1189 lines
No EOL
54 KiB
JSON
1189 lines
No EOL
54 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--2ebc21a4-5635-4a7d-9553-ec5f58be0ee6",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T13:09:20.000Z",
|
|
"modified": "2021-02-02T13:09:20.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--2ebc21a4-5635-4a7d-9553-ec5f58be0ee6",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T13:09:20.000Z",
|
|
"modified": "2021-02-02T13:09:20.000Z",
|
|
"name": "OSINT - Kobalos \u2013 A complex Linux threat to high performance computing infrastructure",
|
|
"published": "2021-02-02T13:11:55Z",
|
|
"object_refs": [
|
|
"observed-data--07103d07-aa9a-4694-a89c-5cd4fc94221e",
|
|
"url--07103d07-aa9a-4694-a89c-5cd4fc94221e",
|
|
"observed-data--fd42b022-1d71-4dda-ab1f-3f9e4a49e663",
|
|
"url--fd42b022-1d71-4dda-ab1f-3f9e4a49e663",
|
|
"x-misp-object--f35188ee-2150-4d49-940a-16d588cf7562",
|
|
"x-misp-object--026c0bbe-8e18-47ff-9069-0ce387459a39",
|
|
"indicator--bbc90dca-7637-45a0-a897-e5832580635e",
|
|
"indicator--59711fce-1669-416e-a863-282972f05a30",
|
|
"indicator--ce16efd3-b989-4fdb-9cad-3cb622be8c92",
|
|
"x-misp-object--96edf472-61bf-4f3c-81ce-932eb0329136",
|
|
"indicator--143c7525-68f6-4367-97a8-4540bdffa019",
|
|
"indicator--422f962e-0a08-4bf4-9d95-406422b35bcb",
|
|
"indicator--56810ac9-e525-446d-b903-62fa770ae06a",
|
|
"indicator--394bf3c8-c3a2-412d-828c-d5e2b0c6811f",
|
|
"indicator--0fa4cd2e-4304-4657-99ad-962f7eb548f0",
|
|
"x-misp-object--5564a28d-f2a5-41da-9339-6b72f64c6832",
|
|
"indicator--683e6644-bb2e-4ae9-b1e4-139453b8402e",
|
|
"x-misp-object--f10e10ba-0d66-4505-a4d5-1689c9f5e25b",
|
|
"indicator--84bd6b39-8189-4eee-8fef-6d9ee06306a1",
|
|
"x-misp-object--b2a8b157-a04f-484f-8d88-549ede5b0068",
|
|
"indicator--68ac0130-82b6-4709-ae98-cee6fe7fb4ed",
|
|
"indicator--d4f9f303-b8b7-421a-b1bc-b2ad6f0396c6",
|
|
"x-misp-object--fe1474ac-d0a1-4792-8936-e25686ad6662",
|
|
"indicator--1e04dc6e-de14-441d-a7f6-09a5d54f0667",
|
|
"indicator--137efbb9-75cd-46e9-8dba-7d8e36a983b5",
|
|
"x-misp-object--6743c14d-5278-41a1-a8d2-678f94f59d6d",
|
|
"indicator--cd4a56fb-10a5-46f9-868e-2d2d9cee93c5",
|
|
"x-misp-object--5d93ad07-c377-43cc-b9e4-1b0ab3d0da83",
|
|
"indicator--bb8fc68e-77a6-4115-abf5-3fc14c1039dd",
|
|
"x-misp-object--a9cacc5a-a03f-463a-95a1-854718064bb3",
|
|
"x-misp-object--8dc33498-4ead-4457-a3eb-e85032df1405",
|
|
"indicator--b4f748c5-41f0-4a59-bf7a-069086896c94",
|
|
"x-misp-object--5b93ec98-7b27-4038-b9ca-6c8ae8ae44da",
|
|
"indicator--577cde70-7de9-4776-975b-9c0100ceae5e",
|
|
"x-misp-object--977fbf1c-4163-45ce-a014-4f58536d3703",
|
|
"indicator--9a711583-6ce7-4265-aba8-7350383961b6",
|
|
"x-misp-object--3f558b7a-d342-4090-92a2-82e2210b68e7",
|
|
"relationship--ad44ea65-909e-41a5-8725-de45cefa54d8",
|
|
"relationship--f6242472-e158-4382-956c-b7f6382ed60e",
|
|
"relationship--8b08d00b-d6f5-4939-842b-343192e434d4",
|
|
"relationship--9aca85e7-101c-4336-8579-e3af4507c099",
|
|
"relationship--8563ab2e-388b-4039-a41f-2c7b804ff697",
|
|
"relationship--2d9795e1-802a-40c9-8b64-997ad973b375",
|
|
"relationship--410675f0-b7c9-4b73-80cd-526e64d42979",
|
|
"relationship--871f8591-e619-47c4-9a86-d62e1fe5c731",
|
|
"relationship--785b9204-7d53-4276-a7fc-1a45067231df",
|
|
"relationship--d9488286-2d44-4c90-8158-b3dafa1aae88",
|
|
"relationship--ac1a99f1-908a-403f-a95d-21d931338608",
|
|
"relationship--e4958db3-eb6a-49ca-8ba1-e81b612efe30",
|
|
"relationship--b59b54aa-1e63-4c73-a90a-cddda95125cb",
|
|
"relationship--b1b4bb68-3d5d-447d-bd49-ec37a82bfe5c",
|
|
"relationship--11dd2d0d-cc9e-481b-8446-cc34c244a165"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"type:OSINT",
|
|
"osint:lifetime=\"perpetual\"",
|
|
"estimative-language:confidence-in-analytic-judgment=\"high\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Compromise Client Software Binary - T1554\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Traffic Signaling - T1205\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Clear Command History - T1070.003\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Timestomp - T1070.006\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--07103d07-aa9a-4694-a89c-5cd4fc94221e",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T13:02:20.000Z",
|
|
"modified": "2021-02-02T13:02:20.000Z",
|
|
"first_observed": "2021-02-02T13:02:20Z",
|
|
"last_observed": "2021-02-02T13:02:20Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--07103d07-aa9a-4694-a89c-5cd4fc94221e"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--07103d07-aa9a-4694-a89c-5cd4fc94221e",
|
|
"value": "https://github.com/eset/malware-ioc/blob/master/kobalos/README.adoc"
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--fd42b022-1d71-4dda-ab1f-3f9e4a49e663",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T13:02:20.000Z",
|
|
"modified": "2021-02-02T13:02:20.000Z",
|
|
"first_observed": "2021-02-02T13:02:20Z",
|
|
"last_observed": "2021-02-02T13:02:20Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--fd42b022-1d71-4dda-ab1f-3f9e4a49e663"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--fd42b022-1d71-4dda-ab1f-3f9e4a49e663",
|
|
"value": "https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--f35188ee-2150-4d49-940a-16d588cf7562",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T11:07:49.000Z",
|
|
"modified": "2021-02-02T11:07:49.000Z",
|
|
"labels": [
|
|
"misp:name=\"crypto-material\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "type",
|
|
"value": "RC4",
|
|
"category": "Other",
|
|
"uuid": "02240c3f-3379-48bc-ac66-849be8ab76ba"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "generic-symmetric-key",
|
|
"value": "AE0E05090F3AC2B50B1BC6E91D2FE3CE",
|
|
"category": "Other",
|
|
"uuid": "809ba87e-5329-498a-86ae-66755abaf2e9"
|
|
}
|
|
],
|
|
"x_misp_comment": "Static RC4 key for strings",
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "crypto-material"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--026c0bbe-8e18-47ff-9069-0ce387459a39",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T11:08:40.000Z",
|
|
"modified": "2021-02-02T11:08:40.000Z",
|
|
"labels": [
|
|
"misp:name=\"crypto-material\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "type",
|
|
"value": "RSA",
|
|
"category": "Other",
|
|
"uuid": "2b4462a4-6d51-4f69-8e02-6308c444d046"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "public",
|
|
"value": "-----BEGIN PUBLIC KEY-----\r\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAOUgD8sEF1kZ04QxCd60HrB+TxWnLQED\r\nwzb0sZ8vMMD6xnUAJspdYzSVDnRnKYjTOM43qtLNcJOwVj6cuC1uHHMCAwEAAQ==\r\n-----END PUBLIC KEY-----",
|
|
"category": "Other",
|
|
"uuid": "6030c4fb-79de-4652-9e2c-cda3a0dca7b4"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "crypto-material"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--bbc90dca-7637-45a0-a897-e5832580635e",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T11:09:49.000Z",
|
|
"modified": "2021-02-02T11:09:49.000Z",
|
|
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '151.80.57.191') AND network-traffic:dst_port = '7070']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-02-02T11:09:49Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "network"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"ip-port\"",
|
|
"misp:meta-category=\"network\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59711fce-1669-416e-a863-282972f05a30",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T13:09:20.000Z",
|
|
"modified": "2021-02-02T13:09:20.000Z",
|
|
"description": "Stand-alone binary - (Debian OS) - Connects to 151.80.57.191:7070",
|
|
"pattern": "[file:hashes.SHA1 = '479f470e83f9a5b66363fba5547fdfcf727949da' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-02-02T13:09:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--ce16efd3-b989-4fdb-9cad-3cb622be8c92",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T11:12:06.000Z",
|
|
"modified": "2021-02-02T11:12:06.000Z",
|
|
"pattern": "[file:hashes.MD5 = '2c693d26ba9df26edf77557c1a709528' AND file:hashes.SHA1 = '479f470e83f9a5b66363fba5547fdfcf727949da' AND file:hashes.SHA256 = '73576d5a21ec2f164fe37bea86964e18dca1b800a8c7a104223cc35d74e7bd58']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-02-02T11:12:06Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--96edf472-61bf-4f3c-81ce-932eb0329136",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T11:12:07.000Z",
|
|
"modified": "2021-02-02T11:12:07.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2021-02-01T18:56:46+00:00",
|
|
"category": "Other",
|
|
"uuid": "35baa849-71a0-4406-a3b8-7135a4442667"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/gui/file/73576d5a21ec2f164fe37bea86964e18dca1b800a8c7a104223cc35d74e7bd58/detection/f-73576d5a21ec2f164fe37bea86964e18dca1b800a8c7a104223cc35d74e7bd58-1612205806",
|
|
"category": "Payload delivery",
|
|
"uuid": "b451437f-a3ad-4026-a74f-ed19ae19bce1"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "3/62",
|
|
"category": "Payload delivery",
|
|
"uuid": "1b93b043-b92b-489d-8372-2c0df9f680f2"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--143c7525-68f6-4367-97a8-4540bdffa019",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T11:14:55.000Z",
|
|
"modified": "2021-02-02T11:14:55.000Z",
|
|
"description": "RHEL\r\n\t\r\n\r\nsshd\r\n\t\r\n\r\nWait for connection from source port 55201",
|
|
"pattern": "[file:hashes.SHA1 = 'fbf0a76ced2939d1f7ec5f9ea58c5a294207f7fe' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-02-02T11:14:55Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--422f962e-0a08-4bf4-9d95-406422b35bcb",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T11:17:54.000Z",
|
|
"modified": "2021-02-02T11:17:54.000Z",
|
|
"description": "FreeBSD\r\n\t\r\n\r\nsshd Wait for connection from source port 55201",
|
|
"pattern": "[file:hashes.SHA1 = 'affa12cc94578d63a8b178ae19f6601d5c8bb224' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-02-02T11:17:54Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56810ac9-e525-446d-b903-62fa770ae06a",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T11:18:39.000Z",
|
|
"modified": "2021-02-02T11:18:39.000Z",
|
|
"description": "Ubuntu\r\n\t\r\n\r\nsshd\r\n\t\r\n\r\nWait for connection from source port 55201",
|
|
"pattern": "[file:hashes.SHA1 = '325f24e8f5d56db43d6914d9234c08c888cdae50' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-02-02T11:18:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--394bf3c8-c3a2-412d-828c-d5e2b0c6811f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T11:19:54.000Z",
|
|
"modified": "2021-02-02T11:19:54.000Z",
|
|
"description": "Arch Linux\r\n\t\r\n\r\nsshd\r\n\t\r\n\r\nWait for connection from source port 55201",
|
|
"pattern": "[file:hashes.SHA1 = 'a4050a8171b0fa3ae9031e0f8b7272facf04a3aa' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-02-02T11:19:54Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--0fa4cd2e-4304-4657-99ad-962f7eb548f0",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T12:49:26.000Z",
|
|
"modified": "2021-02-02T12:49:26.000Z",
|
|
"description": "SSH credential stealer ",
|
|
"pattern": "[file:hashes.SHA1 = '6616de799b5105ee2eb83bbe25c7f4433420dff7' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-02-02T12:49:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--5564a28d-f2a5-41da-9339-6b72f64c6832",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T11:22:41.000Z",
|
|
"modified": "2021-02-02T11:22:41.000Z",
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "fullpath",
|
|
"value": "/var/run/nscd/ns.pid",
|
|
"category": "Other",
|
|
"uuid": "ce3d187a-ca3b-4be6-9cc4-74a7169a1868"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "file",
|
|
"x_misp_name": "file"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--683e6644-bb2e-4ae9-b1e4-139453b8402e",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T12:51:48.000Z",
|
|
"modified": "2021-02-02T12:51:48.000Z",
|
|
"description": "SSH credential stealer ",
|
|
"pattern": "[file:hashes.SHA1 = 'e094dd02cc954b6104791925e0d1880782b046cf' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-02-02T12:51:48Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--f10e10ba-0d66-4505-a4d5-1689c9f5e25b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T12:51:24.000Z",
|
|
"modified": "2021-02-02T12:51:24.000Z",
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "fullpath",
|
|
"value": "/var/run/udev/ud.pid",
|
|
"category": "Other",
|
|
"uuid": "bf6ee019-dcf4-465b-9897-6c9752b717d3"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "file",
|
|
"x_misp_name": "file"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--84bd6b39-8189-4eee-8fef-6d9ee06306a1",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T12:56:24.000Z",
|
|
"modified": "2021-02-02T12:56:24.000Z",
|
|
"description": "SSH credential stealer FreeBSD",
|
|
"pattern": "[file:hashes.SHA1 = '1dd0edc5744d63a731db8c3b42efbd09d91fed78' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-02-02T12:56:24Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--b2a8b157-a04f-484f-8d88-549ede5b0068",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T12:55:48.000Z",
|
|
"modified": "2021-02-02T12:55:48.000Z",
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "fullpath",
|
|
"value": "/var/run/udevd.pid",
|
|
"category": "Other",
|
|
"uuid": "364d8668-bf3b-4cf1-8841-e38c9a1c8b15"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "file",
|
|
"x_misp_name": "file"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--68ac0130-82b6-4709-ae98-cee6fe7fb4ed",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T12:57:50.000Z",
|
|
"modified": "2021-02-02T12:57:50.000Z",
|
|
"description": "SSH credential stealer ",
|
|
"pattern": "[file:hashes.SHA1 = 'c1f530d3c189b9a74dbe02cfeb29f38be8ca41ba' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-02-02T12:57:50Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--d4f9f303-b8b7-421a-b1bc-b2ad6f0396c6",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T12:59:16.000Z",
|
|
"modified": "2021-02-02T12:59:16.000Z",
|
|
"description": "SSH credential stealer ",
|
|
"pattern": "[file:hashes.SHA1 = '659cbdf9288137937bb71146b6f722ffcda1c5fe' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-02-02T12:59:16Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--fe1474ac-d0a1-4792-8936-e25686ad6662",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T12:58:51.000Z",
|
|
"modified": "2021-02-02T12:58:51.000Z",
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "fullpath",
|
|
"value": "/var/run/sshd/sshd.pid",
|
|
"category": "Other",
|
|
"uuid": "2940c1e1-451c-40a0-ab8b-bf02d05bec56"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "file",
|
|
"x_misp_name": "file"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--1e04dc6e-de14-441d-a7f6-09a5d54f0667",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T13:00:20.000Z",
|
|
"modified": "2021-02-02T13:00:20.000Z",
|
|
"pattern": "rule kobalos\r\n{\r\n meta:\r\n description = \\\\\"Kobalos malware\\\\\"\r\n author = \\\\\"Marc-Etienne M.L\u00e9veill\u00e9\\\\\"\r\n date = \\\\\"2020-11-02\\\\\"\r\n reference = \\\\\"http://www.welivesecurity.com\\\\\"\r\n source = \\\\\"https://github.com/eset/malware-ioc/\\\\\"\r\n license = \\\\\"BSD 2-Clause\\\\\"\r\n version = \\\\\"1\\\\\"\r\n\r\n strings:\r\n $encrypted_strings_sizes = {\r\n 05 00 00 00 09 00 00 00 04 00 00 00 06 00 00 00\r\n 08 00 00 00 08 00 00 00 02 00 00 00 02 00 00 00\r\n 01 00 00 00 01 00 00 00 05 00 00 00 07 00 00 00\r\n 05 00 00 00 05 00 00 00 05 00 00 00 0A 00 00 00\r\n }\r\n $password_md5_digest = { 3ADD48192654BD558A4A4CED9C255C4C }\r\n $rsa_512_mod_header = { 10 11 02 00 09 02 00 }\r\n $strings_rc4_key = { AE0E05090F3AC2B50B1BC6E91D2FE3CE }\r\n\r\n condition:\r\n any of them\r\n}",
|
|
"pattern_type": "yara",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-02-02T13:00:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "misc"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"yara\"",
|
|
"misp:meta-category=\"misc\"",
|
|
"misp:to_ids=\"True\""
|
|
],
|
|
"x_misp_context": "all"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--137efbb9-75cd-46e9-8dba-7d8e36a983b5",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T13:00:55.000Z",
|
|
"modified": "2021-02-02T13:00:55.000Z",
|
|
"pattern": "rule kobalos_ssh_credential_stealer {\r\n meta:\r\n description = \\\\\"Kobalos SSH credential stealer seen in OpenSSH client\\\\\"\r\n author = \\\\\"Marc-Etienne M.L\u00e9veill\u00e9\\\\\"\r\n date = \\\\\"2020-11-02\\\\\"\r\n reference = \\\\\"http://www.welivesecurity.com\\\\\"\r\n source = \\\\\"https://github.com/eset/malware-ioc/\\\\\"\r\n license = \\\\\"BSD 2-Clause\\\\\"\r\n version = \\\\\"1\\\\\"\r\n\r\n strings:\r\n $ = \\\\\"user: \\\\%.128s host: \\\\%.128s port \\\\%05d user: \\\\%.128s password: \\\\%.128s\\\\\"\r\n\r\n condition:\r\n any of them\r\n}",
|
|
"pattern_type": "yara",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-02-02T13:00:55Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "misc"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"yara\"",
|
|
"misp:meta-category=\"misc\"",
|
|
"misp:to_ids=\"True\""
|
|
],
|
|
"x_misp_context": "all"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--6743c14d-5278-41a1-a8d2-678f94f59d6d",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T13:03:24.000Z",
|
|
"modified": "2021-02-02T13:03:24.000Z",
|
|
"labels": [
|
|
"misp:name=\"report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "summary",
|
|
"value": "ESET researchers have analyzed malware that has been targeting high performance computing (HPC) clusters, among other high-profile targets. We reverse engineered this small, yet complex, malware that is portable to many operating systems including Linux, BSD, Solaris, and possibly AIX and Windows. We have named this malware Kobalos for its tiny code size and many tricks; in Greek mythology, a Kobalos is a small, mischievous creature. Today we publish a paper titled \u201cA wild Kobalos appears: Tricksy Linux malware goes after HPCs\u201d describing the inner working of this threat.",
|
|
"category": "Other",
|
|
"uuid": "de941abb-8360-41fd-88b8-14ab18906b30"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--cd4a56fb-10a5-46f9-868e-2d2d9cee93c5",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T13:09:20.000Z",
|
|
"modified": "2021-02-02T13:09:20.000Z",
|
|
"pattern": "[file:hashes.MD5 = '4e52980f06f211668df959175d6c3d58' AND file:hashes.SHA1 = 'e094dd02cc954b6104791925e0d1880782b046cf' AND file:hashes.SHA256 = '75edf6662811d001da179b96bd06d675aa2439fd88a981cc84f24b4a5b4f8f45']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-02-02T13:09:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--5d93ad07-c377-43cc-b9e4-1b0ab3d0da83",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T13:09:20.000Z",
|
|
"modified": "2021-02-02T13:09:20.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2020-03-04T18:41:56+00:00",
|
|
"category": "Other",
|
|
"uuid": "8135e42c-4a36-47da-b8ad-595dcda6a2e6"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/gui/file/75edf6662811d001da179b96bd06d675aa2439fd88a981cc84f24b4a5b4f8f45/detection/f-75edf6662811d001da179b96bd06d675aa2439fd88a981cc84f24b4a5b4f8f45-1583347316",
|
|
