adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/5b1a247e-2ca0-4132-9210-4b5c950d210f.json

576 lines
No EOL
25 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--5b1a247e-2ca0-4132-9210-4b5c950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-13T12:09:19.000Z",
"modified": "2018-06-13T12:09:19.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5b1a247e-2ca0-4132-9210-4b5c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-13T12:09:19.000Z",
"modified": "2018-06-13T12:09:19.000Z",
"name": "OSINT - PLEAD Downloader Used by BlackTech",
"published": "2018-06-13T15:38:35Z",
"object_refs": [
"observed-data--5b1a2875-c1a4-4f26-bd0e-4114950d210f",
"url--5b1a2875-c1a4-4f26-bd0e-4114950d210f",
"x-misp-attribute--5b1a288c-3f38-4fe7-ae67-4bf8950d210f",
"indicator--5b1a3368-3038-4087-9526-48ad950d210f",
"indicator--5b1a3369-e80c-44c4-9aea-4ac3950d210f",
"indicator--5b1a336a-8174-4113-8e83-40b1950d210f",
"indicator--5b1a336b-1bac-43b5-a0b3-4d10950d210f",
"indicator--5b1a336c-85bc-4802-b014-4eda950d210f",
"x-misp-object--5b1a2658-b030-445a-a759-4d35950d210f",
"indicator--5b1a2d6a-5750-4781-8f5b-4851950d210f",
"indicator--5b1a2da7-ed88-444a-89e2-4906950d210f",
"indicator--5b1a306c-bd54-4540-a856-45c0950d210f",
"indicator--5b1a30f7-6900-4a9a-bbb4-4302950d210f",
"indicator--5b1a3296-49dc-44e9-92a5-49e3950d210f",
"x-misp-object--a0d856e3-b418-4bb2-b43d-6d49deb9ad90",
"x-misp-object--73db3348-942a-4a3d-b49c-2b583a468f0e",
"x-misp-object--4219f752-d15a-432c-a61f-96110776542c",
"x-misp-object--14f64b5c-4b8f-466f-adb7-6ae747ea8d3a",
"x-misp-object--b1043de8-cbda-4643-ba40-b859674fcb3b",
"x-misp-object--94567159-8daf-424a-931c-a92997695b6e",
"x-misp-object--e31dadf4-722b-4f28-aae2-7970b10d50f7",
"x-misp-object--12242c4a-f4d9-444f-abd3-27deff5869a1",
"relationship--c947eef3-d508-4c4e-a11d-c86646069c56",
"relationship--c3921172-f2bd-4c6b-aed3-bde38d91cf88",
"relationship--bb93ea38-18d7-4fd6-9382-8f9cbfdcfec7",
"relationship--9b796613-18ff-405c-b6d6-1a53c9b0c0c8"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"circl:incident-classification=\"malware\"",
"osint:source-type=\"blog-post\"",
"ms-caro-malware:malware-type=\"RemoteAccess\"",
"misp-galaxy:tool=\"PLEAD Downloader\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b1a2875-c1a4-4f26-bd0e-4114950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-08T06:56:20.000Z",
"modified": "2018-06-08T06:56:20.000Z",
"first_observed": "2018-06-08T06:56:20Z",
"last_observed": "2018-06-08T06:56:20Z",
"number_observed": 1,
"object_refs": [
"url--5b1a2875-c1a4-4f26-bd0e-4114950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b1a2875-c1a4-4f26-bd0e-4114950d210f",
"value": "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b1a288c-3f38-4fe7-ae67-4bf8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-08T06:56:28.000Z",
"modified": "2018-06-08T06:56:28.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "In a past article, we introduced TSCookie, malware which seems to be used by BlackTech[1]. It has been revealed that this actor also uses another type of malware \u00e2\u20ac\u0153PLEAD\u00e2\u20ac\u009d. (\u00e2\u20ac\u0153PLEAD\u00e2\u20ac\u009d is referred to both as a name of malware including TSCookie and its attack campaign [2]. In this article, we refer to \u00e2\u20ac\u0153PLEAD\u00e2\u20ac\u009d as a type malware apart from TSCookie.) PLEAD has two kinds \u00e2\u20ac\u201c RAT (Remote Access Tool) and downloader. The RAT operates based on commands that are provided from C&C servers.\u00e3\u20ac\u20ac(Please refer to a blog post from LAC for more information [3].) On the other hand, PLEAD downloader downloads modules and runs it on memory in the same way as TSCookie does.\r\n\r\nThis article presents behaviour of PLEAD downloader in detail."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b1a3368-3038-4087-9526-48ad950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-08T07:42:32.000Z",
"modified": "2018-06-08T07:42:32.000Z",
"description": "C&C Servers",
