misp-circl-feed/feeds/circl/misp/596724b6-83dc-417f-962a-4cc8950d210f.json

307 lines
No EOL
13 KiB
JSON

{
"type": "bundle",
"id": "bundle--596724b6-83dc-417f-962a-4cc8950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-13T08:17:31.000Z",
"modified": "2017-07-13T08:17:31.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--596724b6-83dc-417f-962a-4cc8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-13T08:17:31.000Z",
"modified": "2017-07-13T08:17:31.000Z",
"name": "OSINT - LockPoS Joins the Flock",
"published": "2017-07-13T08:17:56Z",
"object_refs": [
"observed-data--5967252b-5fe0-4a7d-8d4d-44ff950d210f",
"url--5967252b-5fe0-4a7d-8d4d-44ff950d210f",
"x-misp-attribute--5967254e-9ac8-45bc-8b14-417b950d210f",
"x-misp-attribute--59672c22-9c8c-4123-a747-4ad1950d210f",
"indicator--59672c3f-6678-412c-a543-436b950d210f",
"indicator--59672c67-e798-4996-9533-45a1950d210f",
"indicator--59672c87-d8d0-4cf5-92ac-427002de0b81",
"indicator--59672c87-8068-45a5-8285-472102de0b81",
"observed-data--59672c88-e380-4b6f-9a68-4ec202de0b81",
"url--59672c88-e380-4b6f-9a68-4ec202de0b81",
"indicator--59672c88-67fc-4e04-9113-4f1302de0b81",
"indicator--59672c88-c918-456d-b4d4-4ab202de0b81",
"observed-data--59672c88-d000-4c09-b3e8-464002de0b81",
"url--59672c88-d000-4c09-b3e8-464002de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5967252b-5fe0-4a7d-8d4d-44ff950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-13T08:17:31.000Z",
"modified": "2017-07-13T08:17:31.000Z",
"first_observed": "2017-07-13T08:17:31Z",
"last_observed": "2017-07-13T08:17:31Z",
"number_observed": 1,
"object_refs": [
"url--5967252b-5fe0-4a7d-8d4d-44ff950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5967252b-5fe0-4a7d-8d4d-44ff950d210f",
"value": "https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5967254e-9ac8-45bc-8b14-417b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-13T08:17:31.000Z",
"modified": "2017-07-13T08:17:31.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "While revisiting a Flokibot campaign that was targeting point of sale (PoS) systems in Brazil earlier this year, we discovered something interesting. One of the command and control (C2) servers that had been dormant for quite some time had suddenly woken up and started distributing what looks to be a new PoS malware family we\u00e2\u20ac\u2122re calling LockPoS. This post opens the lock up and takes a look inside."
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59672c22-9c8c-4123-a747-4ad1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-13T08:17:11.000Z",
"modified": "2017-07-13T08:17:11.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_type": "pdb",
"x_misp_value": "%USERPROFILE%\\Desktop\\key\\dropper\\Release\\dropper.pdb"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59672c3f-6678-412c-a543-436b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-13T08:17:11.000Z",
"modified": "2017-07-13T08:17:11.000Z",
"pattern": "[file:hashes.SHA256 = 'a970842fc7c221fade06c54551c000c0bc494e9e188deb9c570be7c6f95284fa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-13T08:17:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59672c67-e798-4996-9533-45a1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-13T08:17:11.000Z",
"modified": "2017-07-13T08:17:11.000Z",
"pattern": "[file:hashes.SHA256 = '93c11f9b87b2b04f8dadb6a579e2046a69073a244fd4a71a10b1f1fbff36c488']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-13T08:17:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59672c87-d8d0-4cf5-92ac-427002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-13T08:17:11.000Z",
"modified": "2017-07-13T08:17:11.000Z",
"description": "- Xchecked via VT: a970842fc7c221fade06c54551c000c0bc494e9e188deb9c570be7c6f95284fa",
"pattern": "[file:hashes.SHA1 = 'f9484baf6f7194248a388d41dfd06543b3dc5d26']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-13T08:17:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59672c87-8068-45a5-8285-472102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-13T08:17:11.000Z",
"modified": "2017-07-13T08:17:11.000Z",
"description": "- Xchecked via VT: a970842fc7c221fade06c54551c000c0bc494e9e188deb9c570be7c6f95284fa",
"pattern": "[file:hashes.MD5 = '624f84a9d8979789c630327a6b08c7c6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-13T08:17:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59672c88-e380-4b6f-9a68-4ec202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-13T08:17:12.000Z",
"modified": "2017-07-13T08:17:12.000Z",
"first_observed": "2017-07-13T08:17:12Z",
"last_observed": "2017-07-13T08:17:12Z",
"number_observed": 1,
"object_refs": [
"url--59672c88-e380-4b6f-9a68-4ec202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59672c88-e380-4b6f-9a68-4ec202de0b81",
"value": "https://www.virustotal.com/file/a970842fc7c221fade06c54551c000c0bc494e9e188deb9c570be7c6f95284fa/analysis/1499924910/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59672c88-67fc-4e04-9113-4f1302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-13T08:17:12.000Z",
"modified": "2017-07-13T08:17:12.000Z",
"description": "- Xchecked via VT: 93c11f9b87b2b04f8dadb6a579e2046a69073a244fd4a71a10b1f1fbff36c488",
"pattern": "[file:hashes.SHA1 = '419311da2ef6b2a9ca27dba3241a0d62a4e25848']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-13T08:17:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59672c88-c918-456d-b4d4-4ab202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-13T08:17:12.000Z",
"modified": "2017-07-13T08:17:12.000Z",
"description": "- Xchecked via VT: 93c11f9b87b2b04f8dadb6a579e2046a69073a244fd4a71a10b1f1fbff36c488",
"pattern": "[file:hashes.MD5 = '3d0f6367f1fedfc08734b35200c7abf9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-13T08:17:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59672c88-d000-4c09-b3e8-464002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-13T08:17:12.000Z",
"modified": "2017-07-13T08:17:12.000Z",
"first_observed": "2017-07-13T08:17:12Z",
"last_observed": "2017-07-13T08:17:12Z",
"number_observed": 1,
"object_refs": [
"url--59672c88-d000-4c09-b3e8-464002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59672c88-d000-4c09-b3e8-464002de0b81",
"value": "https://www.virustotal.com/file/93c11f9b87b2b04f8dadb6a579e2046a69073a244fd4a71a10b1f1fbff36c488/analysis/1499919639/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}