{
"type": "bundle",
"id": "bundle--5b9123c0-1480-4e09-877e-4783950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-12T12:36:30.000Z",
"modified": "2018-09-12T12:36:30.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5b9123c0-1480-4e09-877e-4783950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-12T12:36:30.000Z",
"modified": "2018-09-12T12:36:30.000Z",
"name": "OSINT - Sigma Ransomware Being Distributed Using Fake Craigslist Malspam",
"published": "2018-09-12T12:38:00Z",
"object_refs": [
"x-misp-attribute--5b912411-f738-46fc-b27c-4ada950d210f",
"observed-data--5b912433-50b0-4e96-8d7a-44b1950d210f",
"url--5b912433-50b0-4e96-8d7a-44b1950d210f",
"indicator--5b912ca6-7264-48c8-afca-40e4950d210f",
"indicator--5b927c00-c9c8-4780-84da-abc4950d210f",
"indicator--5b912b9e-67d4-45ad-b17d-4020950d210f",
"indicator--af63c140-7e55-4ae2-a261-9f126f0195ab",
"x-misp-object--6241958e-2b1b-4ccf-8aa5-0aee9e179e50",
"indicator--5b927884-8d5c-4a6c-af30-4daa950d210f",
"indicator--5b9279c2-40a4-4823-840a-4c03950d210f",
"indicator--5b927cc5-d5ac-46df-ace4-4cf8950d210f",
"indicator--5b927d28-edcc-445d-869b-42ae950d210f",
"indicator--5b927d3b-9628-4e2f-83b3-4cb8950d210f",
"indicator--5b927d4a-5334-448b-84e9-4545950d210f",
"indicator--5b927edc-e5a4-47e1-86a6-4a0f950d210f",
"indicator--5b927f07-0ebc-45ea-9a4c-4791950d210f",
"indicator--5b927f19-af00-4e57-bc93-49e9950d210f",
"indicator--5b927f4d-5914-4be0-bc7e-4da1950d210f",
"indicator--5b927f5e-50ac-4596-b3cb-474b950d210f",
"indicator--5b927f6b-0430-4a52-b692-4dba950d210f",
"indicator--5b927f7c-32c8-4e30-b9d5-421f950d210f",
"indicator--5b927fee-1590-49f2-a2f6-44ca950d210f",
"indicator--5b92809a-b468-47e6-a7c7-47c9950d210f",
"indicator--5b9280aa-969c-4c3e-ad03-4011950d210f",
"indicator--5b9280b9-be58-4c21-a4d2-49ca950d210f",
"indicator--5b9280c4-17b4-4114-8017-44e0950d210f",
"indicator--5b9280d0-1874-4711-87ed-4299950d210f",
"indicator--5b9280db-dfe0-41f0-9f42-44c7950d210f",
"indicator--5b9280ea-e38c-41f1-8453-47b9950d210f",
"x-misp-object--f04b2156-46a7-4ffe-a470-b0d0ac7ef70e",
"relationship--7745aa48-d1f4-472c-9d36-90292c15da66",
"relationship--3f11d816-d969-4ec0-af28-3de39fa63a22"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"malware_classification:malware-category=\"Ransomware\"",
"osint:source-type=\"blog-post\"",
"misp-galaxy:ransomware=\"Sigma Ransomware\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Link - T1192\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Attachment - T1193\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"User Execution - T1204\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Scripting - T1064\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Obfuscated Files or Information - T1027\"",
"monarc-threat:unauthorised-actions=\"corruption-of-data\"",
"monarc-threat:compromise-of-information=\"malware-infection\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b912411-f738-46fc-b27c-4ada950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T14:06:53.000Z",
"modified": "2018-09-07T14:06:53.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Today one of our volunteers, Aura, told me about a new malspam campaign pretending to be from Craigslist that is under way and distributing the Sigma Ransomware. These spam emails contain password protected Word or RTF documents that download the Sigma Ransomware executable from a remote site and install it on a recipient's computer."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b912433-50b0-4e96-8d7a-44b1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T14:07:02.000Z",
"modified": "2018-09-07T14:07:02.000Z",
"first_observed": "2018-09-07T14:07:02Z",
"last_observed": "2018-09-07T14:07:02Z",
"number_observed": 1,
"object_refs": [
"url--5b912433-50b0-4e96-8d7a-44b1950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b912433-50b0-4e96-8d7a-44b1950d210f",
"value": "https://www.bleepingcomputer.com/news/security/sigma-ransomware-being-distributed-using-fake-craigslist-malspam/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b912ca6-7264-48c8-afca-40e4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-06T13:33:26.000Z",
"modified": "2018-09-06T13:33:26.000Z",
"pattern": "[url:value = 'http://185.121.139.229/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-06T13:33:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927c00-c9c8-4780-84da-abc4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:24:16.000Z",
"modified": "2018-09-07T13:24:16.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\taskwgr.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:24:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b912b9e-67d4-45ad-b17d-4020950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-06T13:29:02.000Z",
"modified": "2018-09-06T13:29:02.000Z",
"pattern": "[file:hashes.SHA256 = 'b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-06T13:29:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--af63c140-7e55-4ae2-a261-9f126f0195ab",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-12T12:28:55.000Z",
"modified": "2018-09-12T12:28:55.000Z",
"pattern": "[file:hashes.MD5 = '9afa3302527608a30408958bc48019fc' AND file:hashes.SHA1 = '0d34add7d61e26583dc54e7b89b6d4056d6bf201' AND file:hashes.SHA256 = 'b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-12T12:28:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--6241958e-2b1b-4ccf-8aa5-0aee9e179e50",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T06:48:13.000Z",
"modified": "2018-09-07T06:48:13.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-08-28T00:23:39",
"category": "Other",
"uuid": "8d5b54cd-1dfc-435b-8e19-cc4eda5b2288"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864/analysis/1535415819/",
"category": "External analysis",
"uuid": "18055e03-5add-4a61-9465-9afc972b1cb3"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "45/67",
"category": "Other",
"uuid": "e911d120-fdf4-4110-8272-ddb11eedd9ec"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927884-8d5c-4a6c-af30-4daa950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:09:24.000Z",
"modified": "2018-09-07T13:09:24.000Z",
"pattern": "[file:name = 'ReadMe.txt' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:09:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b9279c2-40a4-4823-840a-4c03950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:15:06.000Z",
"modified": "2018-09-07T13:15:06.000Z",
"pattern": "[windows-registry-key:key = '\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\chrome' AND windows-registry-key:values[0].data_type = 'REG_NONE' AND windows-registry-key:values[0].name = 'Rundll32.exe SHELL32.DLL,ShellExec_RunDLL' AND windows-registry-key:x_misp_root_keys = 'HKCU']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:15:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"registry-key\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927cc5-d5ac-46df-ace4-4cf8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:27:33.000Z",
"modified": "2018-09-07T13:27:33.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Data\\\\Tor\\\\geoip' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:27:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927d28-edcc-445d-869b-42ae950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:29:12.000Z",
"modified": "2018-09-07T13:29:12.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Data\\\\Tor\\\\geoip6' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:29:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927d3b-9628-4e2f-83b3-4cb8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:29:31.000Z",
"modified": "2018-09-07T13:29:31.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\test1.bmp' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:29:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927d4a-5334-448b-84e9-4545950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:29:46.000Z",
"modified": "2018-09-07T13:29:46.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libeay32.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:29:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927edc-e5a4-47e1-86a6-4a0f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:36:28.000Z",
"modified": "2018-09-07T13:36:28.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libevent_core-2-0-5.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:36:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927f07-0ebc-45ea-9a4c-4791950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:37:11.000Z",
"modified": "2018-09-07T13:37:11.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\cached-certs' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:37:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927f19-af00-4e57-bc93-49e9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:37:29.000Z",
"modified": "2018-09-07T13:37:29.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\cached-microdesc-consensus' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:37:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927f4d-5914-4be0-bc7e-4da1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:38:21.000Z",
"modified": "2018-09-07T13:38:21.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libssp-0.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:38:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927f5e-50ac-4596-b3cb-474b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:38:38.000Z",
"modified": "2018-09-07T13:38:38.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\tor-gencert.exe' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:38:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927f6b-0430-4a52-b692-4dba950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:38:51.000Z",
"modified": "2018-09-07T13:38:51.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\svchost.exe' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:38:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927f7c-32c8-4e30-b9d5-421f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:39:08.000Z",
"modified": "2018-09-07T13:39:08.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\zlib1.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:39:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927fee-1590-49f2-a2f6-44ca950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:41:02.000Z",
"modified": "2018-09-07T13:41:02.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\cached-microdescs.new' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:41:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b92809a-b468-47e6-a7c7-47c9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:43:54.000Z",
"modified": "2018-09-07T13:43:54.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libevent-2-0-5.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:43:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b9280aa-969c-4c3e-ad03-4011950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:44:09.000Z",
"modified": "2018-09-07T13:44:09.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\ssleay32.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:44:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b9280b9-be58-4c21-a4d2-49ca950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:44:25.000Z",
"modified": "2018-09-07T13:44:25.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\state' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:44:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b9280c4-17b4-4114-8017-44e0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:44:36.000Z",
"modified": "2018-09-07T13:44:36.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\Desktop\\\\ReadMe.html' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:44:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b9280d0-1874-4711-87ed-4299950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:44:48.000Z",
"modified": "2018-09-07T13:44:48.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libgcc_s_sjlj-1.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:44:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b9280db-dfe0-41f0-9f42-44c7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:44:59.000Z",
"modified": "2018-09-07T13:44:59.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libevent_extra-2-0-5.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:44:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b9280ea-e38c-41f1-8453-47b9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:45:14.000Z",
"modified": "2018-09-07T13:45:14.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\lock' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:45:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--f04b2156-46a7-4ffe-a470-b0d0ac7ef70e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-12T12:28:55.000Z",
"modified": "2018-09-12T12:28:55.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-08-28T00:23:39",
"category": "Other",
"uuid": "bff3beea-deb5-49b8-a2be-334a5603e8ac"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864/analysis/1535415819/",
"category": "External analysis",
"uuid": "505d7436-7769-4279-9d1a-b95934d0edc8"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "45/67",
"category": "Other",
"uuid": "00c8704b-05af-405d-a5ce-13f8167612d4"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7745aa48-d1f4-472c-9d36-90292c15da66",
"created": "2018-09-07T06:48:21.000Z",
"modified": "2018-09-07T06:48:21.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--af63c140-7e55-4ae2-a261-9f126f0195ab",
"target_ref": "x-misp-object--6241958e-2b1b-4ccf-8aa5-0aee9e179e50"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--3f11d816-d969-4ec0-af28-3de39fa63a22",
"created": "2018-09-12T12:29:05.000Z",
"modified": "2018-09-12T12:29:05.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--af63c140-7e55-4ae2-a261-9f126f0195ab",
"target_ref": "x-misp-object--f04b2156-46a7-4ffe-a470-b0d0ac7ef70e"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}