misp-circl-feed/feeds/circl/misp/58538c11-4694-47ba-a01c-4cfe02de0b81.json

489 lines
No EOL
22 KiB
JSON

{
"type": "bundle",
"id": "bundle--58538c11-4694-47ba-a01c-4cfe02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-16T06:47:25.000Z",
"modified": "2016-12-16T06:47:25.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--58538c11-4694-47ba-a01c-4cfe02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-16T06:47:25.000Z",
"modified": "2016-12-16T06:47:25.000Z",
"name": "OSINT - One, if by email, and two, if by EK: The Cerbers are coming!",
"published": "2016-12-16T06:48:34Z",
"object_refs": [
"observed-data--58538c1d-82a0-4d24-867d-41a202de0b81",
"url--58538c1d-82a0-4d24-867d-41a202de0b81",
"x-misp-attribute--58538c3f-4960-4980-bab9-4c6b02de0b81",
"indicator--58538ce3-601c-4716-bb6f-417b02de0b81",
"indicator--58538ce4-7814-4334-8180-418102de0b81",
"indicator--58538ce4-7bec-4498-b89a-445302de0b81",
"indicator--58538ce5-3240-4327-bcc6-4e1a02de0b81",
"indicator--58538ce6-3e80-4e94-8ab8-46fe02de0b81",
"indicator--58538ce8-2d7c-49ca-89ae-48bd02de0b81",
"indicator--58538cea-d9f0-4ef3-8d22-453e02de0b81",
"indicator--58538cea-4fe0-4dca-b42e-450802de0b81",
"indicator--58538ceb-a834-43a4-aa47-4a9802de0b81",
"indicator--58538d21-bb20-4511-b10a-4a7402de0b81",
"indicator--58538d8d-0888-4b53-a42a-4a4102de0b81",
"indicator--58538da1-7b68-45ed-abb7-436b02de0b81",
"observed-data--58538dae-a6d8-4f69-bc5c-4fa502de0b81",
"url--58538dae-a6d8-4f69-bc5c-4fa502de0b81",
"indicator--58538dfd-53a0-4703-ad4e-4e0e02de0b81",
"indicator--58538dfe-0c74-4137-aa72-4db102de0b81",
"observed-data--58538dfe-0750-4380-83c4-448802de0b81",
"url--58538dfe-0750-4380-83c4-448802de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"enisa:nefarious-activity-abuse=\"exploits-exploit-kits\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58538c1d-82a0-4d24-867d-41a202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-16T06:39:25.000Z",
"modified": "2016-12-16T06:39:25.000Z",
"first_observed": "2016-12-16T06:39:25Z",
"last_observed": "2016-12-16T06:39:25Z",
"number_observed": 1,
"object_refs": [
"url--58538c1d-82a0-4d24-867d-41a202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58538c1d-82a0-4d24-867d-41a202de0b81",
"value": "https://isc.sans.edu/forums/diary/One+if+by+email+and+two+if+by+EK+The+Cerbers+are+coming/21823"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58538c3f-4960-4980-bab9-4c6b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-16T06:39:59.000Z",
"modified": "2016-12-16T06:39:59.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "As I've discussed before, EKs are merely a method to distribute malware. Criminal groups establish campaigns utilizing EKs to distribute their malware. I often see indicators of campaigns that use Magnitude EK or Rig EK to distribute Cerber ransomware.\r\n\r\nIn my lab environment, I generally don't generate much Magnitude EK. Why? Because Magnitude usually happens through a malvertising campaign, and that's quite difficult to replicate. By the time any particular malvertisement's indicators are known, the criminals have moved to a new malvertisement.\r\n\r\nSince early October 2016, I've typically seen Cerber ransomware from the pseudoDarkleech campaign using Rig EK. PseudoDarkleech currently uses a variant of Rig EK that researcher Kafeine has designated as Rig-V, because it's a \"vip\" version that's evolved from the old Rig EK.\r\n\r\nEITest is another major campaign that utilizes EKs to distribute malware. Although EITest distributes a variety of malware, I'll occasionally see Cerber sent by this campaign."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58538ce3-601c-4716-bb6f-417b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-16T06:42:43.000Z",
"modified": "2016-12-16T06:42:43.000Z",
"description": "Rig-V from the EITest campaign",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.133.49.182']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-16T06:42:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58538ce4-7814-4334-8180-418102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-16T06:42:44.000Z",
"modified": "2016-12-16T06:42:44.000Z",
"description": "Rig-V from the EITest campaign",
"pattern": "[domain-name:value = 'hit.thincoachmd.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-16T06:42:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58538ce4-7bec-4498-b89a-445302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-16T06:42:44.000Z",
"modified": "2016-12-16T06:42:44.000Z",
"description": "Rig-V from the pseudoDarkleech campaign",
"pattern": "[domain-name:value = 'new.slimcoachmd.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-16T06:42:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58538ce5-3240-4327-bcc6-4e1a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-16T06:42:45.000Z",
"modified": "2016-12-16T06:42:45.000Z",
"description": "1.11.32.0 to 1.11.32.31 (1.11.32.0/27) UDP port 6892 - Cerber post-infection UDP traffic",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '1.11.32.0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-16T06:42:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58538ce6-3e80-4e94-8ab8-46fe02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-16T06:42:46.000Z",
"modified": "2016-12-16T06:42:46.000Z",
"description": "1.11.32.0 to 1.11.32.31 (1.11.32.0/27) UDP port 6892 - Cerber post-infection UDP traffic",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '55.15.15.0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-16T06:42:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58538ce8-2d7c-49ca-89ae-48bd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-16T06:42:48.000Z",
"modified": "2016-12-16T06:42:48.000Z",
"description": "194.165.16.0/23) UDP port 6892 - Cerber post-infection UDP traffic",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '194.165.16.0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-16T06:42:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58538cea-d9f0-4ef3-8d22-453e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-16T06:42:50.000Z",
"modified": "2016-12-16T06:42:50.000Z",
"description": "attempted HTTP connections by Cerber from pseudoDarkleech campaign",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.45.192.155']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-16T06:42:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58538cea-4fe0-4dca-b42e-450802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-16T06:42:50.000Z",
"modified": "2016-12-16T06:42:50.000Z",
"pattern": "[domain-name:value = 'ftoxmpdipwobp4qy.19dmua.top']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-16T06:42:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58538ceb-a834-43a4-aa47-4a9802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-16T06:42:51.000Z",
"modified": "2016-12-16T06:42:51.000Z",
"description": "attempted HTTP connections by Cerber from EITest campaign",
"pattern": "[domain-name:value = 'ffoqr3ug7m726zou.19dmua.top']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-16T06:42:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58538d21-bb20-4511-b10a-4a7402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-16T06:43:45.000Z",
"modified": "2016-12-16T06:43:45.000Z",
"description": "Rig-V Flash exploit seen on 2016-12-15",
"pattern": "[file:hashes.SHA256 = 'df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-16T06:43:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58538d8d-0888-4b53-a42a-4a4102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-16T06:45:33.000Z",
"modified": "2016-12-16T06:45:33.000Z",
"description": "C:\\Users\\[username]\\AppData\\Local\\Temp\\rad8AA1F.tmp.exe",
"pattern": "[file:hashes.SHA256 = '4e877be5523d5ab453342695fef1d03adb854d215bde2cff647421bd3d583060']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-16T06:45:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58538da1-7b68-45ed-abb7-436b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-16T06:45:53.000Z",
"modified": "2016-12-16T06:45:53.000Z",
"description": "C:\\Users\\[username]\\AppData\\Local\\Temp\\rad8DE79.tmp.exe",
"pattern": "[file:hashes.SHA256 = '0e395c547547a79bd29280ea7f918a0559058a58ffc789940ceb4caf7a708610']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-16T06:45:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58538dae-a6d8-4f69-bc5c-4fa502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-16T06:46:06.000Z",
"modified": "2016-12-16T06:46:06.000Z",
"first_observed": "2016-12-16T06:46:06Z",
"last_observed": "2016-12-16T06:46:06Z",
"number_observed": 1,
"object_refs": [
"url--58538dae-a6d8-4f69-bc5c-4fa502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58538dae-a6d8-4f69-bc5c-4fa502de0b81",
"value": "http://www.malware-traffic-analysis.net/2016/12/16/index.html"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58538dfd-53a0-4703-ad4e-4e0e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-16T06:47:25.000Z",
"modified": "2016-12-16T06:47:25.000Z",
"description": "Rig-V Flash exploit seen on 2016-12-15 - Xchecked via VT: df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf",
"pattern": "[file:hashes.SHA1 = '9284df1374b35d929f07e010e88b78a8495c0cfd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-16T06:47:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58538dfe-0c74-4137-aa72-4db102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-16T06:47:26.000Z",
"modified": "2016-12-16T06:47:26.000Z",
"description": "Rig-V Flash exploit seen on 2016-12-15 - Xchecked via VT: df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf",
"pattern": "[file:hashes.MD5 = '2b3e5fa9c8932e27531dd26dc92c81f8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-16T06:47:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58538dfe-0750-4380-83c4-448802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-16T06:47:26.000Z",
"modified": "2016-12-16T06:47:26.000Z",
"first_observed": "2016-12-16T06:47:26Z",
"last_observed": "2016-12-16T06:47:26Z",
"number_observed": 1,
"object_refs": [
"url--58538dfe-0750-4380-83c4-448802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58538dfe-0750-4380-83c4-448802de0b81",
"value": "https://www.virustotal.com/file/df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf/analysis/1481853351/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}