"pattern": "[domain-name:value = 'em.totalpople.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-08T07:42:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b1a3369-e80c-44c4-9aea-4ac3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-08T07:42:33.000Z",
"modified": "2018-06-08T07:42:33.000Z",
"description": "C&C Servers",
"pattern": "[domain-name:value = 'office.panasocin.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-08T07:42:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b1a336a-8174-4113-8e83-40b1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-08T07:42:34.000Z",
"modified": "2018-06-08T07:42:34.000Z",
"description": "C&C Servers",
"pattern": "[domain-name:value = 'gstrap.jkub.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-08T07:42:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b1a336b-1bac-43b5-a0b3-4d10950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-08T07:42:35.000Z",
"modified": "2018-06-08T07:42:35.000Z",
"description": "C&C Servers",
"pattern": "[domain-name:value = 'woc.yasonbin.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-08T07:42:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b1a336c-85bc-4802-b014-4eda950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-08T07:42:36.000Z",
"modified": "2018-06-08T07:42:36.000Z",
"description": "C&C Servers",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '210.71.209.206']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-08T07:42:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5b1a2658-b030-445a-a759-4d35950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-08T06:46:48.000Z",
"modified": "2018-06-08T06:46:48.000Z",
"labels": [
"misp:name=\"microblog\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "post",
"value": "New Blog Post: PLEAD Downloader Used by BlackTech ^ST",
"category": "Other",
"uuid": "5b1a2658-cc14-4c7f-8628-4f2d950d210f"
},
{
"type": "text",
"object_relation": "type",
"value": "Twitter",
"category": "Other",
"uuid": "5b1a2658-532c-44e0-a108-4a3e950d210f"
},
{
"type": "url",
"object_relation": "url",
"value": "https://mobile.twitter.com/jpcert_en/status/1004964546195279872",
"category": "Network activity",
"to_ids": true,
"uuid": "5b1a2658-2a94-4db5-8438-4423950d210f"
},
{
"type": "url",
"object_relation": "link",
"value": "https://t.co/keNYZ2kyzs?amp=1",
"category": "Network activity",
"to_ids": true,
"uuid": "5b1a2659-9eb4-47eb-8195-4a47950d210f"
},
{
"type": "url",
"object_relation": "link",
"value": "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5b1a2659-8ef8-4001-a42a-444c950d210f"
},
{
"type": "datetime",
"object_relation": "creation-date",
"value": "2018-06-08T07:53:00",
"category": "Other",
"uuid": "5b1a265a-f408-4e74-ae87-4927950d210f"
},
{
"type": "text",
"object_relation": "username",
"value": "@jpcert_en",
"category": "Other",
"uuid": "5b1a265a-d9d0-486b-8a42-4f6c950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "microblog"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b1a2d6a-5750-4781-8f5b-4851950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-08T07:16:58.000Z",
"modified": "2018-06-08T07:16:58.000Z",
"description": "PLEAD",
"pattern": "[file:hashes.SHA256 = 'bc2c8cc9896cdd5816509f43cb5dca7433198251d754a997a70db7e8ed5cca40' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-08T07:16:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b1a2da7-ed88-444a-89e2-4906950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-08T07:17:59.000Z",
"modified": "2018-06-08T07:17:59.000Z",
"description": "PLEAD",
"pattern": "[file:hashes.SHA256 = 'a26df4f62ada084a596bf0f603691bc9c02024be98abec4a9872f0ff0085f940' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-08T07:17:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b1a306c-bd54-4540-a856-45c0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-08T07:29:48.000Z",
"modified": "2018-06-08T07:29:48.000Z",
"description": "PLEAD",
"pattern": "[file:hashes.SHA256 = '2ddb2030ab3373b9438102b541aa4623b7dfee972850dcef05742ecbe8982e22' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-08T07:29:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b1a30f7-6900-4a9a-bbb4-4302950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-08T07:32:07.000Z",
