adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/5824e43f-9370-463b-9681-452b950d210f.json

392 lines
No EOL
17 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--5824e43f-9370-463b-9681-452b950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-10T21:21:36.000Z",
"modified": "2016-11-10T21:21:36.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5824e43f-9370-463b-9681-452b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-10T21:21:36.000Z",
"modified": "2016-11-10T21:21:36.000Z",
"name": "OSINT - Floki Bot and the stealthy dropper",
"published": "2016-11-10T21:36:04Z",
"object_refs": [
"observed-data--5824e452-b3a0-4edd-8102-45ff950d210f",
"url--5824e452-b3a0-4edd-8102-45ff950d210f",
"x-misp-attribute--5824e470-175c-4fc9-b8ca-48f1950d210f",
"indicator--5824e4ac-0070-4ea1-b3ec-44c6950d210f",
"indicator--5824e4ad-3450-453f-8fa8-4506950d210f",
"indicator--5824e4ad-fedc-4697-90e7-46f5950d210f",
"indicator--5824e4e0-9608-4753-8cb8-4eea02de0b81",
"indicator--5824e4e1-e038-4976-b573-49df02de0b81",
"observed-data--5824e4e1-6e98-430a-aae0-46cb02de0b81",
"url--5824e4e1-6e98-430a-aae0-46cb02de0b81",
"indicator--5824e4e2-12f4-4f88-bd09-49d302de0b81",
"indicator--5824e4e3-2ecc-4f5a-9348-46a902de0b81",
"observed-data--5824e4e3-4e10-4f41-bbf8-4b9002de0b81",
"url--5824e4e3-4e10-4f41-bbf8-4b9002de0b81",
"indicator--5824e4e4-77c4-4c25-b06e-412402de0b81",
"indicator--5824e4e4-0ca8-47a7-aeec-4e4102de0b81",
"observed-data--5824e4e4-5228-4344-8a68-474a02de0b81",
"url--5824e4e4-5228-4344-8a68-474a02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\"",
"circl:incident-classification=\"malware\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5824e452-b3a0-4edd-8102-45ff950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-10T21:19:14.000Z",
"modified": "2016-11-10T21:19:14.000Z",
"first_observed": "2016-11-10T21:19:14Z",
"last_observed": "2016-11-10T21:19:14Z",
"number_observed": 1,
"object_refs": [
"url--5824e452-b3a0-4edd-8102-45ff950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5824e452-b3a0-4edd-8102-45ff950d210f",
"value": "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5824e470-175c-4fc9-b8ca-48f1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-10T21:19:44.000Z",
"modified": "2016-11-10T21:19:44.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Floki Bot, described recently by Dr. Peter Stephenson from SC Magazine, is yet another bot based on the leaked Zeus code. However, the author came up with various custom modifications that makes it more interesting.\r\n\r\nAccording to the advertisements announced on the black market, this bot is capable of making very stealthy injections, evading many mechanisms of detection. We decided to take a look at what are the tricks behind it. It turned out, that although the injection method that the dropper uses is not novel by itself, but it comes with few interesting twists, that are not so commonly used in malware."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5824e4ac-0070-4ea1-b3ec-44c6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-10T21:20:44.000Z",
"modified": "2016-11-10T21:20:44.000Z",
"description": "dropper <- main focus of this analysis",
"pattern": "[file:hashes.MD5 = '5649e7a200df2fb85ad1fb5a723bef22']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-10T21:20:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5824e4ad-3450-453f-8fa8-4506950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-10T21:20:45.000Z",
"modified": "2016-11-10T21:20:45.000Z",
"description": "core module \u00e2\u20ac\u201c bot 32bit",
"pattern": "[file:hashes.MD5 = 'e54d28a24c976348c438f45281d68c54']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-10T21:20:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5824e4ad-fedc-4697-90e7-46f5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-10T21:20:45.000Z",
"modified": "2016-11-10T21:20:45.000Z",
"description": "core module \u00e2\u20ac\u201c bot 64bit",
"pattern": "[file:hashes.MD5 = 'd4c5384da41fd391d16eff60abc21405']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-10T21:20:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5824e4e0-9608-4753-8cb8-4eea02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-10T21:21:36.000Z",
"modified": "2016-11-10T21:21:36.000Z",
"description": "core module \u00e2\u20ac\u201c bot 64bit - Xchecked via VT: d4c5384da41fd391d16eff60abc21405",
"pattern": "[file:hashes.SHA256 = '0522bfea61ab0db154cde9c1217c90547bd46ba1be0fc6a17bfb4b52e8241a63']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-10T21:21:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5824e4e1-e038-4976-b573-49df02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-10T21:21:37.000Z",
"modified": "2016-11-10T21:21:37.000Z",
"description": "core module \u00e2\u20ac\u201c bot 64bit - Xchecked via VT: d4c5384da41fd391d16eff60abc21405",
"pattern": "[file:hashes.SHA1 = '75f47640299fc2b33492c3640128d58ac2dc1463']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-10T21:21:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5824e4e1-6e98-430a-aae0-46cb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-10T21:21:37.000Z",
"modified": "2016-11-10T21:21:37.000Z",
"first_observed": "2016-11-10T21:21:37Z",
"last_observed": "2016-11-10T21:21:37Z",
"number_observed": 1,
"object_refs": [
"url--5824e4e1-6e98-430a-aae0-46cb02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5824e4e1-6e98-430a-aae0-46cb02de0b81",
"value": "https://www.virustotal.com/file/0522bfea61ab0db154cde9c1217c90547bd46ba1be0fc6a17bfb4b52e8241a63/analysis/1478618112/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5824e4e2-12f4-4f88-bd09-49d302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-10T21:21:38.000Z",
"modified": "2016-11-10T21:21:38.000Z",
"description": "core module \u00e2\u20ac\u201c bot 32bit - Xchecked via VT: e54d28a24c976348c438f45281d68c54",
"pattern": "[file:hashes.SHA256 = '5d2ee0440314f7229a126baa152e43473d771591e818f8317275c175fd888f23']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-10T21:21:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5824e4e3-2ecc-4f5a-9348-46a902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-10T21:21:39.000Z",
"modified": "2016-11-10T21:21:39.000Z",
"description": "core module \u00e2\u20ac\u201c bot 32bit - Xchecked via VT: e54d28a24c976348c438f45281d68c54",
"pattern": "[file:hashes.SHA1 = '3cd014e2ebdb8dd679deb70cd1005b0a2b8283e7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-10T21:21:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5824e4e3-4e10-4f41-bbf8-4b9002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-10T21:21:39.000Z",
"modified": "2016-11-10T21:21:39.000Z",
"first_observed": "2016-11-10T21:21:39Z",
"last_observed": "2016-11-10T21:21:39Z",
"number_observed": 1,
"object_refs": [
"url--5824e4e3-4e10-4f41-bbf8-4b9002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5824e4e3-4e10-4f41-bbf8-4b9002de0b81",
"value": "https://www.virustotal.com/file/5d2ee0440314f7229a126baa152e43473d771591e818f8317275c175fd888f23/analysis/1478618090/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5824e4e4-77c4-4c25-b06e-412402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-10T21:21:40.000Z",
"modified": "2016-11-10T21:21:40.000Z",
"description": "dropper <- main focus of this analysis - Xchecked via VT: 5649e7a200df2fb85ad1fb5a723bef22",
"pattern": "[file:hashes.SHA256 = '5e1967db286d886b87d1ec655559b9af694fc6e002fea3a6c7fd3c6b0b49ea6e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-10T21:21:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5824e4e4-0ca8-47a7-aeec-4e4102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-10T21:21:40.000Z",
"modified": "2016-11-10T21:21:40.000Z",
"description": "dropper <- main focus of this analysis - Xchecked via VT: 5649e7a200df2fb85ad1fb5a723bef22",
"pattern": "[file:hashes.SHA1 = 'b057d20122048001850afeca671fd31dbcdd1c76']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-10T21:21:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5824e4e4-5228-4344-8a68-474a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-10T21:21:40.000Z",
"modified": "2016-11-10T21:21:40.000Z",
"first_observed": "2016-11-10T21:21:40Z",
"last_observed": "2016-11-10T21:21:40Z",
"number_observed": 1,
"object_refs": [
"url--5824e4e4-5228-4344-8a68-474a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5824e4e4-5228-4344-8a68-474a02de0b81",
"value": "https://www.virustotal.com/file/5e1967db286d886b87d1ec655559b9af694fc6e002fea3a6c7fd3c6b0b49ea6e/analysis/1478549521/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink