
{
"type": "bundle",
"id": "bundle--5df8df26-fe0e-4858-94a7-6cf71d9519c9",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-19T15:47:38.000Z",
"modified": "2021-11-19T15:47:38.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5df8df26-fe0e-4858-94a7-6cf71d9519c9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-19T15:47:38.000Z",
"modified": "2021-11-19T15:47:38.000Z",
"name": "UEFI threats moving to the ESP: Introducing ESPecter bootkit",
"published": "2021-11-19T15:49:17Z",
"object_refs": [
"x-misp-attribute--2a49a854-10b5-4365-91e9-3f4a585eaf42",
"x-misp-attribute--e4f416a2-85e2-43fd-a0d0-f282188e291e",
"x-misp-attribute--0e1708e4-f25e-4ebe-acc7-e77dc5a906dd",
"indicator--a74af413-79fa-4909-9c0e-5da293a89d14",
"indicator--ddf93926-3645-4e64-8e21-e3cadcb42dbe",
"indicator--4822dadc-6680-4b7b-948b-5eb0eecf329c",
"indicator--cd507edf-d207-4fc8-ab5a-981f43ba2a51",
"indicator--8ce804d8-0129-47b2-aadb-e794772944d9",
"indicator--6f4ef921-6bf4-4692-bbad-e48ce05eb228",
"indicator--c2f4e331-a13d-49b0-a01a-bc053da56769",
"indicator--043a8bb1-1a42-4737-b72c-26c5701aa7f8",
"x-misp-attribute--c3972c5b-f600-426b-8a03-2b82bad6fedb",
"x-misp-attribute--053dfa99-3d2f-4498-ab6a-544bdd2f06f1",
"x-misp-attribute--604f4489-cfe4-48b6-a71e-4115cc6e1686",
"x-misp-attribute--a41f57f0-b112-4bac-be5d-d079b1ef3654",
"x-misp-attribute--a727a6a4-d692-46a6-a471-ca8438b99206",
"x-misp-attribute--6bb145ae-a23b-4186-98e6-4af2afe63a85",
"x-misp-attribute--36eab666-2303-41b4-86db-d2d4630b1c4b",
"x-misp-attribute--5daed22d-ca0c-49d0-af03-d71fc869467b",
"x-misp-attribute--e7adc49c-33af-4fc7-9111-d8a7a5479dce",
"x-misp-attribute--53a6c33c-ba99-4e25-9741-bac2877adfe0",
"x-misp-attribute--387b69b7-6336-4b2f-aaf2-61ca43c12dbf",
"x-misp-attribute--f134b566-0efa-4e8d-a0c2-983ab1a10951",
"x-misp-attribute--f9fc7f74-52ed-4b13-aa18-cb696b3f71b2",
"x-misp-attribute--f07e6d67-1608-4ecf-841a-beebc4d55450",
"x-misp-attribute--81db953f-ae79-4e07-95cf-86c9aa5f315b",
"indicator--3de8d0d9-4538-4295-86c4-4a8c2115d031",
"indicator--a1e4283a-d00f-4c04-b605-19b4df73fa29",
"indicator--d3624e94-1ce5-439d-800d-b14cde62ca8c",
"indicator--7ed3898f-469c-4503-9ced-31ef0edc4598",
"indicator--bdfbf198-91a4-4e34-87fa-20ffbcb938cb",
"indicator--44ecfdbb-15ad-4da5-ae60-ae9e86a8fcbd",
"indicator--7c8585c7-f16d-4160-b518-f64330929a65",
"indicator--6e6295bb-4caa-4c86-9c3b-7982df4b1579",
"indicator--8434d591-d6d9-4043-a68b-b7f7aa7632cb",
"indicator--3a91a09d-baab-4f83-b313-f17e83e6225b",
"indicator--8f23b33c-1f63-4a59-88d5-f1913185f8c2",
"indicator--5076da52-2497-4dcd-b7eb-6b13bd387df5",
"indicator--313ae7bc-b8cb-4fc6-b646-8379f9fb0917",
"indicator--0ac2f3e6-37a7-4ad6-ab4b-b6d20c19e775",
"indicator--8cb316d8-7c13-4d62-ae36-65336aaa80fb",
"indicator--d24fb77d-e776-4d2b-9480-4c430733a2d9",
"indicator--3bae573d-d93e-468a-8406-47b55de6e76f",
"indicator--436005da-d100-4543-9329-6939546bcd98",
"indicator--59c35d4e-4420-4266-992f-1aa58906e157",
"indicator--2f941274-cb1e-4499-8407-1af90a163231",
"indicator--0e48addd-4a98-4045-9725-3d43918787c9",
"indicator--28c3fa40-019d-4de0-b203-eb3b4921cf08",
"indicator--bf9c1674-2f1d-4a0c-8fa6-7efa805f8dd6",
"indicator--e2c5cac5-a603-44ad-a47a-e4e11795d57b",
"indicator--a88b2df4-d1c2-4ad3-8f92-bca70dca1cc5",
"indicator--83cd3826-3f69-48e2-b91d-c319ecd366be",
"indicator--5d3cc885-69a8-44b6-942d-76a205b5b9bf",
"indicator--c3680318-bdc8-4e35-9722-7401eac56247",
"indicator--92800ef6-15f8-48b7-90ea-e8a819affda4",
"indicator--4897f3a4-3ae7-45e3-82a3-b14314cbfc29",
"indicator--2fe0f668-8003-49d9-98e8-d5123f12a56d",
"x-misp-object--00757583-07b5-44cf-aaf0-7e71aebf60ff",
"x-misp-object--704e5969-5b1d-4325-b7fc-4a6d923bbda5",
"indicator--a9021b55-afc0-437c-b972-3079eab113d1",
"x-misp-object--7ef11d83-1085-4d24-910e-5f66372ed7ef",
"indicator--31bcc06e-f214-4193-bd07-83a32e27ad7d",
"x-misp-object--aad7d8b5-905e-4cf6-9e67-6182ce4de562",
"indicator--e69670e4-f98d-4be6-953c-933b681d802b",
"x-misp-object--3e418ab5-d67d-46cd-b630-f40b287784b7",
"indicator--0ce970ae-28ab-457c-a377-d083e527e699",
"x-misp-object--9c96483f-0733-4016-80cf-7e5a090da564",
"indicator--b9b484e5-731d-432a-b5eb-6013142e1fb7",
"x-misp-object--6587653a-065f-49f1-958a-83869a219db6",
"relationship--5c584f12-fade-4aee-908d-9244a748ea04",
"relationship--543bfbbb-475f-4444-af8c-e206383ff211",
"relationship--672fb3d7-d103-43f1-ae9f-4abbda83f950",
"relationship--62dfae1b-93be-4b2e-ab7c-6b46bc0540f0",
"relationship--eaa5f046-875a-44fe-84d8-d2dc6223cd1a"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
"misp-galaxy:mitre-attack-pattern=\"Pre-OS Boot - T1542\"",
"misp-galaxy:mitre-attack-pattern=\"Boot or Logon Autostart Execution - T1547\"",
"misp-galaxy:mitre-attack-pattern=\"Dynamic-link Library Injection - T1055.001\"",
"misp-galaxy:mitre-attack-pattern=\"Hidden Files and Directories - T1564.001\"",
"misp-galaxy:mitre-attack-pattern=\"Hidden File System - T1564.005\"",
"misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
"misp-galaxy:mitre-attack-pattern=\"Impair Defenses - T1562\"",
"misp-galaxy:mitre-attack-pattern=\"Rename System Utilities - T1036.003\"",
"misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
"misp-galaxy:mitre-attack-pattern=\"Patch System Image - T1601.001\"",
"misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1406\"",
"misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
"misp-galaxy:mitre-attack-pattern=\"Bootkit - T1542.003\"",
"misp-galaxy:mitre-attack-pattern=\"Code Signing Policy Modification - T1553.006\"",
"misp-galaxy:mitre-attack-pattern=\"Time Based Evasion - T1497.003\"",
"misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
"misp-galaxy:mitre-attack-pattern=\"Application Window Discovery - T1010\"",
"misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
"misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1420\"",
"misp-galaxy:mitre-attack-pattern=\"Peripheral Device Discovery - T1120\"",
"misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1424\"",
"misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"",
"misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1426\"",
"misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\"",
"misp-galaxy:mitre-attack-pattern=\"Automated Collection - T1119\"",
"misp-galaxy:mitre-attack-pattern=\"Data from Removable Media - T1025\"",
"misp-galaxy:mitre-attack-pattern=\"Local Data Staging - T1074.001\"",
"misp-galaxy:mitre-attack-pattern=\"Input Capture - T1417\"",
"misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"",
"misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1513\"",
"misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
"misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
"misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"",
"misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
"misp-galaxy:mitre-attack-pattern=\"Non-Application Layer Protocol - T1095\"",
"misp-galaxy:mitre-attack-pattern=\"Multi-Stage Channels - T1104\"",
"misp-galaxy:mitre-attack-pattern=\"Automated Exfiltration - T1020\"",
"misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
"misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\"",
"misp-galaxy:mitre-attack-pattern=\"Scheduled Transfer - T1029\"",
"misp-galaxy:tool=\"ESPecter bootkit\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--2a49a854-10b5-4365-91e9-3f4a585eaf42",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-11T14:08:22.000Z",
"modified": "2021-11-11T14:08:22.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Artifacts dropped\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_type": "text",
"x_misp_value": "EFI/Rootkit.ESPecter"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--e4f416a2-85e2-43fd-a0d0-f282188e291e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-11T14:08:22.000Z",
"modified": "2021-11-11T14:08:22.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Artifacts dropped\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_type": "text",
"x_misp_value": "Win32/Rootkit.ESPecter"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--0e1708e4-f25e-4ebe-acc7-e77dc5a906dd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-11T14:08:22.000Z",
"modified": "2021-11-11T14:08:22.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Artifacts dropped\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_type": "text",
"x_misp_value": "Win64/Rootkit.ESPecter"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a74af413-79fa-4909-9c0e-5da293a89d14",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-11T14:46:40.000Z",
"modified": "2021-11-11T14:46:40.000Z",
"description": "C&C from configurations",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '196.1.2.111']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-11T14:46:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ddf93926-3645-4e64-8e21-e3cadcb42dbe",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-11T14:46:40.000Z",
"modified": "2021-11-11T14:46:40.000Z",
"description": "C&C from configurations",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.212.69.175']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-11T14:46:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4822dadc-6680-4b7b-948b-5eb0eecf329c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-11T14:46:40.000Z",
"modified": "2021-11-11T14:46:40.000Z",
"description": "C&C from configurations",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '183.90.187.65']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-11T14:46:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--cd507edf-d207-4fc8-ab5a-981f43ba2a51",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-11T14:46:40.000Z",
"modified": "2021-11-11T14:46:40.000Z",
"description": "C&C from configurations",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '61.178.79.69']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-11T14:46:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8ce804d8-0129-47b2-aadb-e794772944d9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-11T14:46:40.000Z",
"modified": "2021-11-11T14:46:40.000Z",
"description": "C&C from configurations",
"pattern": "[domain-name:value = 'swj02.gicp.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-11T14:46:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6f4ef921-6bf4-4692-bbad-e48ce05eb228",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-11T14:46:40.000Z",
"modified": "2021-11-11T14:46:40.000Z",
"description": "C&C from configurations",
"pattern": "[domain-name:value = 'server.microsoftassistant.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-11T14:46:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c2f4e331-a13d-49b0-a01a-bc053da56769",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-11T14:46:40.000Z",
"modified": "2021-11-11T14:46:40.000Z",
"description": "C&C from configurations",
"pattern": "[domain-name:value = 'yspark.justdied.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-11T14:46:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--043a8bb1-1a42-4737-b72c-26c5701aa7f8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-11T14:46:40.000Z",
"modified": "2021-11-11T14:46:40.000Z",
"description": "C&C from configurations",
"pattern": "[domain-name:value = 'crystalnba.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-11T14:46:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--c3972c5b-f600-426b-8a03-2b82bad6fedb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T08:51:37.000Z",
"modified": "2021-11-12T08:51:37.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "Configuration file path",
"x_misp_type": "text",
"x_misp_value": "%windir%\\Temp\\syslog"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--053dfa99-3d2f-4498-ab6a-544bdd2f06f1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T09:46:13.000Z",
"modified": "2021-11-12T09:46:13.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "Base directory for the collected data (%BaseDir%)",
"x_misp_type": "text",
"x_misp_value": "%sysdir%\\Media\\NPCSJDLFSD"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--604f4489-cfe4-48b6-a71e-4115cc6e1686",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T09:46:13.000Z",
"modified": "2021-11-12T09:46:13.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "Base directory for the collected data (%BaseDir%)",
"x_misp_type": "text",
"x_misp_value": "%windir%\\Temp\\NPCSJDLFSD"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--a41f57f0-b112-4bac-be5d-d079b1ef3654",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:18:01.000Z",
"modified": "2021-11-12T10:18:01.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "Screenshots directory",
"x_misp_type": "text",
"x_misp_value": "%BaseDir%\\SSQWCVBER"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--a727a6a4-d692-46a6-a471-ca8438b99206",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:18:36.000Z",
"modified": "2021-11-12T10:18:36.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "Stolen documents directory",
"x_misp_type": "text",
"x_misp_value": "%BaseDir%\\UTXZCZXQ"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--6bb145ae-a23b-4186-98e6-4af2afe63a85",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:19:05.000Z",
"modified": "2021-11-12T10:19:05.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "Intercepted keyboard logs directory",
"x_misp_type": "text",
"x_misp_value": "%BaseDir%\\KLACVSWER"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--36eab666-2303-41b4-86db-d2d4630b1c4b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:19:35.000Z",
"modified": "2021-11-12T10:19:35.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "Encrypted user-mode payload files",
"x_misp_type": "text",
"x_misp_value": "%windir%\\Temp\\dd_vcredist"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5daed22d-ca0c-49d0-af03-d71fc869467b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:19:35.000Z",
"modified": "2021-11-12T10:19:35.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "Encrypted user-mode payload files",
"x_misp_type": "text",
"x_misp_value": "%windir%\\Temp\\memlog"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--e7adc49c-33af-4fc7-9111-d8a7a5479dce",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:19:35.000Z",
"modified": "2021-11-12T10:19:35.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "Encrypted user-mode payload files",
"x_misp_type": "text",
"x_misp_value": "%windir%\\Temp\\vmmmlog"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--53a6c33c-ba99-4e25-9741-bac2877adfe0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:19:35.000Z",
"modified": "2021-11-12T10:19:35.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "Encrypted user-mode payload files",
"x_misp_type": "text",
"x_misp_value": "%windir%\\Temp\\vmmmmlog"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--387b69b7-6336-4b2f-aaf2-61ca43c12dbf",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:19:59.000Z",
"modified": "2021-11-12T10:19:59.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "Decrypted user-mode payload files",
"x_misp_type": "text",
"x_misp_value": "%windir%\\Temp\\vmmmlog.exe"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--f134b566-0efa-4e8d-a0c2-983ab1a10951",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:19:59.000Z",
"modified": "2021-11-12T10:19:59.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "Decrypted user-mode payload files",
"x_misp_type": "text",
"x_misp_value": "%windir%\\Temp\\vmmmmlog.exe"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--f9fc7f74-52ed-4b13-aa18-cb696b3f71b2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:19:59.000Z",
"modified": "2021-11-12T10:19:59.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "Decrypted user-mode payload files",
"x_misp_type": "text",
"x_misp_value": "\\SystemRoot\\System32\\Client.dll"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--f07e6d67-1608-4ecf-841a-beebc4d55450",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:19:59.000Z",
"modified": "2021-11-12T10:19:59.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "Decrypted user-mode payload files",
"x_misp_type": "text",
"x_misp_value": "\\SystemRoot\\System32\\WinSys.dll"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--81db953f-ae79-4e07-95cf-86c9aa5f315b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:20:24.000Z",
"modified": "2021-11-12T10:20:24.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "Backed up clean null.sys or beep.sys driver path",
"x_misp_type": "text",
"x_misp_value": "%windir%\\\\Help\\\\intel.chm"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3de8d0d9-4538-4295-86c4-4a8c2115d031",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:24:19.000Z",
"modified": "2021-11-12T10:24:19.000Z",
"pattern": "[file:hashes.SHA1 = '6b2ad6114029d60f7c40f306271669b3a69ea270' AND file:name = 'WinSys.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T10:24:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a1e4283a-d00f-4c04-b605-19b4df73fa29",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:24:01.000Z",
"modified": "2021-11-12T10:24:01.000Z",
"pattern": "[file:hashes.SHA1 = '0a97efa15a62e90d71f643b693b3dd3cf2657b9f' AND file:name = 'WinSys.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T10:24:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d3624e94-1ce5-439d-800d-b14cde62ca8c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:22:26.000Z",
"modified": "2021-11-12T10:22:26.000Z",
"pattern": "[file:hashes.SHA1 = '7f501aeb51ce3232a979ccf0e11278346f746d1f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T10:22:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7ed3898f-469c-4503-9ced-31ef0edc4598",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:23:44.000Z",
"modified": "2021-11-12T10:23:44.000Z",
"pattern": "[file:hashes.SHA1 = '81e6d19865647dc160861e2154d6903fc78c7dfb' AND file:name = 'WinSys.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T10:23:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--bdfbf198-91a4-4e34-87fa-20ffbcb938cb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:22:48.000Z",
"modified": "2021-11-12T10:22:48.000Z",
"pattern": "[file:hashes.SHA1 = 'cae4b2c049542fd28667ca6e9afa440b3f0138f9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T10:22:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--44ecfdbb-15ad-4da5-ae60-ae9e86a8fcbd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:24:37.000Z",
"modified": "2021-11-12T10:24:37.000Z",
"pattern": "[file:hashes.SHA1 = '09f0f17aeccdef5cb1112bc9bef0fe4f828d6d3b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T10:24:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7c8585c7-f16d-4160-b518-f64330929a65",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:24:53.000Z",