"category": "Payload delivery",
|
|
"uuid": "e5a8ebcf-af6e-444f-adc6-f8465fae0676"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "0/61",
|
|
"category": "Payload delivery",
|
|
"uuid": "4ff0afc9-cac1-44be-b730-67fe00f15bef"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--bb8fc68e-77a6-4115-abf5-3fc14c1039dd",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T13:09:20.000Z",
|
|
"modified": "2021-02-02T13:09:20.000Z",
|
|
"pattern": "[file:hashes.MD5 = '87837cc81c346e2a38ab1fe5e4826af2' AND file:hashes.SHA1 = '6616de799b5105ee2eb83bbe25c7f4433420dff7' AND file:hashes.SHA256 = '6c36e0341ea1529665de88b690a19a18ea02d2a2a5bae6d745e01efc194e486a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-02-02T13:09:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--a9cacc5a-a03f-463a-95a1-854718064bb3",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T13:09:20.000Z",
|
|
"modified": "2021-02-02T13:09:20.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2021-02-02T11:56:14+00:00",
|
|
"category": "Other",
|
|
"uuid": "a1c31bf0-5438-4d5b-b6df-f13319a1cc84"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/gui/file/6c36e0341ea1529665de88b690a19a18ea02d2a2a5bae6d745e01efc194e486a/detection/f-6c36e0341ea1529665de88b690a19a18ea02d2a2a5bae6d745e01efc194e486a-1612266974",
|
|
"category": "Payload delivery",
|
|
"uuid": "6299cd4c-b13d-42a4-94b3-6254cfd7fd59"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "1/62",
|
|
"category": "Payload delivery",
|
|
"uuid": "2eeeaca5-5c72-4ea2-8c76-591780ddab71"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--8dc33498-4ead-4457-a3eb-e85032df1405",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T13:09:20.000Z",
|
|
"modified": "2021-02-02T13:09:20.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2021-02-01T18:56:46+00:00",
|
|
"category": "Other",
|
|
"uuid": "40f30083-4b87-42ab-b515-9f8e07055145"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/gui/file/73576d5a21ec2f164fe37bea86964e18dca1b800a8c7a104223cc35d74e7bd58/detection/f-73576d5a21ec2f164fe37bea86964e18dca1b800a8c7a104223cc35d74e7bd58-1612205806",
|
|
"category": "Payload delivery",
|
|
"uuid": "fc710595-3fb3-4fcf-87b0-daa1a5f69423"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "3/62",
|
|
"category": "Payload delivery",
|
|
"uuid": "bf6548e5-2428-455c-929d-3a342ec0f4bf"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--b4f748c5-41f0-4a59-bf7a-069086896c94",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T13:09:20.000Z",
|
|
"modified": "2021-02-02T13:09:20.000Z",
|
|
"pattern": "[file:hashes.MD5 = '7538d0ec96869fd53d7c613a108846c0' AND file:hashes.SHA1 = 'fbf0a76ced2939d1f7ec5f9ea58c5a294207f7fe' AND file:hashes.SHA256 = 'd51cb52136931af5ebd8628b64d6cd1327a99196b102d246f52d878ffb581983']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-02-02T13:09:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--5b93ec98-7b27-4038-b9ca-6c8ae8ae44da",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T13:09:20.000Z",
|
|
"modified": "2021-02-02T13:09:20.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2021-02-02T08:05:42+00:00",
|
|
"category": "Other",
|
|
"uuid": "7f072142-4e7c-490a-9f1d-7c5c3f563499"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/gui/file/d51cb52136931af5ebd8628b64d6cd1327a99196b102d246f52d878ffb581983/detection/f-d51cb52136931af5ebd8628b64d6cd1327a99196b102d246f52d878ffb581983-1612253142",
|
|
"category": "Payload delivery",
|
|
"uuid": "88f8d78d-9e9e-4931-a826-85529a90ccfa"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "1/62",
|
|
"category": "Payload delivery",
|
|
"uuid": "d11eb3b0-2889-45d8-8f90-f7021df6568c"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--577cde70-7de9-4776-975b-9c0100ceae5e",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T13:09:20.000Z",
|
|
"modified": "2021-02-02T13:09:20.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'f54ba4ac2eeb5c12a513872acabecbc6' AND file:hashes.SHA1 = 'affa12cc94578d63a8b178ae19f6601d5c8bb224' AND file:hashes.SHA256 = '9ed33b43e679ad98615e1a4e8c46dbeb9b93271625e46f4b4d021099b4b6fb74']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-02-02T13:09:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--977fbf1c-4163-45ce-a014-4f58536d3703",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T13:09:20.000Z",
|
|
"modified": "2021-02-02T13:09:20.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2021-02-01T18:58:25+00:00",
|
|
"category": "Other",
|
|
"uuid": "cae3f6bb-2b69-48eb-9099-658fc16919d7"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/gui/file/9ed33b43e679ad98615e1a4e8c46dbeb9b93271625e46f4b4d021099b4b6fb74/detection/f-9ed33b43e679ad98615e1a4e8c46dbeb9b93271625e46f4b4d021099b4b6fb74-1612205905",
|
|
"category": "Payload delivery",
|
|
"uuid": "4bf2aad3-5dc1-4a81-8c15-4f74538f9c8e"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "1/61",
|
|
"category": "Payload delivery",
|
|
"uuid": "66364ddf-d38e-4d5a-8082-ba0682f6eb3b"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--9a711583-6ce7-4265-aba8-7350383961b6",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T13:09:20.000Z",
|
|
"modified": "2021-02-02T13:09:20.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'bc49dd3da0b2cb1425a466a3d2f0ed41' AND file:hashes.SHA1 = '1dd0edc5744d63a731db8c3b42efbd09d91fed78' AND file:hashes.SHA256 = '13cbde1b79ca195a06697df937580c82c0e1cd90cc91c18ddfe4a7802e8e923a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-02-02T13:09:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--3f558b7a-d342-4090-92a2-82e2210b68e7",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-02-02T13:09:20.000Z",
|
|
"modified": "2021-02-02T13:09:20.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2020-03-09T08:44:44+00:00",
|
|
"category": "Other",
|
|
"uuid": "2b6ecaa2-bbe1-4903-b28b-8672896fb4d5"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/gui/file/13cbde1b79ca195a06697df937580c82c0e1cd90cc91c18ddfe4a7802e8e923a/detection/f-13cbde1b79ca195a06697df937580c82c0e1cd90cc91c18ddfe4a7802e8e923a-1583743484",
|
|
"category": "Payload delivery",
|
|
"uuid": "99713b59-7b94-4c9f-9223-84190b6f00d3"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "0/59",
|
|
"category": "Payload delivery",
|
|
"uuid": "227fe71f-0426-4338-b83e-890fc2a5e5ef"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--ad44ea65-909e-41a5-8725-de45cefa54d8",
|
|
"created": "1970-01-01T00:00:00.000Z",
|
|
"modified": "1970-01-01T00:00:00.000Z",
|
|
"relationship_type": "connects-to",
|
|
"source_ref": "indicator--59711fce-1669-416e-a863-282972f05a30",
|
|
"target_ref": "indicator--bbc90dca-7637-45a0-a897-e5832580635e"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--f6242472-e158-4382-956c-b7f6382ed60e",
|
|
"created": "1970-01-01T00:00:00.000Z",
|
|
"modified": "1970-01-01T00:00:00.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--59711fce-1669-416e-a863-282972f05a30",
|
|
"target_ref": "x-misp-object--8dc33498-4ead-4457-a3eb-e85032df1405"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--8b08d00b-d6f5-4939-842b-343192e434d4",
|
|
"created": "1970-01-01T00:00:00.000Z",
|
|
"modified": "1970-01-01T00:00:00.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--ce16efd3-b989-4fdb-9cad-3cb622be8c92",
|
|
"target_ref": "x-misp-object--96edf472-61bf-4f3c-81ce-932eb0329136"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--9aca85e7-101c-4336-8579-e3af4507c099",
|
|
"created": "1970-01-01T00:00:00.000Z",
|
|
"modified": "1970-01-01T00:00:00.000Z",
|
|
"relationship_type": "writes",
|
|
"source_ref": "indicator--0fa4cd2e-4304-4657-99ad-962f7eb548f0",
|
|
"target_ref": "x-misp-object--5564a28d-f2a5-41da-9339-6b72f64c6832"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--8563ab2e-388b-4039-a41f-2c7b804ff697",
