misp-circl-feed/feeds/circl/misp/5a2cec1b-7f7c-4e23-bd7f-40be02de0b81.json

671 lines
No EOL
29 KiB
JSON

{
"type": "bundle",
"id": "bundle--5a2cec1b-7f7c-4e23-bd7f-40be02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:39:48.000Z",
"modified": "2017-12-10T08:39:48.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5a2cec1b-7f7c-4e23-bd7f-40be02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:39:48.000Z",
"modified": "2017-12-10T08:39:48.000Z",
"name": "OSINT - StrongPity2 spyware replaces FinFisher in MitM campaign \u00e2\u20ac\u201c ISP involved?",
"published": "2017-12-10T13:54:57Z",
"object_refs": [
"observed-data--5a2cec6d-e9c4-4cd0-9bca-4cf602de0b81",
"url--5a2cec6d-e9c4-4cd0-9bca-4cf602de0b81",
"x-misp-attribute--5a2cec8f-ad7c-4132-924a-4fb002de0b81",
"indicator--5a2cecbf-c70c-43e7-b987-4c9502de0b81",
"indicator--5a2cecc0-f914-4007-9a3f-45ec02de0b81",
"indicator--5a2cecc0-ff28-4fb3-b316-42f002de0b81",
"indicator--5a2cecc0-8c7c-4f26-a5ff-4bfc02de0b81",
"indicator--5a2cecc0-df50-4b03-8eab-4b7102de0b81",
"indicator--5a2cecc0-251c-4d8f-b820-476802de0b81",
"indicator--5a2cecc0-5528-4690-9081-4f5502de0b81",
"indicator--5a2cecc0-c908-4983-aef9-461d02de0b81",
"indicator--5a2cecc0-7fd8-4ea2-838a-423602de0b81",
"indicator--5a2cece5-f034-425c-bdb3-467d02de0b81",
"indicator--5a2cedb1-0d68-45fb-82f6-4f3102de0b81",
"indicator--5a2cedb1-e590-4697-aaf9-43f802de0b81",
"observed-data--5a2cedb1-8828-4342-8688-48e702de0b81",
"url--5a2cedb1-8828-4342-8688-48e702de0b81",
"indicator--5a2cedb2-b11c-481d-b598-467f02de0b81",
"indicator--5a2cedb3-ff88-455a-add9-455702de0b81",
"observed-data--5a2cedb3-18ec-487b-92e5-46ca02de0b81",
"url--5a2cedb3-18ec-487b-92e5-46ca02de0b81",
"indicator--5a2cedb3-c700-4050-9092-479802de0b81",
"indicator--5a2cedb3-3538-46e4-b83c-489602de0b81",
"observed-data--5a2cedb3-769c-4574-81d2-434f02de0b81",
"url--5a2cedb3-769c-4574-81d2-434f02de0b81",
"indicator--5a2ceddf-183c-4fea-a9cd-4b9e02de0b81",
"indicator--5a2cede0-524c-483d-983a-4f2902de0b81",
"indicator--5a2cede1-2874-4fac-9a9c-4a2702de0b81",
"indicator--5a2cedf2-4948-4937-823a-492b02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:threat-actor=\"PROMETHIUM\"",
"misp-galaxy:tool=\"StrongPity2\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a2cec6d-e9c4-4cd0-9bca-4cf602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:17:51.000Z",
"modified": "2017-12-10T08:17:51.000Z",
"first_observed": "2017-12-10T08:17:51Z",
"last_observed": "2017-12-10T08:17:51Z",
"number_observed": 1,
"object_refs": [
"url--5a2cec6d-e9c4-4cd0-9bca-4cf602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"osint:certainty=\"93\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a2cec6d-e9c4-4cd0-9bca-4cf602de0b81",
"value": "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5a2cec8f-ad7c-4132-924a-4fb002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:17:52.000Z",
"modified": "2017-12-10T08:17:52.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"osint:certainty=\"93\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Continuing our research into FinFisher \u00e2\u20ac\u201c the infamous spyware known also as FinSpy and sold to governments and their agencies worldwide \u00e2\u20ac\u201c we noticed that the FinFisher malware in our previously-documented campaign, which had strong indicators of internet service provider (ISP) involvement, had been replaced by different spyware. Detected by ESET as Win32/StrongPity2, this spyware notably resembles one that was attributed to the group called StrongPity. As well as detecting and blocking this threat, all ESET products \u00e2\u20ac\u201c including the free ESET Online Scanner \u00e2\u20ac\u201c thoroughly clean systems compromised by StrongPity2.\r\n\r\nAs we reported in September, in campaigns we detected in two different countries, Man-in-the-Middle (MitM) attacks had been used to spread FinFisher, with the \u00e2\u20ac\u0153man\u00e2\u20ac\u009d in both cases most likely operating at the ISP level. According to our telemetry, those campaigns were terminated on 21 September 2017 \u00e2\u20ac\u201c the very day we published our research.\r\n\r\nOn 8 October 2017, the same campaign resurfaced in one of those two countries, using the same (and very uncommon) structure of HTTP redirects to achieve \u00e2\u20ac\u0153on-the-fly\u00e2\u20ac\u009d browser redirection, only this time distributing Win32/StrongPity2 instead of FinFisher. We analyzed the new spyware and immediately noticed several similarities to malware allegedly operated by the StrongPity group in the past."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a2cecbf-c70c-43e7-b987-4c9502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:17:52.000Z",
"modified": "2017-12-10T08:17:52.000Z",
"description": "Hashes of analyzed samples:",
"pattern": "[file:hashes.SHA1 = '4ad3ecc01d3aa73b97f53e317e3441244cf60cbd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-10T08:17:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a2cecc0-f914-4007-9a3f-45ec02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:17:52.000Z",
"modified": "2017-12-10T08:17:52.000Z",
"description": "Hashes of analyzed samples:",
"pattern": "[file:hashes.SHA1 = '8b33b11991e1e94b7a1b03d6fb20541c012be0e3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-10T08:17:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a2cecc0-ff28-4fb3-b316-42f002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:17:52.000Z",
"modified": "2017-12-10T08:17:52.000Z",
"description": "Hashes of analyzed samples:",
"pattern": "[file:hashes.SHA1 = '49c2bcae30a537454ad0b9344b38a04a0465a0b5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-10T08:17:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a2cecc0-8c7c-4f26-a5ff-4bfc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:17:52.000Z",
"modified": "2017-12-10T08:17:52.000Z",
"description": "Hashes of analyzed samples:",
"pattern": "[file:hashes.SHA1 = 'e17b5e71d26b2518871c73e8b1459e85fb922814']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-10T08:17:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a2cecc0-df50-4b03-8eab-4b7102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:17:52.000Z",
"modified": "2017-12-10T08:17:52.000Z",
"description": "Hashes of analyzed samples:",
"pattern": "[file:hashes.SHA1 = '76fc68607a608018277afa74ee09d5053623ff36']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-10T08:17:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a2cecc0-251c-4d8f-b820-476802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:17:53.000Z",
"modified": "2017-12-10T08:17:53.000Z",
"description": "Hashes of analyzed samples:",
"pattern": "[file:hashes.SHA1 = '87a38a8c357f549b695541d603de30073035043d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-10T08:17:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a2cecc0-5528-4690-9081-4f5502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:17:53.000Z",
"modified": "2017-12-10T08:17:53.000Z",
"description": "Hashes of analyzed samples:",
"pattern": "[file:hashes.SHA1 = '9f2d9d2131eff6220abaf97e2acd1bbb5c66f4e0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-10T08:17:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a2cecc0-c908-4983-aef9-461d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:17:53.000Z",
"modified": "2017-12-10T08:17:53.000Z",
"description": "Hashes of analyzed samples:",
"pattern": "[file:hashes.SHA1 = 'f8009ef802a28c2e21bce76b31094ed4a16e70d6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-10T08:17:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a2cecc0-7fd8-4ea2-838a-423602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:17:53.000Z",
"modified": "2017-12-10T08:17:53.000Z",
"description": "Hashes of analyzed samples:",
"pattern": "[file:hashes.SHA1 = 'a0437a2c8c50b8748ca3344c38bc80279779add7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-10T08:17:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a2cece5-f034-425c-bdb3-467d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:17:53.000Z",
"modified": "2017-12-10T08:17:53.000Z",
"description": "Domain serving the software packages trojanized by Win32/StrongPity2",
"pattern": "[url:value = 'https://downloading.internetdownloading.co']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-10T08:17:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a2cedb1-0d68-45fb-82f6-4f3102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:17:53.000Z",
"modified": "2017-12-10T08:17:53.000Z",
"description": "Hashes of analyzed samples: - Xchecked via VT: a0437a2c8c50b8748ca3344c38bc80279779add7",
"pattern": "[file:hashes.SHA256 = '0ef8d249a2e8cb096b69c7f2cae46a073681bd43fcabc9c50eb5df454c71baea']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-10T08:17:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a2cedb1-e590-4697-aaf9-43f802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:17:53.000Z",
"modified": "2017-12-10T08:17:53.000Z",
"description": "Hashes of analyzed samples: - Xchecked via VT: a0437a2c8c50b8748ca3344c38bc80279779add7",
"pattern": "[file:hashes.MD5 = '5f8dd1a37ad2b36b178777d6bbf8a35b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-10T08:17:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a2cedb1-8828-4342-8688-48e702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:17:53.000Z",
"modified": "2017-12-10T08:17:53.000Z",
"first_observed": "2017-12-10T08:17:53Z",
"last_observed": "2017-12-10T08:17:53Z",
"number_observed": 1,
"object_refs": [
"url--5a2cedb1-8828-4342-8688-48e702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a2cedb1-8828-4342-8688-48e702de0b81",
"value": "https://www.virustotal.com/file/0ef8d249a2e8cb096b69c7f2cae46a073681bd43fcabc9c50eb5df454c71baea/analysis/1512879477/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a2cedb2-b11c-481d-b598-467f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:17:54.000Z",
"modified": "2017-12-10T08:17:54.000Z",
"description": "Hashes of analyzed samples: - Xchecked via VT: f8009ef802a28c2e21bce76b31094ed4a16e70d6",
"pattern": "[file:hashes.SHA256 = '462e85023952d23b74d697911653604b40497424e7a6fe505366addae6c375f7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-10T08:17:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a2cedb3-ff88-455a-add9-455702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:17:55.000Z",
"modified": "2017-12-10T08:17:55.000Z",
"description": "Hashes of analyzed samples: - Xchecked via VT: f8009ef802a28c2e21bce76b31094ed4a16e70d6",
"pattern": "[file:hashes.MD5 = 'be6f2a03dfddbaf1166854730961d13c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-10T08:17:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a2cedb3-18ec-487b-92e5-46ca02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:17:55.000Z",
"modified": "2017-12-10T08:17:55.000Z",
"first_observed": "2017-12-10T08:17:55Z",
"last_observed": "2017-12-10T08:17:55Z",
"number_observed": 1,
"object_refs": [
"url--5a2cedb3-18ec-487b-92e5-46ca02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a2cedb3-18ec-487b-92e5-46ca02de0b81",
"value": "https://www.virustotal.com/file/462e85023952d23b74d697911653604b40497424e7a6fe505366addae6c375f7/analysis/1512864532/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a2cedb3-c700-4050-9092-479802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:17:55.000Z",
"modified": "2017-12-10T08:17:55.000Z",
"description": "Hashes of analyzed samples: - Xchecked via VT: e17b5e71d26b2518871c73e8b1459e85fb922814",
"pattern": "[file:hashes.SHA256 = '57da6fa244402a7fe5d4f8f8abf2acbc08db3817faee93dd8ccdc8a2a3554245']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-10T08:17:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a2cedb3-3538-46e4-b83c-489602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:17:55.000Z",
"modified": "2017-12-10T08:17:55.000Z",
"description": "Hashes of analyzed samples: - Xchecked via VT: e17b5e71d26b2518871c73e8b1459e85fb922814",
"pattern": "[file:hashes.MD5 = '08d971f5f4707ae6ea56ed2f243c38b7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-10T08:17:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a2cedb3-769c-4574-81d2-434f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:17:55.000Z",
"modified": "2017-12-10T08:17:55.000Z",
"first_observed": "2017-12-10T08:17:55Z",
"last_observed": "2017-12-10T08:17:55Z",
"number_observed": 1,
"object_refs": [
"url--5a2cedb3-769c-4574-81d2-434f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a2cedb3-769c-4574-81d2-434f02de0b81",
"value": "https://www.virustotal.com/file/57da6fa244402a7fe5d4f8f8abf2acbc08db3817faee93dd8ccdc8a2a3554245/analysis/1512862923/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a2ceddf-183c-4fea-a9cd-4b9e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:18:39.000Z",
"modified": "2017-12-10T08:18:39.000Z",
"description": "URLs used to exfiltrate stolen data",
"pattern": "[url:value = 'https://updserv-east-cdn3.com/s3s3sxhxTuDSrkBQb88wE99Q.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-10T08:18:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a2cede0-524c-483d-983a-4f2902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:18:40.000Z",
"modified": "2017-12-10T08:18:40.000Z",
"description": "URLs used to exfiltrate stolen data",
"pattern": "[url:value = 'https://updserv-east-cdn3.com/kU2QLsNB6TzexJv5vGdunVXT.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-10T08:18:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a2cede1-2874-4fac-9a9c-4a2702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:18:41.000Z",
"modified": "2017-12-10T08:18:41.000Z",
"description": "URLs used to exfiltrate stolen data",
"pattern": "[url:value = 'https://updserv-east-cdn3.com/p55C3xhxTuD5rkBQbB8wE99Q.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-10T08:18:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a2cedf2-4948-4937-823a-492b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-10T08:19:15.000Z",
"modified": "2017-12-10T08:19:15.000Z",
"description": "Folder created by the malware to store its components",
"pattern": "[file:name = '\\\\%temp\\\\%\\\\lang_be29c9f3-83we']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-10T08:19:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}