"modified": "2021-11-12T10:24:53.000Z",
"pattern": "[file:hashes.SHA1 = '99dc33bedf4cb9bdbdf04cc60e1da55cfbeadc09']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T10:24:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6e6295bb-4caa-4c86-9c3b-7982df4b1579",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:25:14.000Z",
"modified": "2021-11-12T10:25:14.000Z",
"pattern": "[file:hashes.SHA1 = 'c06eeb1600cf4e8aac91730e00dd7c169738afde']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T10:25:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8434d591-d6d9-4043-a68b-b7f7aa7632cb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:25:25.000Z",
"modified": "2021-11-12T10:25:25.000Z",
"pattern": "[file:hashes.SHA1 = 'dcd42b04705b784ad62bb36e17305b6e6414f033']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T10:25:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3a91a09d-baab-4f83-b313-f17e83e6225b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:25:39.000Z",
"modified": "2021-11-12T10:25:39.000Z",
"pattern": "[file:hashes.SHA1 = '374d1a399ef44472ee088563d621df28221cbcce']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T10:25:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8f23b33c-1f63-4a59-88d5-f1913185f8c2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:25:57.000Z",
"modified": "2021-11-12T10:25:57.000Z",
"pattern": "[file:hashes.SHA1 = '8ab33e432c8bee54ae759dfb5346d21387f26902']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T10:25:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5076da52-2497-4dcd-b7eb-6b13bd387df5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:26:14.000Z",
"modified": "2021-11-12T10:26:14.000Z",
"pattern": "[file:hashes.SHA1 = '656c263fa004bb3e6f3ee6ef6767d101869c7f7c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T10:26:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--313ae7bc-b8cb-4fc6-b646-8379f9fb0917",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T10:26:35.000Z",
"modified": "2021-11-12T10:26:35.000Z",
"pattern": "[file:hashes.SHA1 = '1d75bfb18ffc0b820cb36acf8707343fa6679863']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T10:26:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0ac2f3e6-37a7-4ad6-ab4b-b6d20c19e775",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T12:09:42.000Z",
"modified": "2021-11-12T12:09:42.000Z",
"pattern": "[file:hashes.SHA1 = '865f5b87b5f6fb75f3ec68ca05a21cc36446812f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T12:09:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8cb316d8-7c13-4d62-ae36-65336aaa80fb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T12:10:00.000Z",
"modified": "2021-11-12T12:10:00.000Z",
"pattern": "[file:hashes.SHA1 = '9f6df0a011748160b0c18fb2b44ebe9fa9d517e9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T12:10:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d24fb77d-e776-4d2b-9480-4c430733a2d9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T12:10:28.000Z",
"modified": "2021-11-12T12:10:28.000Z",
"pattern": "[file:hashes.SHA1 = '2c22ae243fdc08b84b38d9580900a9a9e3823acf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T12:10:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3bae573d-d93e-468a-8406-47b55de6e76f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T12:10:42.000Z",
"modified": "2021-11-12T12:10:42.000Z",
"pattern": "[file:hashes.SHA1 = 'abc03a234233c63330c744fda784385273af395b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T12:10:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--436005da-d100-4543-9329-6939546bcd98",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T12:12:44.000Z",
"modified": "2021-11-12T12:12:44.000Z",
"pattern": "[file:hashes.SHA1 = '7ad4442d3c02fa145bef9bf18c9464c3e4449224']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T12:12:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59c35d4e-4420-4266-992f-1aa58906e157",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T12:12:58.000Z",
"modified": "2021-11-12T12:12:58.000Z",
"pattern": "[file:hashes.SHA1 = 'a8b4fe8a421c86eae060bb8bf525ef1e1fc133b2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T12:12:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2f941274-cb1e-4499-8407-1af90a163231",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T12:13:23.000Z",
"modified": "2021-11-12T12:13:23.000Z",
"pattern": "[file:hashes.SHA1 = '08077d940f2b385fbd287d84edb58493136c8391']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T12:13:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0e48addd-4a98-4045-9725-3d43918787c9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T12:15:37.000Z",
"modified": "2021-11-12T12:15:37.000Z",
"pattern": "[file:hashes.SHA1 = '27ad0a8a88eab01e2b48ba19d2aaabf360ece5b8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T12:15:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--28c3fa40-019d-4de0-b203-eb3b4921cf08",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T12:16:48.000Z",
"modified": "2021-11-12T12:16:48.000Z",
"pattern": "[file:hashes.SHA1 = '3ac6f9458a4a1a16390379621fdd230c656fc444']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T12:16:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--bf9c1674-2f1d-4a0c-8fa6-7efa805f8dd6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T12:17:32.000Z",
"modified": "2021-11-12T12:17:32.000Z",
"pattern": "[file:hashes.SHA1 = '37e49dbceb1354d508319548a7efbd149bfa0e8d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T12:17:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e2c5cac5-a603-44ad-a47a-e4e11795d57b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T12:17:50.000Z",
"modified": "2021-11-12T12:17:50.000Z",
"pattern": "[file:hashes.SHA1 = 'ca19347287fce93f2c675efdf88c8b0db4910929']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T12:17:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a88b2df4-d1c2-4ad3-8f92-bca70dca1cc5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T12:23:33.000Z",
"modified": "2021-11-12T12:23:33.000Z",
"pattern": "[file:hashes.SHA1 = 'c8c2c127ec6af87d96b058ff023b534f1237215c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T12:23:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--83cd3826-3f69-48e2-b91d-c319ecd366be",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T12:36:30.000Z",
"modified": "2021-11-12T12:36:30.000Z",
"pattern": "[file:hashes.SHA1 = 'c7fe86e5981b39927275873c3a386cb1d8c93a6b' AND file:name = 'WinSys.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T12:36:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d3cc885-69a8-44b6-942d-76a205b5b9bf",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T12:39:33.000Z",
"modified": "2021-11-12T12:39:33.000Z",
"pattern": "[file:hashes.SHA1 = '180b0e6a4a3334aaa4249b3d631695a31eb45d7a' AND file:name = 'WinSys.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T12:39:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c3680318-bdc8-4e35-9722-7401eac56247",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T12:40:03.000Z",
"modified": "2021-11-12T12:40:03.000Z",
"pattern": "[file:hashes.SHA1 = '030b97860ed5a3089c5e8efb8edd7cc359134124' AND file:name = 'WinSys.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T12:40:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--92800ef6-15f8-48b7-90ea-e8a819affda4",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T13:07:58.000Z",
"modified": "2021-11-12T13:07:58.000Z",
"pattern": "[file:hashes.SHA1 = '26f7757602000bcc3c18a887dbc7416ae43bf61a' AND file:name = 'WinSys.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T13:07:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4897f3a4-3ae7-45e3-82a3-b14314cbfc29",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T13:07:08.000Z",
"modified": "2021-11-12T13:07:08.000Z",
"pattern": "[file:hashes.SHA1 = 'abb410a4f863b101c218990664981914d14f1e58' AND file:name = 'WinSys.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T13:07:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2fe0f668-8003-49d9-98e8-d5123f12a56d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T12:36:04.000Z",
"modified": "2021-11-12T12:36:04.000Z",
"pattern": "[file:hashes.SHA1 = '0a8a388911a7a368fc1cf111fb26ba92a19fed3e' AND file:name = 'WinSys.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-12T12:36:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--00757583-07b5-44cf-aaf0-7e71aebf60ff",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-12T13:20:18.000Z",
"modified": "2021-11-12T13:20:18.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/",
"category": "External analysis",
"uuid": "0421b6c2-5056-4448-9950-199a346cada2"
},
{
"type": "text",
"object_relation": "summary",
"value": "ESET researchers have analyzed a previously undocumented, real-world UEFI bootkit that persists on the EFI System Partition (ESP). The bootkit, which we\u2019ve named ESPecter, can bypass Windows Driver Signature Enforcement to load its own unsigned driver, which facilitates its espionage activities. Alongside Kaspersky\u2019s recent discovery of the unrelated FinSpy bootkit, it is now safe to say that real-world UEFI threats are no longer limited to SPI flash implants, as used by Lojax.",
"category": "Other",
"uuid": "6eb32b17-8975-4ca9-994f-21f4e10f2203"
},
{
"type": "text",
"object_relation": "type",
"value": "Online Article",
"category": "Other",
"uuid": "66228cc7-a06e-41fe-bc32-f278038eb512"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--704e5969-5b1d-4325-b7fc-4a6d923bbda5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-19T08:11:44.000Z",
"modified": "2021-11-19T08:11:44.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://github.com/eset/malware-ioc/tree/master/especter",
"category": "External analysis",
"uuid": "d1c1cf4e-6d05-4e71-8e8f-fa03cf3a7ae8"
},
{
"type": "text",
"object_relation": "type",
"value": "Report",
"category": "Other",
"uuid": "b86f621a-6a55-4335-85b1-3d118630e883"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a9021b55-afc0-437c-b972-3079eab113d1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-19T15:31:04.000Z",
"modified": "2021-11-19T15:31:04.000Z",
"pattern": "[file:hashes.MD5 = '6d1a47574ef7598017c13d64769cccfb' AND file:hashes.SHA1 = '1d75bfb18ffc0b820cb36acf8707343fa6679863' AND file:hashes.SHA256 = 'd61417d72a054d45ee33e395079e9d674f891a42ed0ec5357b5a8d91c69858a6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-19T15:31:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--7ef11d83-1085-4d24-910e-5f66372ed7ef",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-19T15:31:04.000Z",
"modified": "2021-11-19T15:31:04.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2021-10-23T06:24:22+00:00",
"category": "Other",
"comment": "Legacy BIOS version installers",
"uuid": "05c8364f-3b9f-43a2-bbfa-bc5ec545ceda"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/d61417d72a054d45ee33e395079e9d674f891a42ed0ec5357b5a8d91c69858a6/detection/f-d61417d72a054d45ee33e395079e9d674f891a42ed0ec5357b5a8d91c69858a6-1634970262",
"category": "Payload delivery",
"comment": "Legacy BIOS version installers",
"uuid": "517a0bfc-2991-4230-8f32-53ae840b286d"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "51/68",
"category": "Payload delivery",
"comment": "Legacy BIOS version installers",
"uuid": "381a6904-7917-4045-abb1-d935df6f7bde"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--31bcc06e-f214-4193-bd07-83a32e27ad7d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-19T15:31:04.000Z",
"modified": "2021-11-19T15:31:04.000Z",
"pattern": "[file:hashes.MD5 = '3846c93e3f937b2ba156d28943be1bc9' AND file:hashes.SHA1 = '2c22ae243fdc08b84b38d9580900a9a9e3823acf' AND file:hashes.SHA256 = '021ec918c30a65a9f93919cedf57e8c935df3e773e03b74704d14fabcab89c5b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-19T15:31:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--aad7d8b5-905e-4cf6-9e67-6182ce4de562",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-19T15:31:04.000Z",
"modified": "2021-11-19T15:31:04.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2021-10-27T13:27:29+00:00",
"category": "Other",
"comment": "Legacy BIOS version installers",
"uuid": "30970fd5-8c1f-400d-a782-c6fd7f440cf8"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/021ec918c30a65a9f93919cedf57e8c935df3e773e03b74704d14fabcab89c5b/detection/f-021ec918c30a65a9f93919cedf57e8c935df3e773e03b74704d14fabcab89c5b-1635341249",
"category": "Payload delivery",
"comment": "Legacy BIOS version installers",
"uuid": "dea2c8bd-664a-4cfb-91dc-925ed568a53e"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "57/68",
"category": "Payload delivery",
"comment": "Legacy BIOS version installers",
"uuid": "fc178cf5-6ef6-4bf9-9647-bf9ad621c001"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e69670e4-f98d-4be6-953c-933b681d802b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-19T15:31:04.000Z",
"modified": "2021-11-19T15:31:04.000Z",
"pattern": "[file:hashes.MD5 = '73ba4d13914f30dd8b36bc2fd561c0df' AND file:hashes.SHA1 = 'c7fe86e5981b39927275873c3a386cb1d8c93a6b' AND file:hashes.SHA256 = 'e2bb96b57fa337e3ee2f7d26b1710a80e89449c41c77ff58073cd386dbf83b63']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-19T15:31:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--3e418ab5-d67d-46cd-b630-f40b287784b7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-19T15:31:04.000Z",
"modified": "2021-11-19T15:31:04.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2021-10-23T05:15:58+00:00",
"category": "Other",
"uuid": "42d04113-0f63-403b-a40e-bae622212d24"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/e2bb96b57fa337e3ee2f7d26b1710a80e89449c41c77ff58073cd386dbf83b63/detection/f-e2bb96b57fa337e3ee2f7d26b1710a80e89449c41c77ff58073cd386dbf83b63-1634966158",
"category": "Payload delivery",
"uuid": "96171dfc-6935-4a36-ac21-57f3bab010e4"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "50/65",
"category": "Payload delivery",
"uuid": "3adb1480-8bc7-40cc-a306-c0a1f6ffd0ea"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0ce970ae-28ab-457c-a377-d083e527e699",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-19T15:31:04.000Z",
"modified": "2021-11-19T15:31:04.000Z",
"pattern": "[file:hashes.MD5 = '2025cc89204d851a57c02a9fd441b619' AND file:hashes.SHA1 = '7f501aeb51ce3232a979ccf0e11278346f746d1f' AND file:hashes.SHA256 = '5ef62c780d7c9f82dea098972f66d5b3367841913444933cdb779adaecd06d1a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-19T15:31:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--9c96483f-0733-4016-80cf-7e5a090da564",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-19T15:31:04.000Z",
"modified": "2021-11-19T15:31:04.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2021-10-27T13:33:01+00:00",
"category": "Other",
"comment": "Legacy BIOS version installers",
"uuid": "32a4ae15-59c8-4768-b6fc-8beb9fbf0ce0"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/5ef62c780d7c9f82dea098972f66d5b3367841913444933cdb779adaecd06d1a/detection/f-5ef62c780d7c9f82dea098972f66d5b3367841913444933cdb779adaecd06d1a-1635341581",
"category": "Payload delivery",
"comment": "Legacy BIOS version installers",
"uuid": "f4b1d9c6-bb59-4700-8263-7855d059bdeb"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "56/67",
"category": "Payload delivery",
"comment": "Legacy BIOS version installers",
"uuid": "1d400c2b-d36d-4506-b05c-897f203ca794"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b9b484e5-731d-432a-b5eb-6013142e1fb7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-19T15:31:04.000Z",
"modified": "2021-11-19T15:31:04.000Z",
"pattern": "[file:hashes.MD5 = '64e1aa6f5dca669ba51678157058d54b' AND file:hashes.SHA1 = '9f6df0a011748160b0c18fb2b44ebe9fa9d517e9' AND file:hashes.SHA256 = '6b0cd074a6c556f4d1fe0088c15160eb13f847974c4307f9eeeea4dc33d49286']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-11-19T15:31:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--6587653a-065f-49f1-958a-83869a219db6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-11-19T15:31:04.000Z",
"modified": "2021-11-19T15:31:04.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2021-10-23T05:36:39+00:00",
"category": "Other",
"comment": "Legacy BIOS version installers",
"uuid": "f97edadd-688f-4cfb-8fb2-b69a83e217f1"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/6b0cd074a6c556f4d1fe0088c15160eb13f847974c4307f9eeeea4dc33d49286/detection/f-6b0cd074a6c556f4d1fe0088c15160eb13f847974c4307f9eeeea4dc33d49286-1634967399",
"category": "Payload delivery",
"comment": "Legacy BIOS version installers",
"uuid": "3e1531f7-83ed-4473-b620-1096d22a40a6"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "52/68",
"category": "Payload delivery",
"comment": "Legacy BIOS version installers",
"uuid": "b5145342-6351-4be6-ac1b-b467ff01969d"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--5c584f12-fade-4aee-908d-9244a748ea04",
"created": "2021-11-19T15:31:04.000Z",
"modified": "2021-11-19T15:31:04.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--a9021b55-afc0-437c-b972-3079eab113d1",
"target_ref": "x-misp-object--7ef11d83-1085-4d24-910e-5f66372ed7ef"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--543bfbbb-475f-4444-af8c-e206383ff211",
"created": "2021-11-19T15:31:04.000Z",
"modified": "2021-11-19T15:31:04.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--31bcc06e-f214-4193-bd07-83a32e27ad7d",
"target_ref": "x-misp-object--aad7d8b5-905e-4cf6-9e67-6182ce4de562"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--672fb3d7-d103-43f1-ae9f-4abbda83f950",
"created": "2021-11-19T15:31:04.000Z",
"modified": "2021-11-19T15:31:04.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--e69670e4-f98d-4be6-953c-933b681d802b",
"target_ref": "x-misp-object--3e418ab5-d67d-46cd-b630-f40b287784b7"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--62dfae1b-93be-4b2e-ab7c-6b46bc0540f0",
"created": "2021-11-19T15:31:05.000Z",
"modified": "2021-11-19T15:31:05.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--0ce970ae-28ab-457c-a377-d083e527e699",
"target_ref": "x-misp-object--9c96483f-0733-4016-80cf-7e5a090da564"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--eaa5f046-875a-44fe-84d8-d2dc6223cd1a",
"created": "2021-11-19T15:31:05.000Z",
"modified": "2021-11-19T15:31:05.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--b9b484e5-731d-432a-b5eb-6013142e1fb7",
"target_ref": "x-misp-object--6587653a-065f-49f1-958a-83869a219db6"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}