|
|
"created": "1970-01-01T00:00:00.000Z",
|
|
"modified": "1970-01-01T00:00:00.000Z",
|
|
"relationship_type": "writes",
|
|
"source_ref": "indicator--683e6644-bb2e-4ae9-b1e4-139453b8402e",
|
|
"target_ref": "x-misp-object--f10e10ba-0d66-4505-a4d5-1689c9f5e25b"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--2d9795e1-802a-40c9-8b64-997ad973b375",
|
|
"created": "1970-01-01T00:00:00.000Z",
|
|
"modified": "1970-01-01T00:00:00.000Z",
|
|
"relationship_type": "writes",
|
|
"source_ref": "indicator--84bd6b39-8189-4eee-8fef-6d9ee06306a1",
|
|
"target_ref": "x-misp-object--b2a8b157-a04f-484f-8d88-549ede5b0068"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--410675f0-b7c9-4b73-80cd-526e64d42979",
|
|
"created": "1970-01-01T00:00:00.000Z",
|
|
"modified": "1970-01-01T00:00:00.000Z",
|
|
"relationship_type": "writes",
|
|
"source_ref": "indicator--68ac0130-82b6-4709-ae98-cee6fe7fb4ed",
|
|
"target_ref": "x-misp-object--5564a28d-f2a5-41da-9339-6b72f64c6832"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--871f8591-e619-47c4-9a86-d62e1fe5c731",
|
|
"created": "1970-01-01T00:00:00.000Z",
|
|
"modified": "1970-01-01T00:00:00.000Z",
|
|
"relationship_type": "writes",
|
|
"source_ref": "indicator--d4f9f303-b8b7-421a-b1bc-b2ad6f0396c6",
|
|
"target_ref": "x-misp-object--fe1474ac-d0a1-4792-8936-e25686ad6662"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--785b9204-7d53-4276-a7fc-1a45067231df",
|
|
"created": "1970-01-01T00:00:00.000Z",
|
|
"modified": "1970-01-01T00:00:00.000Z",
|
|
"relationship_type": "references",
|
|
"source_ref": "x-misp-object--6743c14d-5278-41a1-a8d2-678f94f59d6d",
|
|
"target_ref": "observed-data--07103d07-aa9a-4694-a89c-5cd4fc94221e"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--d9488286-2d44-4c90-8158-b3dafa1aae88",
|
|
"created": "1970-01-01T00:00:00.000Z",
|
|
"modified": "1970-01-01T00:00:00.000Z",
|
|
"relationship_type": "references",
|
|
"source_ref": "x-misp-object--6743c14d-5278-41a1-a8d2-678f94f59d6d",
|
|
"target_ref": "observed-data--fd42b022-1d71-4dda-ab1f-3f9e4a49e663"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--ac1a99f1-908a-403f-a95d-21d931338608",
|
|
"created": "1970-01-01T00:00:00.000Z",
|
|
"modified": "1970-01-01T00:00:00.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--cd4a56fb-10a5-46f9-868e-2d2d9cee93c5",
|
|
"target_ref": "x-misp-object--5d93ad07-c377-43cc-b9e4-1b0ab3d0da83"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--e4958db3-eb6a-49ca-8ba1-e81b612efe30",
|
|
"created": "1970-01-01T00:00:00.000Z",
|
|
"modified": "1970-01-01T00:00:00.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--bb8fc68e-77a6-4115-abf5-3fc14c1039dd",
|
|
"target_ref": "x-misp-object--a9cacc5a-a03f-463a-95a1-854718064bb3"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--b59b54aa-1e63-4c73-a90a-cddda95125cb",
|
|
"created": "1970-01-01T00:00:00.000Z",
|
|
"modified": "1970-01-01T00:00:00.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--b4f748c5-41f0-4a59-bf7a-069086896c94",
|
|
"target_ref": "x-misp-object--5b93ec98-7b27-4038-b9ca-6c8ae8ae44da"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--b1b4bb68-3d5d-447d-bd49-ec37a82bfe5c",
|
|
"created": "1970-01-01T00:00:00.000Z",
|
|
"modified": "1970-01-01T00:00:00.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--577cde70-7de9-4776-975b-9c0100ceae5e",
|
|
"target_ref": "x-misp-object--977fbf1c-4163-45ce-a014-4f58536d3703"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--11dd2d0d-cc9e-481b-8446-cc34c244a165",
|
|
"created": "1970-01-01T00:00:00.000Z",
|
|
"modified": "1970-01-01T00:00:00.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--9a711583-6ce7-4265-aba8-7350383961b6",
|
|
"target_ref": "x-misp-object--3f558b7a-d342-4090-92a2-82e2210b68e7"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |