misp-circl-feed/feeds/circl/misp/597e0ba4-29e0-4ae1-a8a3-ae4f02de0b81.json

233 lines
No EOL
10 KiB
JSON

{
"type": "bundle",
"id": "bundle--597e0ba4-29e0-4ae1-a8a3-ae4f02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-30T16:54:23.000Z",
"modified": "2017-07-30T16:54:23.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--597e0ba4-29e0-4ae1-a8a3-ae4f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-30T16:54:23.000Z",
"modified": "2017-07-30T16:54:23.000Z",
"name": "OSINT - CowerSnail, from the creators of SambaCry",
"published": "2017-07-30T16:54:50Z",
"object_refs": [
"x-misp-attribute--597e0bba-9014-4e8e-b49d-48e4950d210f",
"indicator--597e0bd7-c6f8-4476-b5fb-4b8902de0b81",
"indicator--597e0beb-d978-430e-9a7b-425302de0b81",
"indicator--597e0dd9-2cc0-4c1d-a9e9-43a502de0b81",
"indicator--597e0dd9-6f90-4623-a8a2-4fba02de0b81",
"observed-data--597e0dd9-3114-47d0-ad5f-4e9b02de0b81",
"url--597e0dd9-3114-47d0-ad5f-4e9b02de0b81",
"x-misp-attribute--597e0f02-b4dc-4fcf-8e30-466d02de0b81",
"observed-data--597e0f19-a7f4-49b1-af72-4d2602de0b81",
"url--597e0f19-a7f4-49b1-af72-4d2602de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"CowerSnail\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--597e0bba-9014-4e8e-b49d-48e4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-30T16:48:25.000Z",
"modified": "2017-07-30T16:48:25.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Antivirus detection\""
],
"x_misp_category": "Antivirus detection",
"x_misp_type": "text",
"x_misp_value": "Backdoor.Win32.CowerSnail"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--597e0bd7-c6f8-4476-b5fb-4b8902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-30T16:48:25.000Z",
"modified": "2017-07-30T16:48:25.000Z",
"description": "Backdoor.Win32.CowerSnail",
"pattern": "[file:hashes.MD5 = '5460ac43725997798bab3eb6474d391f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-30T16:48:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--597e0beb-d978-430e-9a7b-425302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-30T16:48:25.000Z",
"modified": "2017-07-30T16:48:25.000Z",
"description": "On port 20480",
"pattern": "[domain-name:value = 'cl.ezreal.space']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-30T16:48:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--597e0dd9-2cc0-4c1d-a9e9-43a502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-30T16:48:25.000Z",
"modified": "2017-07-30T16:48:25.000Z",
"description": "Backdoor.Win32.CowerSnail - Xchecked via VT: 5460ac43725997798bab3eb6474d391f",
"pattern": "[file:hashes.SHA256 = '3fb8a4d2ed4f662a4cb4270bb5f488b79c8758aa6fc5c8b119c78fba38d6b7d1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-30T16:48:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--597e0dd9-6f90-4623-a8a2-4fba02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-30T16:48:25.000Z",
"modified": "2017-07-30T16:48:25.000Z",
"description": "Backdoor.Win32.CowerSnail - Xchecked via VT: 5460ac43725997798bab3eb6474d391f",
"pattern": "[file:hashes.SHA1 = '08f423dd9ec9c03320377161f7d73cdac647a765']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-30T16:48:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--597e0dd9-3114-47d0-ad5f-4e9b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-30T16:48:25.000Z",
"modified": "2017-07-30T16:48:25.000Z",
"first_observed": "2017-07-30T16:48:25Z",
"last_observed": "2017-07-30T16:48:25Z",
"number_observed": 1,
"object_refs": [
"url--597e0dd9-3114-47d0-ad5f-4e9b02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--597e0dd9-3114-47d0-ad5f-4e9b02de0b81",
"value": "https://www.virustotal.com/file/3fb8a4d2ed4f662a4cb4270bb5f488b79c8758aa6fc5c8b119c78fba38d6b7d1/analysis/1501280093/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--597e0f02-b4dc-4fcf-8e30-466d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-30T16:54:23.000Z",
"modified": "2017-07-30T16:54:23.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "We recently reported about SambaCry, a new family of Linux Trojans exploiting a vulnerability in the Samba protocol. A week later, Kaspersky Lab analysts managed to detect a malicious program for Windows that was apparently created by the same group responsible for SambaCry. It was the common C&C server that both programs used \u00e2\u20ac\u201c cl.ezreal.space:20480 \u00e2\u20ac\u201c that suggested a relationship between them.\r\n\r\nKaspersky Lab products detect the new malicious program as Backdoor.Win32.CowerSnail. MD5: 5460AC43725997798BAB3EB6474D391F\r\n\r\nCowerSnail was compiled using Qt and linked with various libraries. This framework provides benefits such as cross-platform capability and transferability of the source code between different operating systems. This, however, has an effect on the resulting file size: the user code ends up as a small proportion of a large 3 MB file."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--597e0f19-a7f4-49b1-af72-4d2602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-30T16:54:23.000Z",
"modified": "2017-07-30T16:54:23.000Z",
"first_observed": "2017-07-30T16:54:23Z",
"last_observed": "2017-07-30T16:54:23Z",
"number_observed": 1,
"object_refs": [
"url--597e0f19-a7f4-49b1-af72-4d2602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--597e0f19-a7f4-49b1-af72-4d2602de0b81",
"value": "https://securelist.com/cowersnail-from-the-creators-of-sambacry/79087/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}