"modified": "2018-06-08T07:32:07.000Z",
"description": "PLEAD",
"pattern": "[file:hashes.SHA256 = 'eec3f761f7eabe9ed569f39e896be24c9bbb8861b15dbde1b3d539505cd9dd8d' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-08T07:32:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b1a3296-49dc-44e9-92a5-49e3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-08T07:39:02.000Z",
"modified": "2018-06-08T07:39:02.000Z",
"description": "PLEAD Module",
"pattern": "[file:hashes.SHA256 = '23f554cc5bea9d4ccd62b0bbccaa4599f225ebce4ad956a576cc1a9b2a73dc15' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-06-08T07:39:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--a0d856e3-b418-4bb2-b43d-6d49deb9ad90",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-13T07:29:29.000Z",
"modified": "2018-06-13T07:29:29.000Z",
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\""
],
"x_misp_meta_category": "file",
"x_misp_name": "file"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--73db3348-942a-4a3d-b49c-2b583a468f0e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-13T07:29:27.000Z",
"modified": "2018-06-13T07:29:27.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--4219f752-d15a-432c-a61f-96110776542c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-13T07:29:31.000Z",
"modified": "2018-06-13T07:29:31.000Z",
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\""
],
"x_misp_meta_category": "file",
"x_misp_name": "file"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--14f64b5c-4b8f-466f-adb7-6ae747ea8d3a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-13T07:29:29.000Z",
"modified": "2018-06-13T07:29:29.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--b1043de8-cbda-4643-ba40-b859674fcb3b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-13T07:29:33.000Z",
"modified": "2018-06-13T07:29:33.000Z",
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\""
],
"x_misp_meta_category": "file",
"x_misp_name": "file"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--94567159-8daf-424a-931c-a92997695b6e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-13T07:29:32.000Z",
"modified": "2018-06-13T07:29:32.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--e31dadf4-722b-4f28-aae2-7970b10d50f7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-13T07:29:36.000Z",
"modified": "2018-06-13T07:29:36.000Z",
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\""
],
"x_misp_meta_category": "file",
"x_misp_name": "file"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--12242c4a-f4d9-444f-abd3-27deff5869a1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-06-13T07:29:34.000Z",
"modified": "2018-06-13T07:29:34.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c947eef3-d508-4c4e-a11d-c86646069c56",
"created": "2018-06-13T07:29:35.000Z",
"modified": "2018-06-13T07:29:35.000Z",
"relationship_type": "analysed-with",
"source_ref": "x-misp-object--a0d856e3-b418-4bb2-b43d-6d49deb9ad90",
"target_ref": "x-misp-object--73db3348-942a-4a3d-b49c-2b583a468f0e"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c3921172-f2bd-4c6b-aed3-bde38d91cf88",
"created": "2018-06-13T07:29:35.000Z",
"modified": "2018-06-13T07:29:35.000Z",
"relationship_type": "analysed-with",
"source_ref": "x-misp-object--4219f752-d15a-432c-a61f-96110776542c",
"target_ref": "x-misp-object--14f64b5c-4b8f-466f-adb7-6ae747ea8d3a"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--bb93ea38-18d7-4fd6-9382-8f9cbfdcfec7",
"created": "2018-06-13T07:29:35.000Z",
"modified": "2018-06-13T07:29:35.000Z",
"relationship_type": "analysed-with",
"source_ref": "x-misp-object--b1043de8-cbda-4643-ba40-b859674fcb3b",
"target_ref": "x-misp-object--94567159-8daf-424a-931c-a92997695b6e"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--9b796613-18ff-405c-b6d6-1a53c9b0c0c8",
"created": "2018-06-13T07:29:35.000Z",
"modified": "2018-06-13T07:29:35.000Z",
"relationship_type": "analysed-with",
"source_ref": "x-misp-object--e31dadf4-722b-4f28-aae2-7970b10d50f7",
"target_ref": "x-misp-object--12242c4a-f4d9-444f-abd3-27deff5869a1"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink