{
"type": "bundle",
"id": "bundle--587fc1b5-fd10-42e7-8184-637702de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:33:59.000Z",
"modified": "2017-01-18T19:33:59.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--587fc1b5-fd10-42e7-8184-637702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:33:59.000Z",
"modified": "2017-01-18T19:33:59.000Z",
"name": "OSINT - New Mac backdoor using antiquated code",
"published": "2017-01-18T19:35:00Z",
"object_refs": [
"x-misp-attribute--587fc232-0348-4488-a667-45b502de0b81",
"observed-data--587fc240-a794-46ce-ac59-4b0a02de0b81",
"url--587fc240-a794-46ce-ac59-4b0a02de0b81",
"indicator--587fc25c-5fe0-40f7-84df-638002de0b81",
"indicator--587fc25d-0a48-44dc-a196-638002de0b81",
"indicator--587fc272-e8ac-4372-83b6-4b2402de0b81",
"indicator--587fc273-ecb8-47bc-ba0d-4aa102de0b81",
"indicator--587fc2a4-29fc-4bd5-bf7a-637a02de0b81",
"indicator--587fc2c0-2688-4d0a-8264-637f02de0b81",
"indicator--587fc2e0-9bec-4f9e-ade8-b06d02de0b81",
"indicator--587fc2e1-bcbc-4de8-a6d6-b06d02de0b81",
"x-misp-attribute--587fc2fd-7a88-4b6d-afb0-b06b02de0b81",
"indicator--587fc327-b678-4803-b15f-b06d02de0b81",
"indicator--587fc327-ffb8-420f-9174-b06d02de0b81",
"observed-data--587fc328-feec-43dc-800c-b06d02de0b81",
"url--587fc328-feec-43dc-800c-b06d02de0b81",
"indicator--587fc329-9298-4b1c-ac87-b06d02de0b81",
"indicator--587fc32a-4528-458c-91a0-b06d02de0b81",
"observed-data--587fc32a-60a0-48d1-89d1-b06d02de0b81",
"url--587fc32a-60a0-48d1-89d1-b06d02de0b81",
"indicator--587fc32b-fcdc-4cec-b22d-b06d02de0b81",
"indicator--587fc32c-27ec-4800-bc47-b06d02de0b81",
"observed-data--587fc32d-132c-4c51-9085-b06d02de0b81",
"url--587fc32d-132c-4c51-9085-b06d02de0b81",
"indicator--587fc32d-c1e0-4edb-8e5d-b06d02de0b81",
"indicator--587fc32e-7b7c-4acc-a7d4-b06d02de0b81",
"observed-data--587fc32f-b3c8-442a-9cda-b06d02de0b81",
"url--587fc32f-b3c8-442a-9cda-b06d02de0b81",
"indicator--587fc330-7248-49ef-ae67-b06d02de0b81",
"indicator--587fc330-2b6c-4b22-bc05-b06d02de0b81",
"observed-data--587fc331-05c4-482c-ad41-b06d02de0b81",
"url--587fc331-05c4-482c-ad41-b06d02de0b81",
"indicator--587fc332-6d4c-4786-a7d2-b06d02de0b81",
"indicator--587fc332-1ae4-4394-8893-b06d02de0b81",
"observed-data--587fc333-f574-41dc-9c50-b06d02de0b81",
"url--587fc333-f574-41dc-9c50-b06d02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"ms-caro-malware:malware-platform=\"MacOS_X\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--587fc232-0348-4488-a667-45b502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:29:54.000Z",
"modified": "2017-01-18T19:29:54.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "The first Mac malware of 2017 was brought to my attention by an IT admin, who spotted some strange outgoing network traffic from a particular Mac. This led to the discovery of a piece of malware unlike anything I\u2019ve seen before, which appears to have actually been in existence, undetected, for some time, and which seems to be targeting biomedical research centers."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--587fc240-a794-46ce-ac59-4b0a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:30:08.000Z",
"modified": "2017-01-18T19:30:08.000Z",
"first_observed": "2017-01-18T19:30:08Z",
"last_observed": "2017-01-18T19:30:08Z",
"number_observed": 1,
"object_refs": [
"url--587fc240-a794-46ce-ac59-4b0a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--587fc240-a794-46ce-ac59-4b0a02de0b81",
"value": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587fc25c-5fe0-40f7-84df-638002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:30:36.000Z",
"modified": "2017-01-18T19:30:36.000Z",
"description": "~/.client",
"pattern": "[file:hashes.SHA256 = 'ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-18T19:30:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587fc25d-0a48-44dc-a196-638002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:30:37.000Z",
"modified": "2017-01-18T19:30:37.000Z",
"description": "~/Library/LaunchAgents/com.client.client.plist",
"pattern": "[file:hashes.SHA256 = '83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-18T19:30:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587fc272-e8ac-4372-83b6-4b2402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:30:58.000Z",
"modified": "2017-01-18T19:30:58.000Z",
"description": "The perl script, among other things, communicates with the following command and control (C&C) servers:",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '99.153.29.240']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-18T19:30:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587fc273-ecb8-47bc-ba0d-4aa102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:30:59.000Z",
"modified": "2017-01-18T19:30:59.000Z",
"description": "The perl script, among other things, communicates with the following command and control (C&C) servers:",
"pattern": "[domain-name:value = 'eidk.hopto.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-18T19:30:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587fc2a4-29fc-4bd5-bf7a-637a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:31:48.000Z",
"modified": "2017-01-18T19:31:48.000Z",
"description": "afpscan - Another file downloaded from the C&C server was named \u201cafpscan\u201d, and it seems to try to connect to other devices on the network",
"pattern": "[file:hashes.SHA256 = 'bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-18T19:31:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587fc2c0-2688-4d0a-8264-637f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:32:16.000Z",
"modified": "2017-01-18T19:32:16.000Z",
"description": "quimitchin-java-class We also observed the malware downloading a perl script, named \u201cmacsvc\u201d,",
"pattern": "[file:hashes.SHA256 = 'b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-18T19:32:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587fc2e0-9bec-4f9e-ade8-b06d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:32:48.000Z",
"modified": "2017-01-18T19:32:48.000Z",
"description": "We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names.",
"pattern": "[file:hashes.SHA256 = '94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-18T19:32:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587fc2e1-bcbc-4de8-a6d6-b06d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:32:49.000Z",
"modified": "2017-01-18T19:32:49.000Z",
"description": "We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names.",
"pattern": "[file:hashes.SHA256 = '694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-18T19:32:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--587fc2fd-7a88-4b6d-afb0-b06b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:33:17.000Z",
"modified": "2017-01-18T19:33:17.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Antivirus detection\""
],
"x_misp_category": "Antivirus detection",
"x_misp_type": "text",
"x_misp_value": "OSX.Backdoor.Quimitchin"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587fc327-b678-4803-b15f-b06d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:33:59.000Z",
"modified": "2017-01-18T19:33:59.000Z",
"description": "~/.client - Xchecked via VT: ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044",
"pattern": "[file:hashes.SHA1 = '18957d7549b4e296fcaeb122ff241d9799804fa3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-18T19:33:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587fc327-ffb8-420f-9174-b06d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:33:59.000Z",
"modified": "2017-01-18T19:33:59.000Z",
"description": "~/.client - Xchecked via VT: ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044",
"pattern": "[file:hashes.MD5 = 'e4744b9f927dc8048a19dca15590660c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-18T19:33:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--587fc328-feec-43dc-800c-b06d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:34:00.000Z",
"modified": "2017-01-18T19:34:00.000Z",
"first_observed": "2017-01-18T19:34:00Z",
"last_observed": "2017-01-18T19:34:00Z",
"number_observed": 1,
"object_refs": [
"url--587fc328-feec-43dc-800c-b06d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--587fc328-feec-43dc-800c-b06d02de0b81",
"value": "https://www.virustotal.com/file/ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044/analysis/1484569121/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587fc329-9298-4b1c-ac87-b06d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:34:01.000Z",
"modified": "2017-01-18T19:34:01.000Z",
"description": "~/Library/LaunchAgents/com.client.client.plist - Xchecked via VT: 83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3",
"pattern": "[file:hashes.SHA1 = 'cd42b88569faa946a4b9d6f7408b958dcbcf7554']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-18T19:34:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587fc32a-4528-458c-91a0-b06d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:34:02.000Z",
"modified": "2017-01-18T19:34:02.000Z",
"description": "~/Library/LaunchAgents/com.client.client.plist - Xchecked via VT: 83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3",
"pattern": "[file:hashes.MD5 = '9d9cca200dd0e5f9d59225131d5269b0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-18T19:34:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--587fc32a-60a0-48d1-89d1-b06d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:34:02.000Z",
"modified": "2017-01-18T19:34:02.000Z",
"first_observed": "2017-01-18T19:34:02Z",
"last_observed": "2017-01-18T19:34:02Z",
"number_observed": 1,
"object_refs": [
"url--587fc32a-60a0-48d1-89d1-b06d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--587fc32a-60a0-48d1-89d1-b06d02de0b81",
"value": "https://www.virustotal.com/file/83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3/analysis/1484177653/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587fc32b-fcdc-4cec-b22d-b06d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:34:03.000Z",
"modified": "2017-01-18T19:34:03.000Z",
"description": "afpscan - Another file downloaded from the C&C server was named \u201cafpscan\u201d, and it seems to try to connect to other devices on the network - Xchecked via VT: bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55",
"pattern": "[file:hashes.SHA1 = '66e520e18accd92abb4722a6cd6a285981ac5bd1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-18T19:34:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587fc32c-27ec-4800-bc47-b06d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:34:04.000Z",
"modified": "2017-01-18T19:34:04.000Z",
"description": "afpscan - Another file downloaded from the C&C server was named \u201cafpscan\u201d, and it seems to try to connect to other devices on the network - Xchecked via VT: bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55",
"pattern": "[file:hashes.MD5 = '7bb4f5d962a5b3bb18db9ce08c0b6cbf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-18T19:34:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--587fc32d-132c-4c51-9085-b06d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:34:05.000Z",
"modified": "2017-01-18T19:34:05.000Z",
"first_observed": "2017-01-18T19:34:05Z",
"last_observed": "2017-01-18T19:34:05Z",
"number_observed": 1,
"object_refs": [
"url--587fc32d-132c-4c51-9085-b06d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--587fc32d-132c-4c51-9085-b06d02de0b81",
"value": "https://www.virustotal.com/file/bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55/analysis/1484082473/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587fc32d-c1e0-4edb-8e5d-b06d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:34:05.000Z",
"modified": "2017-01-18T19:34:05.000Z",
"description": "quimitchin-java-class We also observed the malware downloading a perl script, named \u201cmacsvc\u201d, - Xchecked via VT: b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0",
"pattern": "[file:hashes.SHA1 = '3c4904832392e70e415b0520d45ff7a1c93c2c4e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-18T19:34:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587fc32e-7b7c-4acc-a7d4-b06d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:34:06.000Z",
"modified": "2017-01-18T19:34:06.000Z",
"description": "quimitchin-java-class We also observed the malware downloading a perl script, named \u201cmacsvc\u201d, - Xchecked via VT: b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0",
"pattern": "[file:hashes.MD5 = 'f8e3c8e43593ecbd9b62f6e18c8d6474']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-18T19:34:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--587fc32f-b3c8-442a-9cda-b06d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:34:07.000Z",
"modified": "2017-01-18T19:34:07.000Z",
"first_observed": "2017-01-18T19:34:07Z",
"last_observed": "2017-01-18T19:34:07Z",
"number_observed": 1,
"object_refs": [
"url--587fc32f-b3c8-442a-9cda-b06d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--587fc32f-b3c8-442a-9cda-b06d02de0b81",
"value": "https://www.virustotal.com/file/b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0/analysis/1484326500/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587fc330-7248-49ef-ae67-b06d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:34:08.000Z",
"modified": "2017-01-18T19:34:08.000Z",
"description": "We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names. - Xchecked via VT: 94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647",
"pattern": "[file:hashes.SHA1 = '03ab5fdb40db260dbc35aadba202e920e57eb348']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-18T19:34:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587fc330-2b6c-4b22-bc05-b06d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:34:08.000Z",
"modified": "2017-01-18T19:34:08.000Z",
"description": "We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names. - Xchecked via VT: 94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647",
"pattern": "[file:hashes.MD5 = '3adf6025eb710f2bf1918ee2f116153d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-18T19:34:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--587fc331-05c4-482c-ad41-b06d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:34:09.000Z",
"modified": "2017-01-18T19:34:09.000Z",
"first_observed": "2017-01-18T19:34:09Z",
"last_observed": "2017-01-18T19:34:09Z",
"number_observed": 1,
"object_refs": [
"url--587fc331-05c4-482c-ad41-b06d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--587fc331-05c4-482c-ad41-b06d02de0b81",
"value": "https://www.virustotal.com/file/94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647/analysis/1484177008/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587fc332-6d4c-4786-a7d2-b06d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:34:10.000Z",
"modified": "2017-01-18T19:34:10.000Z",
"description": "We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names. - Xchecked via VT: 694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26",
"pattern": "[file:hashes.SHA1 = '1e493ebde7fa77d5ae503aa7758fac87d11da116']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-18T19:34:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587fc332-1ae4-4394-8893-b06d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:34:10.000Z",
"modified": "2017-01-18T19:34:10.000Z",
"description": "We were able to locate a couple Windows executable files on VirusTotal that communicate with the same C&C server. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O binary. Each of these samples were only ever submitted to VirusTotal once, in June and July of 2013, and are only detected by a few engines under generic names. - Xchecked via VT: 694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26",
"pattern": "[file:hashes.MD5 = 'd4a14a1516d5ec9452a29de24ba85d0e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-18T19:34:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--587fc333-f574-41dc-9c50-b06d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-18T19:34:11.000Z",
"modified": "2017-01-18T19:34:11.000Z",
"first_observed": "2017-01-18T19:34:11Z",
"last_observed": "2017-01-18T19:34:11Z",
"number_observed": 1,
"object_refs": [
"url--587fc333-f574-41dc-9c50-b06d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--587fc333-f574-41dc-9c50-b06d02de0b81",
"value": "https://www.virustotal.com/file/694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26/analysis/1484177158/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}