misp-circl-feed/feeds/circl/stix-2.1/57232f8f-c210-454d-ad75-4d11950d210f.json


{
"type": "bundle",
"id": "bundle--57232f8f-c210-454d-ad75-4d11950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T12:52:55.000Z",
"modified": "2016-04-29T12:52:55.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--57232f8f-c210-454d-ad75-4d11950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T12:52:55.000Z",
"modified": "2016-04-29T12:52:55.000Z",
"name": "OSINT - Over 100,000 South Korean Users Affected by BlackMoon Campaign",
"published": "2016-04-29T12:55:11Z",
"object_refs": [
"x-misp-attribute--57232fa6-7414-40ab-98b4-4aea950d210f",
"observed-data--57232fc1-fb14-40b0-8f7d-4357950d210f",
"url--57232fc1-fb14-40b0-8f7d-4357950d210f",
"indicator--57233003-95fc-43c3-bca7-488d950d210f",
"indicator--57233003-4298-4f0e-bace-45dd950d210f",
"indicator--57233004-ae44-497e-b9de-4380950d210f",
"indicator--57233004-9498-43cd-b496-4377950d210f",
"indicator--57233005-5e14-43fa-bf3e-40b1950d210f",
"indicator--57233005-2eb4-4609-bc43-442a950d210f",
"indicator--57233005-ff28-4e9a-8ead-4e3d950d210f",
"indicator--57233006-5814-4ba8-b738-469a950d210f",
"indicator--5723321d-338c-468a-b1c1-4421950d210f",
"indicator--5723321e-de2c-45aa-bd9a-4dd2950d210f",
"indicator--5723321e-89dc-4a63-99d9-4504950d210f",
"indicator--5723321f-8a50-4e51-93b0-4747950d210f",
"indicator--5723321f-f474-4f2b-b9b7-4b7f950d210f",
"indicator--5723321f-2d2c-4d64-934e-43f9950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57232fa6-7414-40ab-98b4-4aea950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T09:55:50.000Z",
"modified": "2016-04-29T09:55:50.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "The FortiGuard Virtualization Execution X (VEX) system \u2013 a behaviour-based, in-house framework designed to identify zero-day samples \u2013 has detected a previously undiscovered iteration of the BlackMoon Trojan.\r\n\r\nBlackMoon Trojan is a banking trojan that is designed to phish user credentials from various South Korean banking institutions. It was discovered in early 2014 and was named after a debug string, \u201cBlackMoon\u201d, that was present in its code.\r\n\r\nWhile the BlackMoon malware code has been constantly updated by its perpetrators, the extent of the campaign's infection was previously unknown. This post intends to share the findings of the FortiGuard Lion Team on BlackMoon\u2019s prevalence and its latest code updates."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57232fc1-fb14-40b0-8f7d-4357950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T09:56:17.000Z",
"modified": "2016-04-29T09:56:17.000Z",
"first_observed": "2016-04-29T09:56:17Z",
"last_observed": "2016-04-29T09:56:17Z",
"number_observed": 1,
"object_refs": [
"url--57232fc1-fb14-40b0-8f7d-4357950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57232fc1-fb14-40b0-8f7d-4357950d210f",
"value": "http://blog.fortinet.com/post/over-100-000-south-korean-users-affected-by-blackmoon-campaign"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57233003-95fc-43c3-bca7-488d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T09:57:23.000Z",
"modified": "2016-04-29T09:57:23.000Z",
"description": "C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '100.43.185.34']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-29T09:57:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57233003-4298-4f0e-bace-45dd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T09:57:23.000Z",
"modified": "2016-04-29T09:57:23.000Z",
"description": "C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.139.0.211']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-29T09:57:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57233004-ae44-497e-b9de-4380950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T09:57:24.000Z",
"modified": "2016-04-29T09:57:24.000Z",
"description": "C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '107.151.158.196']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-29T09:57:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57233004-9498-43cd-b496-4377950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T09:57:24.000Z",
"modified": "2016-04-29T09:57:24.000Z",
"description": "C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '206.161.216.35']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-29T09:57:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57233005-5e14-43fa-bf3e-40b1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T09:57:25.000Z",
"modified": "2016-04-29T09:57:25.000Z",
"description": "C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '207.226.136.14']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-29T09:57:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57233005-2eb4-4609-bc43-442a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T09:57:25.000Z",
"modified": "2016-04-29T09:57:25.000Z",
"description": "C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '100.43.185.42']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-29T09:57:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57233005-ff28-4e9a-8ead-4e3d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T09:57:25.000Z",
"modified": "2016-04-29T09:57:25.000Z",
"description": "C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.139.194.82']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-29T09:57:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57233006-5814-4ba8-b738-469a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T09:57:26.000Z",
"modified": "2016-04-29T09:57:26.000Z",
"description": "C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '205.209.141.84']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-29T09:57:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5723321d-338c-468a-b1c1-4421950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T10:06:21.000Z",
"modified": "2016-04-29T10:06:21.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.MD5 = 'dfd4dc577d02b76efea004cd2c131ff7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-29T10:06:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5723321e-de2c-45aa-bd9a-4dd2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T10:06:22.000Z",
"modified": "2016-04-29T10:06:22.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.MD5 = '163f885cc88c0e69a4094122e5667190']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-29T10:06:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5723321e-89dc-4a63-99d9-4504950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T10:06:22.000Z",
"modified": "2016-04-29T10:06:22.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.MD5 = '3cfd66340f204e1b8697e7a8514c00ab']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-29T10:06:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5723321f-8a50-4e51-93b0-4747950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T10:06:23.000Z",
"modified": "2016-04-29T10:06:23.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.MD5 = 'ee0def01d390ca7fd7ced414c83f9782']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-29T10:06:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5723321f-f474-4f2b-b9b7-4b7f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T10:06:23.000Z",
"modified": "2016-04-29T10:06:23.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.MD5 = '2aabd4fa21cca0f153f57ccc1f3c54c0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-29T10:06:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5723321f-2d2c-4d64-934e-43f9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T10:06:23.000Z",
"modified": "2016-04-29T10:06:23.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.MD5 = 'bbcbd3dc203829c9cdbf7d1b057f0e79']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-29T10:06:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}