{
"type": "bundle",
"id": "bundle--5ede1810-6cfc-4a01-adb0-470902de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-06-08T10:59:18.000Z",
"modified": "2020-06-08T10:59:18.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5ede1810-6cfc-4a01-adb0-470902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-06-08T10:59:18.000Z",
"modified": "2020-06-08T10:59:18.000Z",
"name": "OSINT - New Cyber Operation Targets Italy: Digging Into the Netwire Attack Chai",
"published": "2020-06-08T10:59:27Z",
"object_refs": [
"observed-data--5ede181f-f798-45c0-a074-4e8802de0b81",
"url--5ede181f-f798-45c0-a074-4e8802de0b81",
"indicator--5ede1831-67d4-4f13-9438-4929e387cbd9",
"indicator--5ede1831-1b50-4630-b338-46c5e387cbd9",
"indicator--5ede1831-4dd0-48ed-bcfd-47fde387cbd9",
"indicator--5ede1831-7178-468c-a00e-42d2e387cbd9",
"indicator--5ede1831-9d98-43a1-8264-449ee387cbd9",
"indicator--5ede1856-22c0-4d4a-84c0-4371e387cbd9",
"indicator--5ede1891-e434-48d0-901a-4ba0e387cbd9",
"indicator--5ede18bc-9744-4008-97ed-4d1a950d210f",
"indicator--93f556f4-1c4b-42f6-b34b-36acac26b2d5",
"x-misp-object--7516cd9d-c920-44fa-92f2-d0e72a9c5e8b",
"indicator--8643d2ab-58e2-4f2a-8bdf-775e51e94e83",
"x-misp-object--ac7894f1-8369-4475-858b-5e0d797603fa",
"indicator--1436bace-be80-4f0c-a165-497411872a06",
"x-misp-object--21d4379f-ea7d-47d6-8179-136db3b0a8d9",
"relationship--076a3b3c-dd60-41d8-b609-d50fa1064d27",
"relationship--bc4bc843-840c-4ab3-8acc-8bd9ba64e08b",
"relationship--4186f8fa-7271-4403-afdb-6ff08d96697c"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"misp-galaxy:rat=\"Netwire\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ede181f-f798-45c0-a074-4e8802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-06-08T10:51:11.000Z",
"modified": "2020-06-08T10:51:11.000Z",
"first_observed": "2020-06-08T10:51:11Z",
"last_observed": "2020-06-08T10:51:11Z",
"number_observed": 1,
"object_refs": [
"url--5ede181f-f798-45c0-a074-4e8802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5ede181f-f798-45c0-a074-4e8802de0b81",
"value": "https://yoroi.company/research/new-cyber-operation-targets-italy-digging-into-the-netwire-attack-chain/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ede1831-67d4-4f13-9438-4929e387cbd9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-06-08T10:51:29.000Z",
"modified": "2020-06-08T10:51:29.000Z",
"pattern": "[file:hashes.MD5 = 'ce7b8394cdc66149f91ed39ce6c047ee']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-06-08T10:51:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ede1831-1b50-4630-b338-46c5e387cbd9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-06-08T10:51:29.000Z",
"modified": "2020-06-08T10:51:29.000Z",
"pattern": "[file:hashes.MD5 = '4e4001c6c47d09009eb24ce636bf5906']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-06-08T10:51:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ede1831-4dd0-48ed-bcfd-47fde387cbd9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-06-08T10:51:29.000Z",
"modified": "2020-06-08T10:51:29.000Z",
"pattern": "[file:hashes.MD5 = '4b8e4d05092389216f947e980ac8a7b9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-06-08T10:51:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ede1831-7178-468c-a00e-42d2e387cbd9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-06-08T10:51:29.000Z",
"modified": "2020-06-08T10:51:29.000Z",
"pattern": "[file:hashes.MD5 = 'ad066878659d1f2d0aee06546d3e500b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-06-08T10:51:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ede1831-9d98-43a1-8264-449ee387cbd9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-06-08T10:51:29.000Z",
"modified": "2020-06-08T10:51:29.000Z",
"pattern": "[file:hashes.MD5 = 'ebe4a3f4ceb6d8f1a0485e3ce4333a7c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-06-08T10:51:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ede1856-22c0-4d4a-84c0-4371e387cbd9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-06-08T10:52:06.000Z",
"modified": "2020-06-08T10:52:06.000Z",
"description": "dropsite",
"pattern": "[domain-name:value = 'cloudservices-archive.best']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-06-08T10:52:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ede1891-e434-48d0-901a-4ba0e387cbd9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-06-08T10:53:05.000Z",
"modified": "2020-06-08T10:53:05.000Z",
"description": "C2",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.140.53.48']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-06-08T10:53:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ede18bc-9744-4008-97ed-4d1a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-06-08T10:53:48.000Z",
"modified": "2020-06-08T10:53:48.000Z",
"pattern": "[windows-registry-key:key = 'HKCU\\\\Software\\\\NetWire']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-06-08T10:53:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Persistence mechanism"
}
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"Persistence mechanism\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--93f556f4-1c4b-42f6-b34b-36acac26b2d5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-06-08T10:51:40.000Z",
"modified": "2020-06-08T10:51:40.000Z",
"pattern": "[file:hashes.MD5 = 'ad066878659d1f2d0aee06546d3e500b' AND file:hashes.SHA1 = 'fb7f0880acc174e0c89728783c348cba69315b08' AND file:hashes.SHA256 = '48d9c8293d94c851dec10832b2ef6800dc91669e8fef96d8763d17d6b225e42c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-06-08T10:51:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--7516cd9d-c920-44fa-92f2-d0e72a9c5e8b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-06-08T10:51:40.000Z",
"modified": "2020-06-08T10:51:40.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2020-06-08T02:32:26+00:00",
"category": "Other",
"uuid": "496eac0e-698f-4ea0-ab26-4bc466225bb6"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/48d9c8293d94c851dec10832b2ef6800dc91669e8fef96d8763d17d6b225e42c/detection/f-48d9c8293d94c851dec10832b2ef6800dc91669e8fef96d8763d17d6b225e42c-1591583546",
"category": "Payload delivery",
"uuid": "54756807-9746-4083-b6ec-55f6dcc03d9c"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "30/71",
"category": "Payload delivery",
"uuid": "98064a88-4e53-446c-a5bb-197eb881c9b2"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8643d2ab-58e2-4f2a-8bdf-775e51e94e83",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-06-08T10:51:40.000Z",
"modified": "2020-06-08T10:51:40.000Z",
"pattern": "[file:hashes.MD5 = 'ce7b8394cdc66149f91ed39ce6c047ee' AND file:hashes.SHA1 = '2e0003aeda533f10ef3a69cb6217dbc1da980b9e' AND file:hashes.SHA256 = 'b7e95d0dcedd77ab717a33163af23ab2fd2dc6d07cdf81c5e4cfe080b0946b79']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-06-08T10:51:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--ac7894f1-8369-4475-858b-5e0d797603fa",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-06-08T10:51:40.000Z",
"modified": "2020-06-08T10:51:40.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2020-06-02T17:10:55+00:00",
"category": "Other",
"uuid": "75f593f3-25bf-4602-b637-0b6422e543c3"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/b7e95d0dcedd77ab717a33163af23ab2fd2dc6d07cdf81c5e4cfe080b0946b79/detection/f-b7e95d0dcedd77ab717a33163af23ab2fd2dc6d07cdf81c5e4cfe080b0946b79-1591117855",
"category": "Payload delivery",
"uuid": "5c188649-b2d1-4765-9f41-b6ff4c233eca"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "37/64",
"category": "Payload delivery",
"uuid": "e11599e7-9145-400f-99a4-2ef1ef9ffdf0"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1436bace-be80-4f0c-a165-497411872a06",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-06-08T10:51:40.000Z",
"modified": "2020-06-08T10:51:40.000Z",
"pattern": "[file:hashes.MD5 = '4b8e4d05092389216f947e980ac8a7b9' AND file:hashes.SHA1 = '42b1a3e7891c78f026a9773fad96931ebf8e08cf' AND file:hashes.SHA256 = '818fa737f4041136cde620c3fa3bac5124f60506ef1a64bbc2f8472218039db5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-06-08T10:51:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--21d4379f-ea7d-47d6-8179-136db3b0a8d9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-06-08T10:51:41.000Z",
"modified": "2020-06-08T10:51:41.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2020-06-07T09:15:48+00:00",
"category": "Other",
"uuid": "236726a3-1637-4980-978e-8941bd88c278"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/818fa737f4041136cde620c3fa3bac5124f60506ef1a64bbc2f8472218039db5/detection/f-818fa737f4041136cde620c3fa3bac5124f60506ef1a64bbc2f8472218039db5-1591521348",
"category": "Payload delivery",
"uuid": "c36149ad-2fd7-4274-8f24-2c86b7e57a04"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "21/59",
"category": "Payload delivery",
"uuid": "8e4840ee-7871-45d2-b843-6391332b12a8"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--076a3b3c-dd60-41d8-b609-d50fa1064d27",
"created": "2020-06-08T10:51:41.000Z",
"modified": "2020-06-08T10:51:41.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--93f556f4-1c4b-42f6-b34b-36acac26b2d5",
"target_ref": "x-misp-object--7516cd9d-c920-44fa-92f2-d0e72a9c5e8b"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--bc4bc843-840c-4ab3-8acc-8bd9ba64e08b",
"created": "2020-06-08T10:51:41.000Z",
"modified": "2020-06-08T10:51:41.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--8643d2ab-58e2-4f2a-8bdf-775e51e94e83",
"target_ref": "x-misp-object--ac7894f1-8369-4475-858b-5e0d797603fa"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--4186f8fa-7271-4403-afdb-6ff08d96697c",
"created": "2020-06-08T10:51:41.000Z",
"modified": "2020-06-08T10:51:41.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--1436bace-be80-4f0c-a165-497411872a06",
"target_ref": "x-misp-object--21d4379f-ea7d-47d6-8179-136db3b0a8d9"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}