4710950d210b",
|
|
"indicator--54803514-7e8c-4444-b6eb-503d950d210b",
|
|
"indicator--54803514-6c9c-4dfe-a9c5-503d950d210b",
|
|
"indicator--54803514-d928-41ea-8dd9-503d950d210b",
|
|
"indicator--5480352e-d554-4f67-be3c-2497950d210b",
|
|
"indicator--5480354e-70dc-49b6-9ac9-44b0950d210b",
|
|
"indicator--5480355c-0b58-4340-b3a9-4e07950d210b",
|
|
"indicator--54803569-9acc-4e3f-a05c-2490950d210b",
|
|
"indicator--54803577-2660-4dea-9bb2-4219950d210b",
|
|
"indicator--54803587-1fb8-42b2-b595-503d950d210b",
|
|
"x-misp-attribute--54803595-5428-45f6-af59-7eca950d210b",
|
|
"indicator--548035a2-aecc-4a3e-95e7-79dd950d210b",
|
|
"indicator--548035b1-90bc-4b1d-9d0d-159e950d210b",
|
|
"indicator--548035be-b83c-4e21-98bf-2490950d210b"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"type:OSINT",
|
|
"misp-galaxy:tool=\"Regin\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--548033d2-987c-416d-b962-503d950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:13:38.000Z",
|
|
"modified": "2014-12-04T10:13:38.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "Regin"
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--548033e8-7bc4-4ce1-b015-2497950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:14:00.000Z",
|
|
"modified": "2014-12-04T10:14:00.000Z",
|
|
"first_observed": "2014-12-04T10:14:00Z",
|
|
"last_observed": "2014-12-04T10:14:00Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--548033e8-7bc4-4ce1-b015-2497950d210b"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--548033e8-7bc4-4ce1-b015-2497950d210b",
|
|
"value": "https://github.com/Neo23x0/ReginScanner"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548034d7-79e8-429d-847a-4eaf950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:17:59.000Z",
|
|
"modified": "2014-12-04T10:17:59.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.MD5 = '187044596bc1328efa0ed636d8aa4a5c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:17:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548034d7-3234-416c-8cea-446b950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:17:59.000Z",
|
|
"modified": "2014-12-04T10:17:59.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.MD5 = '06665b96e293b23acc80451abb413e50']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:17:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548034d7-3880-4151-86f2-4296950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:17:59.000Z",
|
|
"modified": "2014-12-04T10:17:59.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.MD5 = 'd240f06e98c8d3e647cbf4d442d79475']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:17:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548034d8-56e4-4b92-9958-46f6950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:18:00.000Z",
|
|
"modified": "2014-12-04T10:18:00.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.MD5 = 'ffb0b9b5b610191051a7bdf0806e1e47']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:18:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548034d8-7a0c-4a1d-bc3f-4b45950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:18:00.000Z",
|
|
"modified": "2014-12-04T10:18:00.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.MD5 = 'bfbe8c3ee78750c3a520480700e440f8']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:18:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548034d8-9820-4cb6-918c-42f9950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:18:00.000Z",
|
|
"modified": "2014-12-04T10:18:00.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.MD5 = 'b29ca4f22ae7b7b25f79c1d4a421139d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:18:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548034d8-ceac-4873-bd3f-4f0f950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:18:00.000Z",
|
|
"modified": "2014-12-04T10:18:00.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.MD5 = '2c8b9d2885543d7ade3cae98225e263b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:18:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548034d8-fb84-463d-bb7c-4b2e950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:18:00.000Z",
|
|
"modified": "2014-12-04T10:18:00.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.MD5 = '4b6b86c7fec1c574706cecedf44abded']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:18:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548034d8-123c-4037-97ab-4fa6950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:18:00.000Z",
|
|
"modified": "2014-12-04T10:18:00.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.MD5 = '6662c390b2bbbd291ec7987388fc75d7']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:18:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548034d8-1610-4a92-9d13-490e950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:18:00.000Z",
|
|
"modified": "2014-12-04T10:18:00.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.MD5 = '1c024e599ac055312a4ab75b3950040a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:18:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548034d8-e530-4558-9abc-4a73950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:18:00.000Z",
|
|
"modified": "2014-12-04T10:18:00.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.MD5 = 'ba7bb65634ce1e30c1e5415be3d1db1d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:18:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548034d8-1c6c-4da3-ad78-4054950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:18:00.000Z",
|
|
"modified": "2014-12-04T10:18:00.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.MD5 = 'b505d65721bb2453d5039a389113b566']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:18:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548034d8-5194-4077-bada-44c0950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:18:00.000Z",
|
|
"modified": "2014-12-04T10:18:00.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.MD5 = 'b269894f434657db2b15949641a67532']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:18:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548034f5-dcfc-46c4-a941-41c5950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:18:29.000Z",
|
|
"modified": "2014-12-04T10:18:29.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.SHA1 = 'e0895336617e0b45b312383814ec6783556d7635']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:18:29Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548034f5-96b4-4a90-b838-47b7950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:18:29.000Z",
|
|
"modified": "2014-12-04T10:18:29.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.SHA1 = '732298fa025ed48179a3a2555b45be96f7079712']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:18:29Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548034f5-ba10-426a-8bc0-4f4f950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:18:29.000Z",
|
|
"modified": "2014-12-04T10:18:29.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.SHA1 = '5164edc1d54f10b7cb00a266a1b52c623ab005e2']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:18:29Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548034f5-ef24-4077-843d-46e4950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:18:29.000Z",
|
|
"modified": "2014-12-04T10:18:29.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.SHA1 = '773d7fab06807b5b1bc2d74fa80343e83593caf2']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:18:29Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548034f6-bc40-4764-a308-4b4b950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:18:30.000Z",
|
|
"modified": "2014-12-04T10:18:30.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.SHA1 = 'a7b285d4b896b66fce0ebfcd15db53b3a74a0400']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:18:30Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548034f6-57ac-4b35-b392-422e950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:18:30.000Z",
|
|
"modified": "2014-12-04T10:18:30.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.SHA1 = '8487a961c8244004c9276979bb4b0c14392fc3b8']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:18:30Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548034f6-cf0c-47a9-9e23-4710950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:18:30.000Z",
|
|
"modified": "2014-12-04T10:18:30.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.SHA1 = 'bcf3461d67b39a427c83f9e39b9833cfec977c61']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:18:30Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--54803514-7e8c-4444-b6eb-503d950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:19:00.000Z",
|
|
"modified": "2014-12-04T10:19:00.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.SHA256 = '4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:19:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--54803514-6c9c-4dfe-a9c5-503d950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:19:00.000Z",
|
|
"modified": "2014-12-04T10:19:00.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.SHA256 = 'e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:19:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--54803514-d928-41ea-8dd9-503d950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:19:00.000Z",
|
|
"modified": "2014-12-04T10:19:00.000Z",
|
|
"description": "From meta of yara rules",
|
|
"pattern": "[file:hashes.SHA256 = 'fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2014-12-04T10:19:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5480352e-d554-4f67-be3c-2497950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2018-03-18T21:50:02.000Z",
|
|
"modified": "2018-03-18T21:50:02.000Z",
|
|
"pattern": "[rule Regin_APT_KernelDriver_Generic_A {\r\n\tmeta:\r\n\t\tdescription = \"Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2\"\r\n\t\tauthor = \"@Malwrsignatures - included in APT Scanner THOR\"\r\n\t\tdate = \"23.11.14\"\r\n\t\thash1 = \"187044596bc1328efa0ed636d8aa4a5c\"\r\n\t\thash2 = \"06665b96e293b23acc80451abb413e50\"\r\n\t\thash3 = \"d240f06e98c8d3e647cbf4d442d79475\"\r\n\tstrings:\r\n\t\t$m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } \r\n\t\t$m1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }\r\n\t\t\r\n\t\t$s0 = \"atapi.sys\" fullword wide\r\n\t\t$s1 = \"disk.sys\" fullword wide\r\n\t\t$s3 = \"h.data\" fullword ascii\r\n\t\t$s4 = \"\\\\system32\" fullword ascii\r\n\t\t$s5 = \"\\\\SystemRoot\" fullword ascii\r\n\t\t$s6 = \"system\" fullword ascii\r\n\t\t$s7 = \"temp\" fullword ascii\r\n\t\t$s8 = \"windows\" fullword ascii\r\n\r\n\t\t$x1 = \"LRich6\" fullword ascii\r\n\t\t$x2 = \"KeServiceDescriptorTable\" fullword ascii\t\t\r\n\tcondition:\r\n\t\t$m0 at 0 and $m1 and all of ($s*) and 1 of ($x*)\r\n}]",
|
|
"pattern_type": "yara",
|
|
"valid_from": "2018-03-18T21:50:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"yara\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5480354e-70dc-49b6-9ac9-44b0950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:19:58.000Z",
|
|
"modified": "2014-12-04T10:19:58.000Z",
|
|
"pattern": "[rule Regin_APT_KernelDriver_Generic_B {\r\n\tmeta:\r\n\t\tdescription = \"Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2\"\r\n\t\tauthor = \"@Malwrsignatures - included in APT Scanner THOR\"\r\n\t\tdate = \"23.11.14\"\r\n\t\thash1 = \"ffb0b9b5b610191051a7bdf0806e1e47\"\r\n\t\thash2 = \"bfbe8c3ee78750c3a520480700e440f8\"\r\n\t\thash3 = \"b29ca4f22ae7b7b25f79c1d4a421139d\"\r\n\t\thash4 = \"06665b96e293b23acc80451abb413e50\"\r\n\t\thash5 = \"2c8b9d2885543d7ade3cae98225e263b\"\r\n\t\thash6 = \"4b6b86c7fec1c574706cecedf44abded\"\r\n\t\thash7 = \"187044596bc1328efa0ed636d8aa4a5c\"\r\n\t\thash8 = \"d240f06e98c8d3e647cbf4d442d79475\"\r\n\t\thash9 = \"6662c390b2bbbd291ec7987388fc75d7\"\r\n\t\thash10 = \"1c024e599ac055312a4ab75b3950040a\"\r\n\t\thash11 = \"ba7bb65634ce1e30c1e5415be3d1db1d\"\r\n\t\thash12 = \"b505d65721bb2453d5039a389113b566\"\r\n\t\thash13 = \"b269894f434657db2b15949641a67532\"\r\n\tstrings:\r\n\t\t$m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } \r\n\t\t$s1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }\r\n\t\t$s2 = \"H.data\" fullword ascii nocase\r\n\t\t$s3 = \"INIT\" fullword ascii\r\n\t\t$s4 = \"ntoskrnl.exe\" fullword ascii\r\n\t\t\r\n\t\t$v1 = \"\\\\system32\" fullword ascii\r\n\t\t$v2 = \"\\\\SystemRoot\" fullword ascii\r\n\t\t$v3 = \"KeServiceDescriptorTable\" fullword ascii\t\r\n\t\t\r\n\t\t$w1 = \"\\\\system32\" fullword ascii\r\n\t\t$w2 = \"\\\\SystemRoot\" fullword ascii\t\t\r\n\t\t$w3 = \"LRich6\" fullword ascii\r\n\t\t\r\n\t\t$x1 = \"_snprintf\" fullword ascii\r\n\t\t$x2 = \"_except_handler3\" fullword ascii\r\n\t\t\r\n\t\t$y1 = \"mbstowcs\" fullword ascii\r\n\t\t$y2 = \"wcstombs\" fullword ascii\r\n\t\t$y3 = \"KeGetCurrentIrql\" fullword ascii\r\n\t\t\r\n\t\t$z1 = \"wcscpy\" fullword ascii\r\n\t\t$z2 = \"ZwCreateFile\" fullword ascii\r\n\t\t$z3 = \"ZwQueryInformationFile\" fullword ascii\r\n\t\t$z4 = \"wcslen\" fullword ascii\r\n\t\t$z5 = \"atoi\" fullword ascii\r\n\tcondition:\r\n\t\t$m0 at 0 and all of ($s*) and \r\n\t\t( all of ($v*) or all of ($w*) or all of ($x*) or all of ($y*) or all of ($z*) ) \r\n\t\tand filesize < 20KB\r\n}]",
|
|
"pattern_type": "yara",
|
|
"valid_from": "2014-12-04T10:19:58Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"yara\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5480355c-0b58-4340-b3a9-4e07950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:20:12.000Z",
|
|
"modified": "2014-12-04T10:20:12.000Z",
|
|
"pattern": "[rule Regin_APT_KernelDriver_Generic_C {\r\n\tmeta:\r\n\t\tdescription = \"Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2\"\r\n\t\tauthor = \"@Malwrsignatures - included in APT Scanner THOR\"\r\n\t\tdate = \"23.11.14\"\r\n\t\thash1 = \"e0895336617e0b45b312383814ec6783556d7635\"\r\n\t\thash2 = \"732298fa025ed48179a3a2555b45be96f7079712\"\t\t\r\n\tstrings:\r\n\t\t$m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } \r\n\t\r\n\t\t$s0 = \"KeGetCurrentIrql\" fullword ascii\r\n\t\t$s1 = \"5.2.3790.0 (srv03_rtm.030324-2048)\" fullword wide\r\n\t\t$s2 = \"usbclass\" fullword wide\r\n\t\t\r\n\t\t$x1 = \"PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING\" ascii\r\n\t\t$x2 = \"Universal Serial Bus Class Driver\" fullword wide\r\n\t\t$x3 = \"5.2.3790.0\" fullword wide\r\n\t\t\r\n\t\t$y1 = \"LSA Shell\" fullword wide\r\n\t\t$y2 = \"0Richw\" fullword ascii\t\t\r\n\tcondition:\r\n\t\t$m0 at 0 and all of ($s*) and \r\n\t\t( all of ($x*) or all of ($y*) ) \r\n\t\tand filesize < 20KB\r\n}]",
|
|
"pattern_type": "yara",
|
|
"valid_from": "2014-12-04T10:20:12Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"yara\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--54803569-9acc-4e3f-a05c-2490950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:20:25.000Z",
|
|
"modified": "2014-12-04T10:20:25.000Z",
|
|
"pattern": "[rule Regin_sig_svcsstat {\r\n\tmeta:\r\n\t\tdescription = \"Detects svcstat from Regin report - file svcsstat.exe_sample\"\r\n\t\tauthor = \"@MalwrSignatures\"\r\n\t\tdate = \"26.11.14\"\r\n\t\thash = \"5164edc1d54f10b7cb00a266a1b52c623ab005e2\"\r\n\tstrings:\r\n\t\t$s0 = \"Service Control Manager\" fullword ascii\r\n\t\t$s1 = \"_vsnwprintf\" fullword ascii\r\n\t\t$s2 = \"Root Agency\" fullword ascii\r\n\t\t$s3 = \"Root Agency0\" fullword ascii\r\n\t\t$s4 = \"StartServiceCtrlDispatcherA\" fullword ascii\r\n\t\t$s5 = \"\\\\\\\\?\\\\UNC\" fullword wide\r\n\t\t$s6 = \"%ls%ls\" fullword wide\r\n\tcondition:\r\n\t\tall of them and filesize < 15KB and filesize > 10KB \r\n}]",
|
|
"pattern_type": "yara",
|
|
"valid_from": "2014-12-04T10:20:25Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"yara\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--54803577-2660-4dea-9bb2-4219950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:20:39.000Z",
|
|
"modified": "2014-12-04T10:20:39.000Z",
|
|
"pattern": "[rule Regin_Sample_1 {\r\n\tmeta:\r\n\t\tdescription = \"Auto-generated rule - file-3665415_sys\"\r\n\t\tauthor = \"@MalwrSignatures\"\r\n\t\tdate = \"26.11.14\"\r\n\t\thash = \"773d7fab06807b5b1bc2d74fa80343e83593caf2\"\r\n\tstrings:\r\n\t\t$s0 = \"Getting PortName/Identifier failed - %x\" fullword ascii\r\n\t\t$s1 = \"SerialAddDevice - error creating new devobj [%#08lx]\" fullword ascii\r\n\t\t$s2 = \"External Naming Failed - Status %x\" fullword ascii\r\n\t\t$s3 = \"------- Same multiport - different interrupts\" fullword ascii\r\n\t\t$s4 = \"%x occurred prior to the wait - starting the\" fullword ascii\r\n\t\t$s5 = \"'user registry info - userPortIndex: %d\" fullword ascii\r\n\t\t$s6 = \"Could not report legacy device - %x\" fullword ascii\r\n\t\t$s7 = \"entering SerialGetPortInfo\" fullword ascii\r\n\t\t$s8 = \"'user registry info - userPort: %x\" fullword ascii\r\n\t\t$s9 = \"IoOpenDeviceRegistryKey failed - %x \" fullword ascii\r\n\t\t$s10 = \"Kernel debugger is using port at address %X\" fullword ascii\r\n\t\t$s12 = \"Release - freeing multi context\" fullword ascii\r\n\t\t$s13 = \"Serial driver will not load port\" fullword ascii\r\n\t\t$s14 = \"'user registry info - userAddressSpace: %d\" fullword ascii\r\n\t\t$s15 = \"SerialAddDevice: Enumeration request, returning NO_MORE_ENTRIES\" fullword ascii\r\n\t\t$s20 = \"'user registry info - userIndexed: %d\" fullword ascii\r\n\tcondition:\r\n\t\tall of them and filesize < 110KB and filesize > 80KB\r\n}]",
|
|
"pattern_type": "yara",
|
|
"valid_from": "2014-12-04T10:20:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"yara\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--54803587-1fb8-42b2-b595-503d950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:20:55.000Z",
|
|
"modified": "2014-12-04T10:20:55.000Z",
|
|
"pattern": "[rule Regin_Sample_2 {\r\n\tmeta:\r\n\t\tdescription = \"Auto-generated rule - file hiddenmod_hookdisk_and_kdbg_8949d000.bin\"\r\n\t\tauthor = \"@MalwrSignatures\"\r\n\t\tdate = \"26.11.14\"\r\n\t\thash = \"a7b285d4b896b66fce0ebfcd15db53b3a74a0400\"\r\n\tstrings:\r\n\t\t$s0 = \"\\\\SYSTEMROOT\\\\system32\\\\lsass.exe\" fullword wide\r\n\t\t$s1 = \"atapi.sys\" fullword wide\r\n\t\t$s2 = \"disk.sys\" fullword wide\r\n\t\t$s3 = \"IoGetRelatedDeviceObject\" fullword ascii\r\n\t\t$s4 = \"HAL.dll\" fullword ascii\r\n\t\t$s5 = \"\\\\Registry\\\\Machine\\\\System\\\\CurrentControlSet\\\\Services\" fullword ascii\r\n\t\t$s6 = \"PsGetCurrentProcessId\" fullword ascii\r\n\t\t$s7 = \"KeGetCurrentIrql\" fullword ascii\r\n\t\t$s8 = \"\\\\REGISTRY\\\\Machine\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\" wide\r\n\t\t$s9 = \"KeSetImportanceDpc\" fullword ascii\r\n\t\t$s10 = \"KeQueryPerformanceCounter\" fullword ascii\r\n\t\t$s14 = \"KeInitializeEvent\" fullword ascii\r\n\t\t$s15 = \"KeDelayExecutionThread\" fullword ascii\r\n\t\t$s16 = \"KeInitializeTimerEx\" fullword ascii\r\n\t\t$s18 = \"PsLookupProcessByProcessId\" fullword ascii\r\n\t\t$s19 = \"ExReleaseFastMutexUnsafe\" fullword ascii\r\n\t\t$s20 = \"ExAcquireFastMutexUnsafe\" fullword ascii\r\n\tcondition:\r\n\t\tall of them and filesize < 40KB and filesize > 30KB\r\n}]",
|
|
"pattern_type": "yara",
|
|
"valid_from": "2014-12-04T10:20:55Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"yara\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--54803595-5428-45f6-af59-7eca950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2014-12-04T10:21:09.000Z",
|
|
"modified": "2014-12-04T10:21:09.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "Data entered by David Andr\u00c3\u00a9"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548035a2-aecc-4a3e-95e7-79dd950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2017-11-20T15:02:19.000Z",
|
|
"modified": "2017-11-20T15:02:19.000Z",
|
|
"pattern": "[rule Regin_Sample_3 {\r\n\tmeta:\r\n\t\tdescription = \"Detects Regin Backdoor sample fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129\"\r\n\t\tauthor = \"@Malwrsignatures\"\r\n\t\tdate = \"27.11.14\"\r\n\t\thash = \"fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129\"\t\t\r\n\tstrings:\r\n\t\t$hd = { fe ba dc fe }\r\n\t\r\n\t\t$s0 = \"Service Pack x\" fullword wide\r\n\t\t$s1 = \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\" fullword wide\r\n\t\t$s2 = \"\\\\REGISTRY\\\\Machine\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\HotFix\" fullword wide\r\n\t\t$s3 = \"mntoskrnl.exe\" fullword wide\r\n\t\t$s4 = \"\\\\REGISTRY\\\\Machine\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\Memory Management\" fullword wide\r\n\t\t$s5 = \"Memory location: 0x%p, size 0x%08x\" wide fullword\r\n\t\t$s6 = \"Service Pack\" fullword wide\r\n\t\t$s7 = \".sys\" fullword wide\r\n\t\t$s8 = \".dll\" fullword wide\t\t\r\n\t\t\r\n\t\t$s10 = \"\\\\REGISTRY\\\\Machine\\\\Software\\\\Microsoft\\\\Updates\" fullword wide\r\n\t\t$s11 = \"IoGetRelatedDeviceObject\" fullword ascii\r\n\t\t$s12 = \"VMEM.sys\" fullword ascii\r\n\t\t$s13 = \"RtlGetVersion\" fullword wide\r\n\t\t$s14 = \"ntkrnlpa.exe\" fullword ascii\r\n\tcondition:\r\n\t\t( $hd at 0 ) and all of ($s*) and filesize > 160KB and filesize < 200KB\r\n}]",
|
|
"pattern_type": "yara",
|
|
"valid_from": "2017-11-20T15:02:19Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"yara\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548035b1-90bc-4b1d-9d0d-159e950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2018-03-18T21:18:27.000Z",
|
|
"modified": "2018-03-18T21:18:27.000Z",
|
|
"pattern": "[rule Regin_Sample_Set_1 {\r\n\tmeta:\r\n\t\tdescription = \"Auto-generated rule - file SHF-000052 and ndisips.sys\"\r\n\t\tauthor = \"@MalwrSignatures\"\r\n\t\tdate = \"26.11.14\"\r\n\t\thash1 = \"8487a961c8244004c9276979bb4b0c14392fc3b8\"\r\n\t\thash2 = \"bcf3461d67b39a427c83f9e39b9833cfec977c61\"\t\t\r\n\tstrings:\r\n\t\t$s0 = \"HAL.dll\" fullword ascii\r\n\t\t$s1 = \"IoGetDeviceObjectPointer\" fullword ascii\r\n\t\t$s2 = \"MaximumPortsServiced\" fullword wide\r\n\t\t$s3 = \"KeGetCurrentIrql\" fullword ascii\r\n\t\t$s4 = \"ntkrnlpa.exe\" fullword ascii\r\n\t\t$s5 = \"\\\\REGISTRY\\\\Machine\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\" wide\r\n\t\t$s6 = \"ConnectMultiplePorts\" fullword wide\r\n\t\t$s7 = \"\\\\SYSTEMROOT\" fullword wide\r\n\t\t$s8 = \"IoWriteErrorLogEntry\" fullword ascii\r\n\t\t$s9 = \"KeQueryPerformanceCounter\" fullword ascii\r\n\t\t$s10 = \"KeServiceDescriptorTable\" fullword ascii\r\n\t\t$s11 = \"KeRemoveEntryDeviceQueue\" fullword ascii\r\n\t\t$s12 = \"SeSinglePrivilegeCheck\" fullword ascii\r\n\t\t$s13 = \"KeInitializeEvent\" fullword ascii\r\n\t\t$s14 = \"IoBuildDeviceIoControlRequest\" fullword ascii\r\n\t\t$s15 = \"KeRemoveDeviceQueue\" fullword ascii\r\n\t\t$s16 = \"IofCompleteRequest\" fullword ascii\r\n\t\t$s17 = \"KeInitializeSpinLock\" fullword ascii\r\n\t\t$s18 = \"MmIsNonPagedSystemAddressValid\" fullword ascii\r\n\t\t$s19 = \"IoCreateDevice\" fullword ascii\r\n\t\t$s20 = \"KefReleaseSpinLockFromDpcLevel\" fullword ascii\r\n\tcondition:\r\n\t\tall of them and filesize < 40KB and filesize > 30KB\r\n}]",
|
|
"pattern_type": "yara",
|
|
"valid_from": "2018-03-18T21:18:27Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"yara\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--548035be-b83c-4e21-98bf-2490950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2018-03-18T21:23:27.000Z",
|
|
"modified": "2018-03-18T21:23:27.000Z",
|
|
"pattern": "[rule Regin_Sample_Set_2 {\r\n meta:\r\n description = \"Detects Regin Backdoor sample 4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be and e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935\"\r\n author = \"@MalwrSignatures\"\r\n date = \"27.11.14\"\r\n hash0 = \"4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be\"\r\n hash1 = \"e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935\"\r\n strings:\r\n $hd = { fe ba dc fe }\r\n \r\n $s0 = \"d%ls%ls\" fullword wide\r\n $s1 = \"\\\\\\\\?\\\\UNC\" fullword wide\r\n $s2 = \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\" fullword wide\r\n $s3 = \"\\\\\\\\?\\\\UNC\\\\\" fullword wide\r\n $s4 = \"SYSTEM\\\\CurrentControlSet\\\\Control\\\\Class\\\\{4D36E972-E325-11CE-BFC1-08002BE10318}\" fullword wide\r\n $s5 = \"System\\\\CurrentControlSet\\\\Services\\\\Tcpip\\\\Linkage\" wide fullword\r\n $s6 = \"\\\\\\\\.\\\\Global\\\\%s\" fullword wide\r\n $s7 = \"temp\" fullword wide\r\n $s8 = \"\\\\\\\\.\\\\%s\" fullword wide\r\n $s9 = \"Memory location: 0x%p, size 0x%08x\" fullword wide \r\n \r\n $s10 = \"sscanf\" fullword ascii\r\n $s11 = \"disp.dll\" fullword ascii\r\n $s12 = \"%x:%x:%x:%x:%x:%x:%x:%x%c\" fullword ascii\r\n $s13 = \"%d.%d.%d.%d%c\" fullword ascii\r\n $s14 = \"imagehlp.dll\" fullword ascii\r\n $s15 = \"%hd %d\" fullword ascii\r\n condition:\r\n ( $hd at 0 ) and all of ($s*) and filesize < 450KB and filesize > 360KB\r\n}]",
|
|
"pattern_type": "yara",
|
|
"valid_from": "2018-03-18T21:23:27Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"yara\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:GREEN",
|
|
"definition": {
|
|
"tlp": "green"
|
|
}
|
|
}
|
|
]
|
|
} |