{
"type": "bundle",
"id": "bundle--21daf42e-7045-461c-8656-ff9894186820",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:51:45.000Z",
"modified": "2021-07-16T09:51:45.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--21daf42e-7045-461c-8656-ff9894186820",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:51:45.000Z",
"modified": "2021-07-16T09:51:45.000Z",
"name": "OSINT - Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware",
"published": "2021-07-16T09:54:40Z",
"object_refs": [
"vulnerability--5943081c-8a85-46d1-ab52-f76ab1ce77d3",
"vulnerability--c6223f13-3052-4d17-8414-53c8247d4336",
"indicator--834bc79d-2ab9-4d6d-88ac-958e4002f0ac",
"indicator--86e09e70-3691-4a0e-9133-ca4d34d3765e",
"indicator--4dec628f-d2c8-47ae-9895-fb8bd312639a",
"indicator--acbb4f61-a934-4e35-96a9-2c36c65695b5",
"indicator--938519ce-9f5b-48e1-8970-9277243bde83",
"indicator--4a17d32b-67c7-494b-82af-6c94a14a40b5",
"indicator--03025c82-02ed-4bd2-8d35-9296d3f12028",
"indicator--132c25d5-9373-4ac7-9709-b07d6f38f325",
"indicator--bdc5a7cb-0b72-4e8f-b458-01c1174febad",
"indicator--80c6ee70-9a34-4460-8794-c5bdec459a7c",
"indicator--0242da80-8905-43f7-a732-fa6de536a012",
"indicator--526b69aa-8492-4fab-9e71-940c372e9ebc",
"indicator--80ab30f5-1082-4951-bb3c-7e9262450260",
"indicator--bc3cc056-18ef-4fab-ba28-6c6650d38cc6",
"indicator--3353c7a2-18b2-4cfc-85b6-d37bdf67a66b",
"indicator--9df83f7f-03c9-4147-905d-3f0a4a7b9162",
"indicator--60838fb9-3271-4bcb-bea0-7ba16bb51fa1",
"x-misp-object--ae4dccf1-d8a4-4527-87d8-32fcd90baf61",
"vulnerability--97622622-6ddc-43ed-a2b5-8ccc5b1289ff",
"vulnerability--52713382-c72c-45c5-a3c8-5948aaaf4a66",
"indicator--f7f3e4bd-da33-4fc9-96e3-b6b518b925fb",
"indicator--b177fed6-5bf9-4647-8e4b-8e66a772f421"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5943081c-8a85-46d1-ab52-f76ab1ce77d3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:29:19.000Z",
"modified": "2021-07-16T09:29:19.000Z",
"name": "CVE-2021-31979",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"External analysis\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2021-31979"
}
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--c6223f13-3052-4d17-8414-53c8247d4336",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:29:19.000Z",
"modified": "2021-07-16T09:29:19.000Z",
"name": "CVE-2021-33771",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"External analysis\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2021-33771"
}
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--834bc79d-2ab9-4d6d-88ac-958e4002f0ac",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:32:00.000Z",
"modified": "2021-07-16T09:32:00.000Z",
"pattern": "[domain-name:value = 'noc-service-streamer.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-16T09:32:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--86e09e70-3691-4a0e-9133-ca4d34d3765e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:32:00.000Z",
"modified": "2021-07-16T09:32:00.000Z",
"pattern": "[domain-name:value = 'fbcdnads.live']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-16T09:32:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4dec628f-d2c8-47ae-9895-fb8bd312639a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:32:00.000Z",
"modified": "2021-07-16T09:32:00.000Z",
"pattern": "[domain-name:value = 'hilocake.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-16T09:32:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--acbb4f61-a934-4e35-96a9-2c36c65695b5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:32:00.000Z",
"modified": "2021-07-16T09:32:00.000Z",
"pattern": "[domain-name:value = 'backxercise.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-16T09:32:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--938519ce-9f5b-48e1-8970-9277243bde83",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:32:00.000Z",
"modified": "2021-07-16T09:32:00.000Z",
"pattern": "[domain-name:value = 'winmslaf.xyz']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-16T09:32:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4a17d32b-67c7-494b-82af-6c94a14a40b5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:32:00.000Z",
"modified": "2021-07-16T09:32:00.000Z",
"pattern": "[domain-name:value = 'service-deamon.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-16T09:32:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--03025c82-02ed-4bd2-8d35-9296d3f12028",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:32:00.000Z",
"modified": "2021-07-16T09:32:00.000Z",
"pattern": "[domain-name:value = 'online-affiliate-mon.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-16T09:32:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--132c25d5-9373-4ac7-9709-b07d6f38f325",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:32:00.000Z",
"modified": "2021-07-16T09:32:00.000Z",
"pattern": "[domain-name:value = 'codeingasmylife.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-16T09:32:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--bdc5a7cb-0b72-4e8f-b458-01c1174febad",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:32:00.000Z",
"modified": "2021-07-16T09:32:00.000Z",
"pattern": "[domain-name:value = 'kenoratravels.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-16T09:32:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--80c6ee70-9a34-4460-8794-c5bdec459a7c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:32:00.000Z",
"modified": "2021-07-16T09:32:00.000Z",
"pattern": "[domain-name:value = 'weathercheck.digital']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-16T09:32:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0242da80-8905-43f7-a732-fa6de536a012",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:32:00.000Z",
"modified": "2021-07-16T09:32:00.000Z",
"pattern": "[domain-name:value = 'colorpallatess.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-16T09:32:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--526b69aa-8492-4fab-9e71-940c372e9ebc",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:32:00.000Z",
"modified": "2021-07-16T09:32:00.000Z",
"pattern": "[domain-name:value = 'library-update.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-16T09:32:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--80ab30f5-1082-4951-bb3c-7e9262450260",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:32:00.000Z",
"modified": "2021-07-16T09:32:00.000Z",
"pattern": "[domain-name:value = 'online-source-validate.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-16T09:32:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--bc3cc056-18ef-4fab-ba28-6c6650d38cc6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:32:00.000Z",
"modified": "2021-07-16T09:32:00.000Z",
"pattern": "[domain-name:value = 'grayhornet.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-16T09:32:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3353c7a2-18b2-4cfc-85b6-d37bdf67a66b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:32:01.000Z",
"modified": "2021-07-16T09:32:01.000Z",
"pattern": "[domain-name:value = 'johnshopkin.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-16T09:32:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9df83f7f-03c9-4147-905d-3f0a4a7b9162",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:32:01.000Z",
"modified": "2021-07-16T09:32:01.000Z",
"pattern": "[domain-name:value = 'eulenformacion.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-16T09:32:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--60838fb9-3271-4bcb-bea0-7ba16bb51fa1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:32:01.000Z",
"modified": "2021-07-16T09:32:01.000Z",
"pattern": "[domain-name:value = 'pochtarossiy.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-16T09:32:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--ae4dccf1-d8a4-4527-87d8-32fcd90baf61",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:28:54.000Z",
"modified": "2021-07-16T09:28:54.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
"category": "External analysis",
"uuid": "bc590081-9e82-48ce-8663-566c7421fd16"
},
{
"type": "text",
"object_relation": "summary",
"value": "The Microsoft Threat Intelligence Center (MSTIC) alongside the Microsoft Security Response Center (MSRC) has uncovered a private-sector offensive actor, or PSOA, that we are calling SOURGUM in possession of now-patched, Windows 0-day exploits (CVE-2021-31979 and CVE-2021-33771).\r\n\r\nPrivate-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets\u2019 computers, phones, network infrastructure, and other devices. With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves. The tools, tactics, and procedures used by these companies only adds to the complexity, scale, and sophistication of attacks. We take these threats seriously and have moved swiftly alongside our partners to build in the latest protections for our customers.\r\n\r\nMSTIC believes SOURGUM is an Israel-based private-sector offensive actor. We would like to thank the Citizen Lab, at the University of Toronto\u2019s Munk School, for sharing the sample of malware that initiated this work and their collaboration during the investigation. In their blog, Citizen Lab asserts with high confidence that SOURGUM is an Israeli company commonly known as Candiru. Third-party reports indicate Candiru produces \u201chacking tools [that] are used to break into computers and servers\u201d.",
"category": "Other",
"uuid": "b3576c06-a702-4faa-97c2-3adf00bfc1d8"
},
{
"type": "text",
"object_relation": "type",
"value": "Blog post",
"category": "Other",
"uuid": "2155e6e5-2440-444e-ac36-09e37ae13e2c"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--97622622-6ddc-43ed-a2b5-8ccc5b1289ff",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:29:30.000Z",
"modified": "2021-07-16T09:29:30.000Z",
"name": "CVE-2021-31979",
"description": "Windows Kernel Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33771, CVE-2021-34514.",
"labels": [
"misp:name=\"vulnerability\"",
"misp:meta-category=\"vulnerability\"",
"misp:to_ids=\"False\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2021-31979"
},
{
"source_name": "url",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31979"
}
],
"x_misp_modified": "2021-07-14T19:14:00+00:00",
"x_misp_published": "2021-07-14T18:15:00+00:00",
"x_misp_state": "Published"
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--52713382-c72c-45c5-a3c8-5948aaaf4a66",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:29:55.000Z",
"modified": "2021-07-16T09:29:55.000Z",
"name": "CVE-2021-33771",
"description": "Windows Kernel Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-31979, CVE-2021-34514.",
"labels": [
"misp:name=\"vulnerability\"",
"misp:meta-category=\"vulnerability\"",
"misp:to_ids=\"False\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2021-33771"
},
{
"source_name": "url",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33771"
}
],
"x_misp_modified": "2021-07-14T19:14:00+00:00",
"x_misp_published": "2021-07-14T18:15:00+00:00",
"x_misp_state": "Published"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f7f3e4bd-da33-4fc9-96e3-b6b518b925fb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:30:34.000Z",
"modified": "2021-07-16T09:30:34.000Z",
"pattern": "import \\\\\"pe\\\\\"\r\nrule DevilsTongue_HijackDll\r\n{\r\nmeta:\r\ndescription = \\\\\"Detects SOURGUM\\'s DevilsTongue hijack DLL\\\\\"\r\nauthor = \\\\\"Microsoft Threat Intelligence Center (MSTIC)\\\\\"\r\ndate = \\\\\"2021-07-15\\\\\"\r\nstrings:\r\n$str1 = \\\\\"windows.old\\\\\\\\windows\\\\\" wide\r\n$str2 = \\\\\"NtQueryInformationThread\\\\\"\r\n$str3 = \\\\\"dbgHelp.dll\\\\\" wide\r\n$str4 = \\\\\"StackWalk64\\\\\"\r\n$str5 = \\\\\"ConvertSidToStringSidW\\\\\"\r\n$str6 = \\\\\"S-1-5-18\\\\\" wide\r\n$str7 = \\\\\"SMNew.dll\\\\\" // DLL original name\r\n// Call check in stack manipulation\r\n// B8 FF 15 00 00 mov eax, 15FFh\r\n// 66 39 41 FA cmp [rcx-6], ax\r\n// 74 06 jz short loc_1800042B9\r\n// 80 79 FB E8 cmp byte ptr [rcx-5], 0E8h ; \\'\u00e8\\'\r\n$code1 = {B8 FF 15 00 00 66 39 41 FA 74 06 80 79 FB E8}\r\n// PRNG to generate number of times to sleep 1s before exiting\r\n// 44 8B C0 mov r8d, eax\r\n// B8 B5 81 4E 1B mov eax, 1B4E81B5h\r\n// 41 F7 E8 imul r8d\r\n// C1 FA 05 sar edx, 5\r\n// 8B CA mov ecx, edx\r\n// C1 E9 1F shr ecx, 1Fh\r\n// 03 D1 add edx, ecx\r\n// 69 CA 2C 01 00 00 imul ecx, edx, 12Ch\r\n// 44 2B C1 sub r8d, ecx\r\n// 45 85 C0 test r8d, r8d\r\n// 7E 19 jle short loc_1800014D0\r\n$code2 = {44 8B C0 B8 B5 81 4E 1B 41 F7 E8 C1 FA 05 8B CA C1 E9 1F 03 D1 69 CA 2C 01 00 00 44 2B C1 45 85 C0 7E 19}\r\ncondition:\r\nfilesize < 800KB and\r\nuint16(0) == 0x5A4D and\r\n(pe.characteristics & pe.DLL) and\r\n(\r\n4 of them or\r\n($code1 and $code2) or\r\n(pe.imphash() == \\\\\"9a964e810949704ff7b4a393d9adda60\\\\\")\r\n)\r\n}",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2021-07-16T09:30:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_context": "all"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b177fed6-5bf9-4647-8e4b-8e66a772f421",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-16T09:31:34.000Z",
"modified": "2021-07-16T09:31:34.000Z",
"pattern": "[file:hashes.MD5 = 'a0e2223868b6133c5712ba5ed20c3e8a' AND file:hashes.SHA1 = '17614fdee3b89272e99758983b99111cbb1b312c' AND file:hashes.SHA256 = 'c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-16T09:31:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}