{
"type": "bundle",
"id": "bundle--77e6c97f-9744-43b5-b7bb-28208f73da3a",
"spec_version": "2.0",
"objects": [
{
"type": "marking-definition",
"id": "marking-definition--addb507a-5584-4a6e-aadc-16a9646725bc",
"created": "2017-07-22T01:40:44.781Z",
"modified": "2017-07-22T01:40:44.781Z",
"definition_type": "statement",
"definition": {
"statement": "Copyright 2010, Damballa, Inc All Rights Reserved"
}
},
{
"type": "report",
"id": "report--38d40491-e499-4e51-87ea-4224c358b428",
"created": "2017-07-22T01:40:44.783Z",
"modified": "2017-07-22T01:40:44.783Z",
"name": "IMDDOS Botnet",
"labels": [
"threat-report"
],
"description": "The newly-uncovered IMDDOS Botnet is a commercial DDOS service hosted in China.",
"published": "2010-09-13T00:00:00.000Z",
"object_refs": [
"malware--c27edb3e-6f70-492b-911e-6c821f2e9322",
"threat-actor--e089afe1-0b5d-4deb-9f36-e2726f19b0b2",
"indicator--1c205369-1038-4182-97e0-c2411759f449",
"indicator--bc9b4d08-20bd-43e1-ba0b-9f68b2ae253d",
"indicator--dd3a94f9-2175-4713-8aff-cd63d8d9842b",
"indicator--8a6c4dc8-4cf1-4d34-a69a-7765d7c5562e"
],
"object_marking_refs": [
"marking-definition--addb507a-5584-4a6e-aadc-16a9646725bc"
],
"external_references": [
{
"source_name": "Damballa, Inc.",
"url": "https://www.coresecurity.com/system/files/publications/2017/03/Damballa_Report_IMDDOS.pdf",
"hashes": {
"SHA-1": "4e0f4197d6d61f52f80a5560d78af599a37277c0"
}
}
]
},
{
"type": "malware",
"id": "malware--c27edb3e-6f70-492b-911e-6c821f2e9322",
"created": "2017-07-22T01:40:44.783Z",
"modified": "2017-07-22T01:40:44.783Z",
"name": "IMDDOS",
"labels": [
"bot",
"ddos"
],
"description": "Once infected with this malware, a host becomes part of the IMDDOS Botnet",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed-martin-cyber-kill-chain",
"phase_name": "exploit"
}
]
},
{
"type": "threat-actor",
"id": "threat-actor--e089afe1-0b5d-4deb-9f36-e2726f19b0b2",
"created": "2017-07-22T01:40:44.783Z",
"modified": "2017-07-22T01:40:44.783Z",
"name": "(Unnamed) IMDDOS Threat Actor",
"labels": [
"criminal"
]
},
{
"type": "location",
"id": "location--ccaf9460-ece5-4aca-be92-7147522d46ef",
"created": "2017-07-22T01:40:44.783Z",
"modified": "2017-07-22T01:40:44.783Z",
"country": "China"
},
{
"type": "indicator",
"id": "indicator--1c205369-1038-4182-97e0-c2411759f449",
"created": "2017-07-22T01:40:44.784Z",
"modified": "2017-07-22T01:40:44.784Z",
"name": "IMDDOS TLHD",
"labels": [
"malicious-activity"
],
"description": "References to this domain are indicative of the presence of the IMDDOS malware in the environment",
"valid_from": "2010-04-01T00:00:00.000Z",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed-martin-cyber-kill-chain",
"phase_name": "exploit"
}
],
"pattern": "[ domain-name:value = 'imddos.my03.com' ]"
},
{
"type": "indicator",
"id": "indicator--bc9b4d08-20bd-43e1-ba0b-9f68b2ae253d",
"created": "2017-07-22T01:40:44.784Z",
"modified": "2017-07-22T01:40:44.784Z",
"name": "IMDDOS TLHD Traffic",
"labels": [
"malicious-activity"
],
"description": "Traffic to this domain indicates the source host is infected with IMDDOS malware",
"valid_from": "2010-04-01T00:00:00.000Z",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed-martin-cyber-kill-chain",
"phase_name": "exploit"
}
],
"pattern": "[ network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'imddos.my03.com' AND network-traffic:dst_port = 9090 ]"
},
{
"type": "indicator",
"id": "indicator--dd3a94f9-2175-4713-8aff-cd63d8d9842b",
"created": "2017-07-22T01:40:44.784Z",
"modified": "2017-07-22T01:40:44.784Z",
"name": "IMDDOS Infected Host",
"labels": [
"malicious-activity"
],
"description": "Presence of this registry key on a host indicates it is infected with the IMDDOS malware",
"valid_from": "2010-04-01T00:00:00.000Z",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed-martin-cyber-kill-chain",
"phase_name": "exploit"
}
],
"pattern": "[windows-registry-key:key LIKE 'HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\SafePrec%' ]"
},
{
"type": "indicator",
"id": "indicator--8a6c4dc8-4cf1-4d34-a69a-7765d7c5562e",
"created": "2017-07-22T01:40:44.784Z",
"modified": "2017-07-22T01:40:44.784Z",
"name": "IMDDOS C2 Traffic",
"labels": [
"malicious-activity"
],
"description": "Traffic to these domains indicates that the source host is under the control of the IMDDOS malware",
"valid_from": "2010-04-01T00:00:00.000Z",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed-martin-cyber-kill-chain",
"phase_name": "control"
}
],
"pattern": "[ network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value IN ('dns.ddos.im', 'win2003ddos.3322.org', 'woshindi.3322.org', 'pk518.3322.org', 'huanjue6369029.3322.org', 'qq603535.3322.org', 'qq188588.3322.org', 'hjff.3322.org', '198600.3322.org', 'ankankan.3322.org', 'yinn.3322.org') ]"
},
{
"type": "course-of-action",
"id": "course-of-action--d3827682-7510-4831-b8d7-54a0c811d1a1",
"created": "2017-07-22T01:40:44.784Z",
"modified": "2017-07-22T01:40:44.784Z",
"name": "IMDDOS TLHD Outbound Traffic Block",
"description": "Block outbound traffic to the IMDDOS Target Listing Host Domain"
},
{
"type": "course-of-action",
"id": "course-of-action--2cf3e9f3-e546-4581-abac-9b4d2be90a44",
"created": "2017-07-22T01:40:44.784Z",
"modified": "2017-07-22T01:40:44.784Z",
"name": "IMDDOS Malware Removal",
"description": "Steps required to remove the IMDDOS Malware from a Windows system"
},
{
"type": "course-of-action",
"id": "course-of-action--80acaf03-ebf1-4c81-bc69-60d429ec1c64",
"created": "2017-07-22T01:40:44.784Z",
"modified": "2017-07-22T01:40:44.784Z",
"name": "IMDDOS C2 Outbound Traffic Block",
"description": "Block outbound traffic to the IMDDOS C2 Domains"
},
{
"type": "relationship",
"id": "relationship--60bbd629-bef3-4d09-8f70-d64d24a49b77",
"created": "2017-07-22T01:40:44.784Z",
"modified": "2017-07-22T01:40:44.784Z",
"relationship_type": "indicates",
"source_ref": "indicator--1c205369-1038-4182-97e0-c2411759f449",
"target_ref": "malware--c27edb3e-6f70-492b-911e-6c821f2e9322"
},
{
"type": "relationship",
"id": "relationship--4b8f179a-94e2-4723-bdfd-14ee8e17296e",
"created": "2017-07-22T01:40:44.784Z",
"modified": "2017-07-22T01:40:44.784Z",
"relationship_type": "indicates",
"source_ref": "indicator--bc9b4d08-20bd-43e1-ba0b-9f68b2ae253d",
"target_ref": "malware--c27edb3e-6f70-492b-911e-6c821f2e9322"
},
{
"type": "relationship",
"id": "relationship--9427a3bc-227a-4107-9899-cb4f6b3d530c",
"created": "2017-07-22T01:40:44.785Z",
"modified": "2017-07-22T01:40:44.785Z",
"relationship_type": "indicates",
"source_ref": "indicator--dd3a94f9-2175-4713-8aff-cd63d8d9842b",
"target_ref": "malware--c27edb3e-6f70-492b-911e-6c821f2e9322"
},
{
"type": "relationship",
"id": "relationship--e40294fe-3a5c-4dfd-9ef8-38335e872fc4",
"created": "2017-07-22T01:40:44.785Z",
"modified": "2017-07-22T01:40:44.785Z",
"relationship_type": "indicates",
"source_ref": "indicator--8a6c4dc8-4cf1-4d34-a69a-7765d7c5562e",
"target_ref": "malware--c27edb3e-6f70-492b-911e-6c821f2e9322"
},
{
"type": "relationship",
"id": "relationship--3c44dd9f-591a-4e0e-b7af-66a278554b38",
"created": "2017-07-22T01:40:44.785Z",
"modified": "2017-07-22T01:40:44.785Z",
"relationship_type": "located-at",
"source_ref": "threat-actor--e089afe1-0b5d-4deb-9f36-e2726f19b0b2",
"target_ref": "location--ccaf9460-ece5-4aca-be92-7147522d46ef"
},
{
"type": "relationship",
"id": "relationship--a6da1f4e-b962-4e3a-91a1-6ec4b3accdd8",
"created": "2017-07-22T01:40:44.785Z",
"modified": "2017-07-22T01:40:44.785Z",
"relationship_type": "uses",
"source_ref": "threat-actor--e089afe1-0b5d-4deb-9f36-e2726f19b0b2",
"target_ref": "malware--c27edb3e-6f70-492b-911e-6c821f2e9322"
}
]
}
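---
# YAML rendition of the IMDDOS STIX 2.0 bundle above (no ids or timestamps
# carried over; objects are referenced by name or by position).
#
# Objects are a sequence of single-key mappings instead of repeated
# top-level keys (`indicator:`, `course-of-action:`, `relationship:`):
# duplicate keys are invalid in YAML 1.2 and most parsers silently keep
# only the last one, which would drop three of the four indicators and
# five of the six relationships.
#
# Integer refs (`object_marking_refs`, `source_ref`, `target_ref`) appear
# to be zero-based positions in this sequence, which matches the object
# order of the JSON bundle: 0 = marking-definition, 3 = threat-actor,
# 4 = location — verify against the consumer before relying on it.
#
# Timestamps are quoted so YAML 1.1 loaders do not coerce them to date
# objects; STIX patterns start with `[` and are quoted so they are not
# parsed as flow sequences.
- marking-definition:
    definition_type: statement
    definition:
      statement: "Copyright 2010, Damballa, Inc All Rights Reserved"

- report:
    name: IMDDOS Botnet
    labels:
      - threat-report
    description: "The newly-uncovered IMDDOS Botnet is a commercial DDOS service hosted in China."
    published: "2010-09-13T00:00:00Z"
    # Objects referenced by their `name` (the JSON bundle uses STIX ids).
    object_refs:
      - IMDDOS
      - (Unnamed) IMDDOS Threat Actor
      - IMDDOS TLHD
      - IMDDOS TLHD Traffic
      - IMDDOS Infected Host
      - IMDDOS C2 Traffic
    object_marking_refs:
      - 0
    external_references:
      - source_name: "Damballa, Inc."
        url: "https://www.coresecurity.com/system/files/publications/2017/03/Damballa_Report_IMDDOS.pdf"
        hashes:
          SHA-1: "4e0f4197d6d61f52f80a5560d78af599a37277c0"

- malware:
    name: IMDDOS
    labels:
      - bot
      - ddos
    description: "Once infected with this malware, a host becomes part of the IMDDOS Botnet"
    kill_chain_phases:
      - kill_chain_name: "lockheed-martin-cyber-kill-chain"
        phase_name: "exploit"

- threat-actor:
    name: (Unnamed) IMDDOS Threat Actor
    labels:
      - criminal

- location:
    country: China

- indicator:
    name: IMDDOS TLHD
    labels:
      - malicious-activity
    description: "References to this domain are indicative of the presence of the IMDDOS malware in the environment"
    valid_from: "2010-04-01T00:00:00Z"
    kill_chain_phases:
      - kill_chain_name: "lockheed-martin-cyber-kill-chain"
        phase_name: "exploit"
    pattern: "[ domain-name:value = 'imddos.my03.com' ]"

- indicator:
    name: IMDDOS TLHD Traffic
    labels:
      - malicious-activity
    description: "Traffic to this domain indicates the source host is infected with IMDDOS malware"
    valid_from: "2010-04-01T00:00:00Z"
    kill_chain_phases:
      - kill_chain_name: "lockheed-martin-cyber-kill-chain"
        phase_name: "exploit"
    pattern: "[ network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'imddos.my03.com' AND network-traffic:dst_port = 9090 ]"

- indicator:
    name: IMDDOS Infected Host
    labels:
      - malicious-activity
    description: "Presence of this registry key on a host indicates it is infected with the IMDDOS malware"
    valid_from: "2010-04-01T00:00:00Z"
    kill_chain_phases:
      - kill_chain_name: "lockheed-martin-cyber-kill-chain"
        phase_name: "exploit"
    # Double-quoted: each `\\\\` becomes `\\` after YAML unescaping, which is
    # the backslash escape the STIX pattern language expects.
    pattern: "[windows-registry-key:key LIKE 'HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\SafePrec%' ]"

- indicator:
    name: IMDDOS C2 Traffic
    labels:
      - malicious-activity
    description: "Traffic to these domains indicates that the source host is under the control of the IMDDOS malware"
    valid_from: "2010-04-01T00:00:00Z"
    kill_chain_phases:
      - kill_chain_name: "lockheed-martin-cyber-kill-chain"
        phase_name: "control"
    pattern: "[ network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value IN ('dns.ddos.im', 'win2003ddos.3322.org', 'woshindi.3322.org', 'pk518.3322.org', 'huanjue6369029.3322.org', 'qq603535.3322.org', 'qq188588.3322.org', 'hjff.3322.org', '198600.3322.org', 'ankankan.3322.org', 'yinn.3322.org') ]"

- course-of-action:
    name: IMDDOS TLHD Outbound Traffic Block
    description: "Block outbound traffic to the IMDDOS Target Listing Host Domain"

- course-of-action:
    name: IMDDOS Malware Removal
    description: "Steps required to remove the IMDDOS Malware from a Windows system"

- course-of-action:
    name: IMDDOS C2 Outbound Traffic Block
    description: "Block outbound traffic to the IMDDOS C2 Domains"

# Relationships reference the objects above by `name`, except the two
# threat-actor relationships, which use sequence positions (see header).
- relationship:
    relationship_type: indicates
    source_ref: IMDDOS TLHD
    target_ref: IMDDOS

- relationship:
    relationship_type: indicates
    source_ref: IMDDOS TLHD Traffic
    target_ref: IMDDOS

- relationship:
    relationship_type: indicates
    source_ref: IMDDOS Infected Host
    target_ref: IMDDOS

- relationship:
    relationship_type: indicates
    source_ref: IMDDOS C2 Traffic
    target_ref: IMDDOS

- relationship:
    relationship_type: located-at
    source_ref: 3
    target_ref: 4

- relationship:
    relationship_type: uses
    source_ref: 3
    target_ref: IMDDOS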