373 lines
No EOL
16 KiB
JSON
373 lines
No EOL
16 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--5a54ca42-e9a0-4d71-a9e6-4f9b950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-16T03:00:30.000Z",
|
|
"modified": "2018-01-16T03:00:30.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--5a54ca42-e9a0-4d71-a9e6-4f9b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-16T03:00:30.000Z",
|
|
"modified": "2018-01-16T03:00:30.000Z",
|
|
"name": "OSINT - Experts analyzed an Advanced \"all in memory\" CryptoWorm",
|
|
"published": "2018-02-16T08:50:36Z",
|
|
"object_refs": [
|
|
"observed-data--5a54ca53-f374-44ba-9475-455f950d210f",
|
|
"url--5a54ca53-f374-44ba-9475-455f950d210f",
|
|
"x-misp-attribute--5a5c5cdc-dd14-4415-8ce3-4ae3950d210f",
|
|
"indicator--5a5c5d76-21e8-42fd-8b34-4d39950d210f",
|
|
"indicator--5a5c5d76-59e8-46ee-88b7-4240950d210f",
|
|
"x-misp-attribute--5a5c5dfd-aaac-4c47-9eff-417d950d210f",
|
|
"indicator--5a5c5e0f-4364-483b-98c3-4fad950d210f",
|
|
"indicator--5a5c5e0f-0dac-46db-b486-4cbb950d210f",
|
|
"indicator--5a5c5e62-827c-4ed3-94d6-4de0950d210f",
|
|
"indicator--ef15fe55-96db-4f8e-a563-90107aa04fd8",
|
|
"x-misp-object--f12256d2-41cd-4eb1-bbd1-fb0128573238",
|
|
"indicator--d932fbce-6248-4955-bf1c-ddbd669a67b3",
|
|
"x-misp-object--c46c80e3-a03a-497f-87ee-816333479203",
|
|
"relationship--d8005533-2650-4fcf-9820-f1e41391be5f",
|
|
"relationship--66ee002e-ec77-4f0c-adb0-8028ac8ae9c5"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5a54ca53-f374-44ba-9475-455f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:34:09.000Z",
|
|
"modified": "2018-01-15T09:34:09.000Z",
|
|
"first_observed": "2018-01-15T09:34:09Z",
|
|
"last_observed": "2018-01-15T09:34:09Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5a54ca53-f374-44ba-9475-455f950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5a54ca53-f374-44ba-9475-455f950d210f",
|
|
"value": "http://securityaffairs.co/wordpress/63488/malware/advanced-memory-cryptoworm.html"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5a5c5cdc-dd14-4415-8ce3-4ae3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:34:10.000Z",
|
|
"modified": "2018-01-15T09:34:10.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "Today I want to share a nice Malware analysis having an interesting flow. The \u00e2\u20ac\u0153interesting\u00e2\u20ac\u009d adjective comes from the abilities the given sample owns. Capabilities of exploiting, hard obfuscations and usage of advanced techniques to steal credentials and run commands.\r\n\r\nThe analyzed sample has been provided by a colleague of mine (Alessandro) who received the first stage by eMail. A special thanks to Luca and Edoardo for having recognized XMRig during the last infection stage."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c5d76-21e8-42fd-8b34-4d39950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:34:10.000Z",
|
|
"modified": "2018-01-15T09:34:10.000Z",
|
|
"pattern": "[file:name = 'info6.ps1']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:34:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c5d76-59e8-46ee-88b7-4240950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:34:10.000Z",
|
|
"modified": "2018-01-15T09:34:10.000Z",
|
|
"pattern": "[url:value = 'http://118.184.48.95:8000/']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:34:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5a5c5dfd-aaac-4c47-9eff-417d950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:34:11.000Z",
|
|
"modified": "2018-01-15T09:34:11.000Z",
|
|
"labels": [
|
|
"misp:type=\"other\"",
|
|
"misp:category=\"Financial fraud\""
|
|
],
|
|
"x_misp_category": "Financial fraud",
|
|
"x_misp_comment": "Monero Address",
|
|
"x_misp_type": "other",
|
|
"x_misp_value": "46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c5e0f-4364-483b-98c3-4fad950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T07:53:51.000Z",
|
|
"modified": "2018-01-15T07:53:51.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '19e15a4288e109405f0181d921d3645e4622c87c4050004357355b7a9bf862cc']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T07:53:51Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c5e0f-0dac-46db-b486-4cbb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T07:53:51.000Z",
|
|
"modified": "2018-01-15T07:53:51.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T07:53:51Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c5e62-827c-4ed3-94d6-4de0950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:34:11.000Z",
|
|
"modified": "2018-01-15T09:34:11.000Z",
|
|
"pattern": "[file:name = 'y1.bat']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:34:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--ef15fe55-96db-4f8e-a563-90107aa04fd8",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:34:14.000Z",
|
|
"modified": "2018-01-15T09:34:14.000Z",
|
|
"pattern": "[file:hashes.MD5 = '9ac3bdb9378cd1fafbb8e08def738481' AND file:hashes.SHA1 = '8da156580747bf9ef8fa4d1c42ee112ab743da69' AND file:hashes.SHA256 = '038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:34:14Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--f12256d2-41cd-4eb1-bbd1-fb0128573238",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:34:13.000Z",
|
|
"modified": "2018-01-15T09:34:13.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309/analysis/1513112352/",
|
|
"category": "External analysis",
|
|
"uuid": "5a5c7595-db48-49f6-84da-459f02de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "47/67",
|
|
"category": "Other",
|
|
"uuid": "5a5c7595-4a78-4b7d-b6d0-422f02de0b81"
|
|
},
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2017-12-12T20:59:12",
|
|
"category": "Other",
|
|
"uuid": "5a5c7596-3728-4530-b061-411f02de0b81"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--d932fbce-6248-4955-bf1c-ddbd669a67b3",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:34:17.000Z",
|
|
"modified": "2018-01-15T09:34:17.000Z",
|
|
"pattern": "[file:hashes.MD5 = '8365158c74008879df00a9d49e61aaea' AND file:hashes.SHA1 = '686761aff5e4efedbc5b2931c0f214d8ba7b9463' AND file:hashes.SHA256 = '19e15a4288e109405f0181d921d3645e4622c87c4050004357355b7a9bf862cc']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:34:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--c46c80e3-a03a-497f-87ee-816333479203",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:34:15.000Z",
|
|
"modified": "2018-01-15T09:34:15.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/19e15a4288e109405f0181d921d3645e4622c87c4050004357355b7a9bf862cc/analysis/1513112312/",
|
|
"category": "External analysis",
|
|
"uuid": "5a5c7598-efc4-400f-9451-4f2502de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "30/65",
|
|
"category": "Other",
|
|
"uuid": "5a5c7599-bbfc-49f5-bf91-417d02de0b81"
|
|
},
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2017-12-12T20:58:32",
|
|
"category": "Other",
|
|
"uuid": "5a5c7599-ce88-4d2a-9ccd-446c02de0b81"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--d8005533-2650-4fcf-9820-f1e41391be5f",
|
|
"created": "2018-02-16T08:50:36.000Z",
|
|
"modified": "2018-02-16T08:50:36.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--ef15fe55-96db-4f8e-a563-90107aa04fd8",
|
|
"target_ref": "x-misp-object--f12256d2-41cd-4eb1-bbd1-fb0128573238"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--66ee002e-ec77-4f0c-adb0-8028ac8ae9c5",
|
|
"created": "2018-02-16T08:50:36.000Z",
|
|
"modified": "2018-02-16T08:50:36.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--d932fbce-6248-4955-bf1c-ddbd669a67b3",
|
|
"target_ref": "x-misp-object--c46c80e3-a03a-497f-87ee-816333479203"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |