
@tahaconfiant
Last active July 31, 2020 02:29
darkhotel_IOCs STIX v2.1
{
"type": "bundle",
"id": "bundle--7dca0b30-9c3f-4978-8b2a-b83851bfc37a",
"objects": [
{
"type": "ipv4-addr",
"id": "ipv4-addr--94f94345-3a11-5654-aacd-61496d6f5409",
"value": "103.224.82.234",
"spec_version": "2.1"
},
{
"type": "ipv4-addr",
"id": "ipv4-addr--0f081cf6-a185-5303-aa45-c8ff0d8b4663",
"value": "202.122.128.28",
"spec_version": "2.1"
},
{
"type": "domain-name",
"id": "domain-name--06a3aed0-94ff-5d9b-9103-f75858ca2494",
"value": "last.tax-lab.net",
"spec_version": "2.1"
},
{
"type": "infrastructure",
"id": "infrastructure--749a2105-2375-4165-82df-8a46dddb3535",
"created": "2020-07-13T05:53:37.076194Z",
"modified": "2020-07-13T05:53:37.076194Z",
"spec_version": "2.1",
"name": "DarkHotel APT Infrastructure",
"infrastructure_types": [
"staging"
]
},
{
"type": "indicator",
"id": "indicator--5a10e004-1c61-4c09-90c3-dc4434f7ce44",
"created": "2020-07-13T05:53:37.04084Z",
"modified": "2020-07-13T05:53:37.04084Z",
"spec_version": "2.1",
"name": "File hash for CVE-2019-1367 exploit payload",
"indicator_types": [
"malicious-activity"
],
"pattern": "[file:hashes.'SHA-256' = '06254c3a5037e5b119bdff1d67ab1570ce69c53ed92ed3ec59492192703b2165'] OR [file:hashes.'SHA-256' = '2912c5badf6431ca907120c5759fff31ca026cacbaf1fa1817bd745f4e6515ac'] OR [file:hashes.'SHA-256' = 'd96ddba198ce6ba381d643d527b1f0ec77d17b582c0fa58e43372daaea8413d8'] OR [file:hashes.'SHA-256' = 'bf44d0aab77b25fb4e8ec94e44db616a9a1b109592d1682adad9be3a4a9e4235'] OR [file:hashes.'SHA-256' = 'c845eaca9e3cddf79a436b53d83707654f2df61b49b09cb31359765b57326c32'] OR [file:hashes.'SHA-256' = 'a86a6d0b85aeab3ba2384cd73a32e09998aa033b74ee7a7c36d832fe64082b62'] OR [file:hashes.'SHA-256' = '6239f6f7e5c7f8b73af455e485ef3010dc8d7f6bc4646ce8cc69baf7af771133'] OR [file:hashes.'SHA-256' = '1a235d485642fb3b8d7b88f03329dd427b9084d74360a471902fb4d54352fc55'] OR [file:hashes.'SHA-256' = '7d7297d793900760eec793f42f977ba6b27559d245ddb926a0c8f51746a9224e'] OR [file:hashes.'SHA-256' = '81d4a0cef321b94e1b4ec93d2b2f7270b9a4c9cd1901bb7b0d5c26a76d2640ac'] OR [file:hashes.'SHA-256' = '5b600d2740f12c73c78150156879a1c815aa8388a7ed099ed51eef7022cee45b'] OR [file:hashes.'SHA-256' = '1a61b40424f88a79e89b4627cea45461eb9a2dd9aba10d71a750c97e235490b1'] OR [file:hashes.'SHA-256' = 'd2a674f0be88864d722d4d785d9a635c62be79304a98625cad1fd045653f97ed'] OR [file:hashes.'SHA-256' = '9a59f65d697fec65a190832badc79708a41ae184f1ad7b7422c985a2d8388b24'] OR [file:hashes.'SHA-256' = 'fb24fdead900952242a1d0dd6b8620da600abfe579e757716cc70432829fff76'] OR [file:hashes.'SHA-256' = '576b01135e1f8be20978fde73f4aef25b9bc56e7387f59a8569e5cf42b45f64c'] OR [file:hashes.'SHA-256' = '0ea1fa195d29602ad48dc4c1ad0b0f2ef6942ceb2fb386fcfa6358a409e10962'] OR [file:hashes.'SHA-256' = 'be8fdfce55ea701e19ab5dd90ce4104ff11ee3b4890b292c46567d9670b63b82'] OR [file:hashes.'SHA-256' = 'b3a26272f2cd60644001c949f5bf959e4b2068d02e9e51aa5317d5920d9e9f44'] OR [file:hashes.'SHA-256' = 'f9e494f8b5abd2527fccf868dcbe62452de0fa7d3cba3a78e918c582ee03b7af'] OR [file:hashes.'SHA-256' = 
'3ffb70b586c59ad3cd5edd4de0ed5b58c663d2048a3af1014c6185e05338d129'] OR [file:hashes.'SHA-256' = '5c701186cb13bb9d920500edda316f7fd20beb2db31f0ac371530d5d104095b0'] OR [file:hashes.'SHA-256' = '7728ef94a1a8856a063a30840cc507f9a343547625fb30b0b906d996795cd4c0'] OR [file:hashes.'SHA-256' = 'b3f9639afb271ab9a8861a35f0a4811ca1f0ac3d7f7d1119a329c52b34ee48f0'] OR [file:hashes.'SHA-256' = 'e4eeac5567b24dc3435b4233b9d766720f5c3ac5c658701336050fb343287c9d'] OR [file:hashes.'SHA-256' = 'dc1b1ea14f36a51d1386d81426f4c70eeadb3ab517fccbc183670e07829bfcca'] OR [file:hashes.'SHA-256' = '1ad754caa89e08bb10ce538257879d0775bddd8a74b8ff14aaa3d92a2c35b543']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-07-13T09:00:00Z"
},
{
"type": "indicator",
"id": "indicator--d520e81e-d73d-4fc5-b62e-7cba40f88793",
"created": "2020-07-13T05:53:37.075063Z",
"modified": "2020-07-13T05:53:37.075063Z",
"spec_version": "2.1",
"name": "File hash for CVE-2019-1367 dropped malware",
"indicator_types": [
"malicious-activity"
],
"pattern": "[file:hashes.'SHA-256' = '2a141023ae8c6fb15371a7cbfe47f88b15563e7f7e7e506bac439901b98c67e8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-07-13T09:00:00Z"
},
{
"type": "threat-actor",
"id": "threat-actor--abaa4b93-7def-4335-a1b4-ad46b504630f",
"created": "2020-07-13T05:53:37.039923Z",
"modified": "2020-07-13T05:53:37.039923Z",
"spec_version": "2.1",
"name": "DarkHotel APT",
"description": "Darkhotel is a threat group that has been active since at least 2004. The group has conducted activity on hotel and business center Wi-Fi and physical connections as well as peer-to-peer and file sharing networks. The actors have also conducted spearphishing.",
"threat_actor_types": [
"nation-state"
],
"sophistication": "['innovator', 'strategic']"
},
{
"type": "malware",
"id": "malware--d8ea56f5-a795-4658-9edb-169efc45f618",
"created": "2020-07-13T05:53:37.040334Z",
"modified": "2020-07-13T05:53:37.040334Z",
"spec_version": "2.1",
"name": "CVE-2019-1367 exploit",
"malware_types": [
"exploit-kit"
],
"is_family": false,
"kill_chain_phases": [
{
"kill_chain_name": "confiant-attack-lifecycle-model",
"phase_name": "initial-access"
}
]
},
{
"type": "malware",
"id": "malware--509f33c7-06f2-40c6-b0a0-7e8bc610c591",
"created": "2020-07-13T05:53:37.040492Z",
"modified": "2020-07-13T05:53:37.040492Z",
"spec_version": "2.1",
"name": "CVE-2019-1367 dropped malware",
"malware_types": [
"remote-access-trojan"
],
"is_family": false,
"kill_chain_phases": [
{
"kill_chain_name": "confiant-attack-lifecycle-model",
"phase_name": "initial-access"
}
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--5962bb81-127d-425a-92f4-c3dc93f49ab5",
"created": "2020-07-13T05:53:37.040668Z",
"modified": "2020-07-13T05:53:37.040668Z",
"spec_version": "2.1",
"name": "CVE-2019-1367 in-the-wild exploitation",
"description": "Redirect attack delivering the CVE-2019-1367 exploit",
"kill_chain_phases": [
{
"kill_chain_name": "confiant-attack-lifecycle-model",
"phase_name": "initial-access"
}
],
"external_references": [
{
"source_name": "confiant",
"description": "Internet Explorer CVE-2019-1367 in-the-wild exploitation",
"url": "https://blog.confiant.com/internet-explorer-cve-2019-1367-in-the-wild-exploitation-prelude-ef546f19cd30"
}
]
},
{
"type": "relationship",
"id": "relationship--8d0aacde-4233-4560-87e9-25b999941d79",
"created": "2020-07-13T05:53:37.077975Z",
"modified": "2020-07-13T05:53:37.077975Z",
"spec_version": "2.1",
"relationship_type": "delivers",
"source_ref": "attack-pattern--5962bb81-127d-425a-92f4-c3dc93f49ab5",
"target_ref": "malware--509f33c7-06f2-40c6-b0a0-7e8bc610c591"
},
{
"type": "relationship",
"id": "relationship--47416006-ba67-49b4-be84-b14a8569657a",
"created": "2020-07-13T05:53:37.07679Z",
"modified": "2020-07-13T05:53:37.07679Z",
"spec_version": "2.1",
"relationship_type": "uses",
"source_ref": "threat-actor--abaa4b93-7def-4335-a1b4-ad46b504630f",
"target_ref": "attack-pattern--5962bb81-127d-425a-92f4-c3dc93f49ab5"
},
{
"type": "relationship",
"id": "relationship--aa022ff9-6cad-47bc-9932-3c6cfb8472f7",
"created": "2020-07-13T05:53:37.076964Z",
"modified": "2020-07-13T05:53:37.076964Z",
"spec_version": "2.1",
"relationship_type": "delivers",
"source_ref": "attack-pattern--5962bb81-127d-425a-92f4-c3dc93f49ab5",
"target_ref": "malware--d8ea56f5-a795-4658-9edb-169efc45f618"
},
{
"type": "relationship",
"id": "relationship--1ae3bdd4-87cd-4039-925e-fbfd36dd60d8",
"created": "2020-07-13T05:53:37.077087Z",
"modified": "2020-07-13T05:53:37.077087Z",
"spec_version": "2.1",
"relationship_type": "exploits",
"source_ref": "malware--d8ea56f5-a795-4658-9edb-169efc45f618",
"target_ref": "vulnerability--c51d40bb-3a56-41c1-bb55-d4da191f8ac5"
},
{
"type": "relationship",
"id": "relationship--8f085127-de86-416a-ac47-6ac99846676f",
"created": "2020-07-13T05:53:37.077201Z",
"modified": "2020-07-13T05:53:37.077201Z",
"spec_version": "2.1",
"relationship_type": "indicates",
"source_ref": "indicator--5a10e004-1c61-4c09-90c3-dc4434f7ce44",
"target_ref": "malware--d8ea56f5-a795-4658-9edb-169efc45f618"
},
{
"type": "relationship",
"id": "relationship--fb8763f5-65f5-440f-8736-c1289936f79d",
"created": "2020-07-13T05:53:37.077313Z",
"modified": "2020-07-13T05:53:37.077313Z",
"spec_version": "2.1",
"relationship_type": "consists-of",
"source_ref": "infrastructure--749a2105-2375-4165-82df-8a46dddb3535",
"target_ref": "domain-name--06a3aed0-94ff-5d9b-9103-f75858ca2494"
},
{
"type": "relationship",
"id": "relationship--27c27f9a-2c45-4eb5-9743-60de0b85924b",
"created": "2020-07-13T05:53:37.077536Z",
"modified": "2020-07-13T05:53:37.077536Z",
"spec_version": "2.1",
"relationship_type": "consists-of",
"source_ref": "infrastructure--749a2105-2375-4165-82df-8a46dddb3535",
"target_ref": "ipv4-addr--94f94345-3a11-5654-aacd-61496d6f5409"
},
{
"type": "relationship",
"id": "relationship--a1ebf54d-1ae0-4c84-aa38-7e6ccaaf51c8",
"created": "2020-07-13T05:53:37.077647Z",
"modified": "2020-07-13T05:53:37.077647Z",
"spec_version": "2.1",
"relationship_type": "consists-of",
"source_ref": "infrastructure--749a2105-2375-4165-82df-8a46dddb3535",
"target_ref": "ipv4-addr--0f081cf6-a185-5303-aa45-c8ff0d8b4663"
},
{
"type": "relationship",
"id": "relationship--38ef00be-4622-49fb-8209-f954e9cfde73",
"created": "2020-07-13T05:53:37.077757Z",
"modified": "2020-07-13T05:53:37.077757Z",
"spec_version": "2.1",
"relationship_type": "uses",
"source_ref": "threat-actor--abaa4b93-7def-4335-a1b4-ad46b504630f",
"target_ref": "infrastructure--749a2105-2375-4165-82df-8a46dddb3535"
},
{
"type": "relationship",
"id": "relationship--091d3773-a7ec-4509-aa8e-ff7359db0526",
"created": "2020-07-13T05:53:37.077866Z",
"modified": "2020-07-13T05:53:37.077866Z",
"spec_version": "2.1",
"relationship_type": "indicates",
"source_ref": "indicator--d520e81e-d73d-4fc5-b62e-7cba40f88793",
"target_ref": "malware--509f33c7-06f2-40c6-b0a0-7e8bc610c591"
},
{
"type": "domain-name",
"id": "domain-name--e25c5d75-4cb7-5503-a3c7-1dd05cb5360d",
"value": "largeurlcache.com",
"spec_version": "2.1"
},
{
"type": "relationship",
"id": "relationship--c859cd96-7b8a-4518-bab7-37d6ba98cfee",
"created": "2020-07-13T05:53:37.077426Z",
"modified": "2020-07-13T05:53:37.077426Z",
"spec_version": "2.1",
"relationship_type": "consists-of",
"source_ref": "infrastructure--749a2105-2375-4165-82df-8a46dddb3535",
"target_ref": "domain-name--e25c5d75-4cb7-5503-a3c7-1dd05cb5360d"
}
]
}