misp-circl-feed/feeds/circl/misp/585b9a80-9910-4d24-a695-4ac4950d210f.json

1424 lines
No EOL
62 KiB
JSON

{
"type": "bundle",
"id": "bundle--585b9a80-9910-4d24-a695-4ac4950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:28:54.000Z",
"modified": "2016-12-22T09:28:54.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--585b9a80-9910-4d24-a695-4ac4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:28:54.000Z",
"modified": "2016-12-22T09:28:54.000Z",
"name": "OSINT - New Linux/Rakos threat: devices and servers under SSH scan (again)",
"published": "2016-12-22T09:29:15Z",
"object_refs": [
"observed-data--585b9ab7-3758-4e28-8a36-420d950d210f",
"url--585b9ab7-3758-4e28-8a36-420d950d210f",
"x-misp-attribute--585b9acb-d250-4b85-9788-454d950d210f",
"indicator--585b9b48-e214-418d-a783-4282950d210f",
"indicator--585b9b49-9dbc-48f4-805c-4440950d210f",
"indicator--585b9b49-1e04-4b8b-bf8d-4094950d210f",
"indicator--585b9b4a-ac98-421e-9bad-4177950d210f",
"indicator--585b9b4a-1170-424a-a910-47e2950d210f",
"indicator--585b9b4b-e118-4029-acad-457c950d210f",
"indicator--585b9b4b-f3e4-4409-9055-4e76950d210f",
"indicator--585b9b4c-50fc-4127-8fe1-4124950d210f",
"indicator--585b9b4d-8288-425a-b8ee-4ca7950d210f",
"indicator--585b9b4d-db34-4230-90a2-4661950d210f",
"indicator--585b9b5f-495c-448d-bf2f-453a950d210f",
"indicator--585b9b5f-a210-4acc-afcb-4dc9950d210f",
"indicator--585b9b60-ad74-4c0d-9e30-4464950d210f",
"indicator--585b9b60-8f78-45ab-a703-42a7950d210f",
"indicator--585b9b61-2478-4795-8f7f-4fd7950d210f",
"indicator--585b9b62-9ef4-47e7-b2d5-42cc950d210f",
"indicator--585b9b62-8c0c-435b-bbf7-4be8950d210f",
"indicator--585b9b63-a688-4ec8-af50-4fe8950d210f",
"indicator--585b9b63-0f50-43f1-b3e2-4e46950d210f",
"indicator--585b9b64-2a68-480f-b9e2-4241950d210f",
"indicator--585b9b64-a638-4fe0-b8ea-4b4d950d210f",
"observed-data--585b9bb7-0e94-45e9-bc34-41d4950d210f",
"url--585b9bb7-0e94-45e9-bc34-41d4950d210f",
"indicator--585b9c37-6438-41d6-949a-47cd02de0b81",
"indicator--585b9c38-6028-4ccd-b272-463302de0b81",
"observed-data--585b9c38-f430-495f-9bdf-4cb802de0b81",
"url--585b9c38-f430-495f-9bdf-4cb802de0b81",
"indicator--585b9c39-5eac-4ab3-8d4d-46aa02de0b81",
"indicator--585b9c3a-7244-475b-ab43-4a9302de0b81",
"observed-data--585b9c3b-0fbc-42f5-93d8-43c902de0b81",
"url--585b9c3b-0fbc-42f5-93d8-43c902de0b81",
"indicator--585b9c3c-1334-426d-86a9-4aca02de0b81",
"indicator--585b9c3c-33b4-45ad-baee-4b5f02de0b81",
"observed-data--585b9c3d-a0d0-4704-9c9b-46d902de0b81",
"url--585b9c3d-a0d0-4704-9c9b-46d902de0b81",
"indicator--585b9c3e-5974-4d0d-89eb-4bb802de0b81",
"indicator--585b9c3e-c5c0-404a-9afb-41c602de0b81",
"observed-data--585b9c3f-5838-4479-af90-4fdf02de0b81",
"url--585b9c3f-5838-4479-af90-4fdf02de0b81",
"indicator--585b9c40-a4c4-45ee-a6ee-4d2d02de0b81",
"indicator--585b9c41-9ce4-4657-8bf7-4add02de0b81",
"observed-data--585b9c41-1c94-44e6-93f6-440b02de0b81",
"url--585b9c41-1c94-44e6-93f6-440b02de0b81",
"indicator--585b9c42-30e0-4919-b4cc-4bd902de0b81",
"indicator--585b9c43-b8f0-4bd5-9366-4f9502de0b81",
"observed-data--585b9c44-fad4-4ea6-a16a-4b6c02de0b81",
"url--585b9c44-fad4-4ea6-a16a-4b6c02de0b81",
"indicator--585b9c44-f7d0-4d5d-bb8b-417f02de0b81",
"indicator--585b9c45-e288-4c14-9377-4e3b02de0b81",
"observed-data--585b9c46-725c-4e0a-8f2a-41d802de0b81",
"url--585b9c46-725c-4e0a-8f2a-41d802de0b81",
"indicator--585b9c46-39d0-42e2-a244-41f802de0b81",
"indicator--585b9c47-89cc-4c82-8a7e-440802de0b81",
"observed-data--585b9c47-9508-4c02-b9dd-494402de0b81",
"url--585b9c47-9508-4c02-b9dd-494402de0b81",
"indicator--585b9c48-d588-436a-b429-45e802de0b81",
"indicator--585b9c49-9cf0-478b-96a0-4bbb02de0b81",
"observed-data--585b9c49-f154-4061-9dd2-418a02de0b81",
"url--585b9c49-f154-4061-9dd2-418a02de0b81",
"indicator--585b9c4a-c2c4-4696-9479-47cf02de0b81",
"indicator--585b9c4a-ba88-4e51-9f22-4bab02de0b81",
"observed-data--585b9c4b-5124-4940-b839-484202de0b81",
"url--585b9c4b-5124-4940-b839-484202de0b81",
"indicator--585b9cd6-d508-4a59-bc68-4d69950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"ms-caro-malware:malware-platform=\"Linux\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--585b9ab7-3758-4e28-8a36-420d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:19:51.000Z",
"modified": "2016-12-22T09:19:51.000Z",
"first_observed": "2016-12-22T09:19:51Z",
"last_observed": "2016-12-22T09:19:51Z",
"number_observed": 1,
"object_refs": [
"url--585b9ab7-3758-4e28-8a36-420d950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--585b9ab7-3758-4e28-8a36-420d950d210f",
"value": "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--585b9acb-d250-4b85-9788-454d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:20:11.000Z",
"modified": "2016-12-22T09:20:11.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Apparently, frustrated users complain more often recently on various forums about their embedded devices being overloaded with computing and network tasks. What these particular posts have in common is the name of the process causing the problem. It is executed from a temporary directory and disguised as a part of the Java framework, namely \u00e2\u20ac\u0153.javaxxx\u00e2\u20ac\u009d. Additional names like \u00e2\u20ac\u0153.swap\u00e2\u20ac\u009d or \u00e2\u20ac\u0153kworker\u00e2\u20ac\u009d are also used. A few weeks ago, we discussed the recent Mirai incidents and Mirai-connected IoT security problems in The Hive Mind: When IoT devices go rogue and all that was written then still holds true.\r\nAttack vector\r\n\r\nThe attack is performed via brute force attempts at SSH logins, in a similar way to that in which many Linux worms operate, including Linux/Moose (which spread by attacking Telnet logins) \u00e2\u20ac\u201c also referenced here \u00e2\u20ac\u201c as analyzed by ESET since last year. The targets include both embedded devices and servers with an open SSH port and where a very weak password has been set. The obvious aim of this trojan is to assemble a list of unsecured devices and to have an opportunity to create a botnet consisting of as many zombies as possible. The scan starts with not too extensive list of IPs and spreads incrementally to more targets. Only machines that represent low-hanging fruit from the security perspective are compromised. Note that victims reported cases when they had had a strong password but they forgot their device that had online service enabled and it was reverted to a default password after a factory reset. Just a couple of hours of online exposure was enough for such a reset machine to end up compromised!"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9b48-e214-418d-a783-4282950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:22:16.000Z",
"modified": "2016-12-22T09:22:16.000Z",
"description": "EM_X86_64 - 688",
"pattern": "[file:hashes.SHA1 = 'f80836349d6e97251030190ecd30dda0047f1ee6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:22:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9b49-9dbc-48f4-805c-4440950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:22:17.000Z",
"modified": "2016-12-22T09:22:17.000Z",
"description": "EM_X86_64 - 694",
"pattern": "[file:hashes.SHA1 = 'def04ec688ac6b41580dd3a6e78445b56536ba34']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:22:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9b49-1e04-4b8b-bf8d-4094950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:22:17.000Z",
"modified": "2016-12-22T09:22:17.000Z",
"description": "EM_X86_64 - 695",
"pattern": "[file:hashes.SHA1 = '3435ca5505ce8dfe8e1b22e0ebd4f41c60050cc0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:22:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9b4a-ac98-421e-9bad-4177950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:22:18.000Z",
"modified": "2016-12-22T09:22:18.000Z",
"description": "EM_X86_64\t- 697",
"pattern": "[file:hashes.SHA1 = 'e53c73fe6a552eab720e7ee685ea4e159ebd4fdd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:22:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9b4a-1170-424a-a910-47e2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:22:18.000Z",
"modified": "2016-12-22T09:22:18.000Z",
"description": "EM_X86_64 - 698",
"pattern": "[file:hashes.SHA1 = 'c93bddd9cdb4f2e185b54a4931257954e25e7c37']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:22:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9b4b-e118-4029-acad-457c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:22:19.000Z",
"modified": "2016-12-22T09:22:19.000Z",
"description": "EM_MIPS - ???",
"pattern": "[file:hashes.SHA1 = '14af6254d9ca310b4d52778d050cb8dd7a5de1d8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:22:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9b4b-f3e4-4409-9055-4e76950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:22:19.000Z",
"modified": "2016-12-22T09:22:19.000Z",
"description": "EM_386 - 700",
"pattern": "[file:hashes.SHA1 = 'c54d50025d9f66ce2ace3361a8626aee468d94ba']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:22:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9b4c-50fc-4127-8fe1-4124950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:22:20.000Z",
"modified": "2016-12-22T09:22:20.000Z",
"description": "EM_386 - 706",
"pattern": "[file:hashes.SHA1 = '36b2fffe98f517355425797fc242f2cb82271c0c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:22:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9b4d-8288-425a-b8ee-4ca7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:22:21.000Z",
"modified": "2016-12-22T09:22:21.000Z",
"description": "EM_386\t - 708",
"pattern": "[file:hashes.SHA1 = 'e46e8e5e823eb0466981afb7683fd918d6fe78a9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:22:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9b4d-db34-4230-90a2-4661950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:22:21.000Z",
"modified": "2016-12-22T09:22:21.000Z",
"description": "EM_386\t - 711",
"pattern": "[file:hashes.SHA1 = '0492e5c07c1426af9ce73ad33e00a3fd8477c6c2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:22:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9b5f-495c-448d-bf2f-453a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:22:39.000Z",
"modified": "2016-12-22T09:22:39.000Z",
"description": "C&C Servers",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '217.12.208.28']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:22:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9b5f-a210-4acc-afcb-4dc9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:22:39.000Z",
"modified": "2016-12-22T09:22:39.000Z",
"description": "C&C Servers",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '217.12.203.31']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:22:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9b60-ad74-4c0d-9e30-4464950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:22:40.000Z",
"modified": "2016-12-22T09:22:40.000Z",
"description": "C&C Servers",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '193.169.245.68']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:22:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9b60-8f78-45ab-a703-42a7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:22:40.000Z",
"modified": "2016-12-22T09:22:40.000Z",
"description": "C&C Servers",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '46.8.44.55']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:22:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9b61-2478-4795-8f7f-4fd7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:22:41.000Z",
"modified": "2016-12-22T09:22:41.000Z",
"description": "C&C Servers",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.123.210.100']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:22:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9b62-9ef4-47e7-b2d5-42cc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:22:41.000Z",
"modified": "2016-12-22T09:22:41.000Z",
"description": "C&C Servers",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.34.183.231']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:22:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9b62-8c0c-435b-bbf7-4be8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:22:42.000Z",
"modified": "2016-12-22T09:22:42.000Z",
"description": "C&C Servers",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.34.180.64']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:22:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9b63-a688-4ec8-af50-4fe8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:22:43.000Z",
"modified": "2016-12-22T09:22:43.000Z",
"description": "C&C Servers",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.82.216.125']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:22:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9b63-0f50-43f1-b3e2-4e46950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:22:43.000Z",
"modified": "2016-12-22T09:22:43.000Z",
"description": "C&C Servers",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.14.30.78']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:22:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9b64-2a68-480f-b9e2-4241950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:22:44.000Z",
"modified": "2016-12-22T09:22:44.000Z",
"description": "C&C Servers",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.14.29.65']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:22:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9b64-a638-4fe0-b8ea-4b4d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:22:44.000Z",
"modified": "2016-12-22T09:22:44.000Z",
"description": "C&C Servers",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.20.184.117']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:22:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--585b9bb7-0e94-45e9-bc34-41d4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:24:07.000Z",
"modified": "2016-12-22T09:24:07.000Z",
"first_observed": "2016-12-22T09:24:07Z",
"last_observed": "2016-12-22T09:24:07Z",
"number_observed": 1,
"object_refs": [
"url--585b9bb7-0e94-45e9-bc34-41d4950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--585b9bb7-0e94-45e9-bc34-41d4950d210f",
"value": "https://github.com/eset/malware-ioc/tree/master/rakos"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9c37-6438-41d6-949a-47cd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:15.000Z",
"modified": "2016-12-22T09:26:15.000Z",
"description": "EM_386\t - 711 - Xchecked via VT: 0492e5c07c1426af9ce73ad33e00a3fd8477c6c2",
"pattern": "[file:hashes.SHA256 = '62f875a31c5f8541a68176d03c3b9d6d0ee6fa90cf54307d7d07aed5fc573797']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:26:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9c38-6028-4ccd-b272-463302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:16.000Z",
"modified": "2016-12-22T09:26:16.000Z",
"description": "EM_386\t - 711 - Xchecked via VT: 0492e5c07c1426af9ce73ad33e00a3fd8477c6c2",
"pattern": "[file:hashes.MD5 = '7b88cf30540ab8df0ded406097c51b46']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:26:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--585b9c38-f430-495f-9bdf-4cb802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:16.000Z",
"modified": "2016-12-22T09:26:16.000Z",
"first_observed": "2016-12-22T09:26:16Z",
"last_observed": "2016-12-22T09:26:16Z",
"number_observed": 1,
"object_refs": [
"url--585b9c38-f430-495f-9bdf-4cb802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--585b9c38-f430-495f-9bdf-4cb802de0b81",
"value": "https://www.virustotal.com/file/62f875a31c5f8541a68176d03c3b9d6d0ee6fa90cf54307d7d07aed5fc573797/analysis/1481878860/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9c39-5eac-4ab3-8d4d-46aa02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:17.000Z",
"modified": "2016-12-22T09:26:17.000Z",
"description": "EM_386\t - 708 - Xchecked via VT: e46e8e5e823eb0466981afb7683fd918d6fe78a9",
"pattern": "[file:hashes.SHA256 = '90cd3e16d6d0069e758bb7c1ec929354be24f52857bd77fdd246e20e4aaca75d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:26:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9c3a-7244-475b-ab43-4a9302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:18.000Z",
"modified": "2016-12-22T09:26:18.000Z",
"description": "EM_386\t - 708 - Xchecked via VT: e46e8e5e823eb0466981afb7683fd918d6fe78a9",
"pattern": "[file:hashes.MD5 = 'ca21c63269febcfe73fec9e1041ed903']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:26:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--585b9c3b-0fbc-42f5-93d8-43c902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:19.000Z",
"modified": "2016-12-22T09:26:19.000Z",
"first_observed": "2016-12-22T09:26:19Z",
"last_observed": "2016-12-22T09:26:19Z",
"number_observed": 1,
"object_refs": [
"url--585b9c3b-0fbc-42f5-93d8-43c902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--585b9c3b-0fbc-42f5-93d8-43c902de0b81",
"value": "https://www.virustotal.com/file/90cd3e16d6d0069e758bb7c1ec929354be24f52857bd77fdd246e20e4aaca75d/analysis/1481878661/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9c3c-1334-426d-86a9-4aca02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:20.000Z",
"modified": "2016-12-22T09:26:20.000Z",
"description": "EM_386 - 706 - Xchecked via VT: 36b2fffe98f517355425797fc242f2cb82271c0c",
"pattern": "[file:hashes.SHA256 = '2a77e8d43b347c4ccf80271493eedf7b7b7f45d1e30e818e321657cf9a14f1d9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:26:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9c3c-33b4-45ad-baee-4b5f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:20.000Z",
"modified": "2016-12-22T09:26:20.000Z",
"description": "EM_386 - 706 - Xchecked via VT: 36b2fffe98f517355425797fc242f2cb82271c0c",
"pattern": "[file:hashes.MD5 = '96c5ec03c20491389a240ead5cbd72fe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:26:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--585b9c3d-a0d0-4704-9c9b-46d902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:21.000Z",
"modified": "2016-12-22T09:26:21.000Z",
"first_observed": "2016-12-22T09:26:21Z",
"last_observed": "2016-12-22T09:26:21Z",
"number_observed": 1,
"object_refs": [
"url--585b9c3d-a0d0-4704-9c9b-46d902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--585b9c3d-a0d0-4704-9c9b-46d902de0b81",
"value": "https://www.virustotal.com/file/2a77e8d43b347c4ccf80271493eedf7b7b7f45d1e30e818e321657cf9a14f1d9/analysis/1482355624/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9c3e-5974-4d0d-89eb-4bb802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:22.000Z",
"modified": "2016-12-22T09:26:22.000Z",
"description": "EM_386 - 700 - Xchecked via VT: c54d50025d9f66ce2ace3361a8626aee468d94ba",
"pattern": "[file:hashes.SHA256 = 'efedce38a1908a27115e05b3e62fab52f68fae2db5ae1c50c455f007f964c6d2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:26:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9c3e-c5c0-404a-9afb-41c602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:22.000Z",
"modified": "2016-12-22T09:26:22.000Z",
"description": "EM_386 - 700 - Xchecked via VT: c54d50025d9f66ce2ace3361a8626aee468d94ba",
"pattern": "[file:hashes.MD5 = 'ce12f465f353bb1b64f790a5e4cd45af']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:26:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--585b9c3f-5838-4479-af90-4fdf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:23.000Z",
"modified": "2016-12-22T09:26:23.000Z",
"first_observed": "2016-12-22T09:26:23Z",
"last_observed": "2016-12-22T09:26:23Z",
"number_observed": 1,
"object_refs": [
"url--585b9c3f-5838-4479-af90-4fdf02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--585b9c3f-5838-4479-af90-4fdf02de0b81",
"value": "https://www.virustotal.com/file/efedce38a1908a27115e05b3e62fab52f68fae2db5ae1c50c455f007f964c6d2/analysis/1482355624/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9c40-a4c4-45ee-a6ee-4d2d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:24.000Z",
"modified": "2016-12-22T09:26:24.000Z",
"description": "EM_MIPS - ??? - Xchecked via VT: 14af6254d9ca310b4d52778d050cb8dd7a5de1d8",
"pattern": "[file:hashes.SHA256 = 'a7ce7dc40bb8abf835efae5ebacc82cb8af2cc57b5021f0d28dc14924022c85d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:26:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9c41-9ce4-4657-8bf7-4add02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:25.000Z",
"modified": "2016-12-22T09:26:25.000Z",
"description": "EM_MIPS - ??? - Xchecked via VT: 14af6254d9ca310b4d52778d050cb8dd7a5de1d8",
"pattern": "[file:hashes.MD5 = '9a0ea27a15899e47bfe6fcc7c9df36c6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:26:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--585b9c41-1c94-44e6-93f6-440b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:25.000Z",
"modified": "2016-12-22T09:26:25.000Z",
"first_observed": "2016-12-22T09:26:25Z",
"last_observed": "2016-12-22T09:26:25Z",
"number_observed": 1,
"object_refs": [
"url--585b9c41-1c94-44e6-93f6-440b02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--585b9c41-1c94-44e6-93f6-440b02de0b81",
"value": "https://www.virustotal.com/file/a7ce7dc40bb8abf835efae5ebacc82cb8af2cc57b5021f0d28dc14924022c85d/analysis/1482355624/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9c42-30e0-4919-b4cc-4bd902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:26.000Z",
"modified": "2016-12-22T09:26:26.000Z",
"description": "EM_X86_64 - 698 - Xchecked via VT: c93bddd9cdb4f2e185b54a4931257954e25e7c37",
"pattern": "[file:hashes.SHA256 = 'd59ffe12b75f596a4a30074690f96497800a6ed97be8248c573e4048adac7e05']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:26:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9c43-b8f0-4bd5-9366-4f9502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:27.000Z",
"modified": "2016-12-22T09:26:27.000Z",
"description": "EM_X86_64 - 698 - Xchecked via VT: c93bddd9cdb4f2e185b54a4931257954e25e7c37",
"pattern": "[file:hashes.MD5 = 'eedab74ca1303647ade4fb0b0b588a36']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:26:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--585b9c44-fad4-4ea6-a16a-4b6c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:28.000Z",
"modified": "2016-12-22T09:26:28.000Z",
"first_observed": "2016-12-22T09:26:28Z",
"last_observed": "2016-12-22T09:26:28Z",
"number_observed": 1,
"object_refs": [
"url--585b9c44-fad4-4ea6-a16a-4b6c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--585b9c44-fad4-4ea6-a16a-4b6c02de0b81",
"value": "https://www.virustotal.com/file/d59ffe12b75f596a4a30074690f96497800a6ed97be8248c573e4048adac7e05/analysis/1482355623/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9c44-f7d0-4d5d-bb8b-417f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:28.000Z",
"modified": "2016-12-22T09:26:28.000Z",
"description": "EM_X86_64\t- 697 - Xchecked via VT: e53c73fe6a552eab720e7ee685ea4e159ebd4fdd",
"pattern": "[file:hashes.SHA256 = '3fe9e1e0a2e626ef10cc443ec1725a8c17cbfa323864e0eb9359399177998470']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:26:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9c45-e288-4c14-9377-4e3b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:29.000Z",
"modified": "2016-12-22T09:26:29.000Z",
"description": "EM_X86_64\t- 697 - Xchecked via VT: e53c73fe6a552eab720e7ee685ea4e159ebd4fdd",
"pattern": "[file:hashes.MD5 = '19705141888917dddda4cac32ec8b6fc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:26:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--585b9c46-725c-4e0a-8f2a-41d802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:30.000Z",
"modified": "2016-12-22T09:26:30.000Z",
"first_observed": "2016-12-22T09:26:30Z",
"last_observed": "2016-12-22T09:26:30Z",
"number_observed": 1,
"object_refs": [
"url--585b9c46-725c-4e0a-8f2a-41d802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--585b9c46-725c-4e0a-8f2a-41d802de0b81",
"value": "https://www.virustotal.com/file/3fe9e1e0a2e626ef10cc443ec1725a8c17cbfa323864e0eb9359399177998470/analysis/1482355623/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9c46-39d0-42e2-a244-41f802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:30.000Z",
"modified": "2016-12-22T09:26:30.000Z",
"description": "EM_X86_64 - 695 - Xchecked via VT: 3435ca5505ce8dfe8e1b22e0ebd4f41c60050cc0",
"pattern": "[file:hashes.SHA256 = 'd731ccb407a924ca56fa9b3690e0b7debd1cce61c6de8ec63ede3a992c8af33e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:26:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9c47-89cc-4c82-8a7e-440802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:31.000Z",
"modified": "2016-12-22T09:26:31.000Z",
"description": "EM_X86_64 - 695 - Xchecked via VT: 3435ca5505ce8dfe8e1b22e0ebd4f41c60050cc0",
"pattern": "[file:hashes.MD5 = '1c672ba32e481faeccade0ad43ea5a08']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:26:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--585b9c47-9508-4c02-b9dd-494402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:31.000Z",
"modified": "2016-12-22T09:26:31.000Z",
"first_observed": "2016-12-22T09:26:31Z",
"last_observed": "2016-12-22T09:26:31Z",
"number_observed": 1,
"object_refs": [
"url--585b9c47-9508-4c02-b9dd-494402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--585b9c47-9508-4c02-b9dd-494402de0b81",
"value": "https://www.virustotal.com/file/d731ccb407a924ca56fa9b3690e0b7debd1cce61c6de8ec63ede3a992c8af33e/analysis/1482355623/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9c48-d588-436a-b429-45e802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:32.000Z",
"modified": "2016-12-22T09:26:32.000Z",
"description": "EM_X86_64 - 694 - Xchecked via VT: def04ec688ac6b41580dd3a6e78445b56536ba34",
"pattern": "[file:hashes.SHA256 = '83160da5a4cb335ea2a9a72bc96c833cd7eab9df96a61c1d6f01e13668046b25']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:26:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9c49-9cf0-478b-96a0-4bbb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:33.000Z",
"modified": "2016-12-22T09:26:33.000Z",
"description": "EM_X86_64 - 694 - Xchecked via VT: def04ec688ac6b41580dd3a6e78445b56536ba34",
"pattern": "[file:hashes.MD5 = '4416e7bfbfa7318f10c8c08cff3fce5d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:26:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--585b9c49-f154-4061-9dd2-418a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:33.000Z",
"modified": "2016-12-22T09:26:33.000Z",
"first_observed": "2016-12-22T09:26:33Z",
"last_observed": "2016-12-22T09:26:33Z",
"number_observed": 1,
"object_refs": [
"url--585b9c49-f154-4061-9dd2-418a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--585b9c49-f154-4061-9dd2-418a02de0b81",
"value": "https://www.virustotal.com/file/83160da5a4cb335ea2a9a72bc96c833cd7eab9df96a61c1d6f01e13668046b25/analysis/1482355623/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9c4a-c2c4-4696-9479-47cf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:34.000Z",
"modified": "2016-12-22T09:26:34.000Z",
"description": "EM_X86_64 - 688 - Xchecked via VT: f80836349d6e97251030190ecd30dda0047f1ee6",
"pattern": "[file:hashes.SHA256 = 'ce4bb2ce2bf66ab721b808acf9d74a7a8afddd03cbaa6aa56c7788ff7b7251bb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:26:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9c4a-ba88-4e51-9f22-4bab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:34.000Z",
"modified": "2016-12-22T09:26:34.000Z",
"description": "EM_X86_64 - 688 - Xchecked via VT: f80836349d6e97251030190ecd30dda0047f1ee6",
"pattern": "[file:hashes.MD5 = '841eac692e4c5fb09f18c229c59a3fcb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:26:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--585b9c4b-5124-4940-b839-484202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:26:35.000Z",
"modified": "2016-12-22T09:26:35.000Z",
"first_observed": "2016-12-22T09:26:35Z",
"last_observed": "2016-12-22T09:26:35Z",
"number_observed": 1,
"object_refs": [
"url--585b9c4b-5124-4940-b839-484202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--585b9c4b-5124-4940-b839-484202de0b81",
"value": "https://www.virustotal.com/file/ce4bb2ce2bf66ab721b808acf9d74a7a8afddd03cbaa6aa56c7788ff7b7251bb/analysis/1482247676/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--585b9cd6-d508-4a59-bc68-4d69950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-22T09:28:54.000Z",
"modified": "2016-12-22T09:28:54.000Z",
"pattern": "[rule linux_rakos\r\n{\r\n meta:\r\n description = \"Linux/Rakos.A executable\"\r\n author = \"Peter K\u00c3\u00a1lnai\"\r\n date = \"2016-12-13\"\r\n reference = \"http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/\"\r\n version = \"1\"\r\n contact = \"threatintel@eset.com\"\r\n license = \"BSD 2-Clause\"\r\n\r\n\r\n strings:\r\n $ = \"upgrade/vars.yaml\"\r\n $ = \"MUTTER\"\r\n $ = \"/tmp/.javaxxx\"\r\n $ = \"uckmydi\"\r\n\r\n condition:\r\n 3 of them\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2016-12-22T09:28:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}