{ | |
"type": "bundle", | |
"id": "bundle--77e6c97f-9744-43b5-b7bb-28208f73da3a", | |
"spec_version": "2.0", | |
"objects": [ | |
{ | |
"type": "marking-definition", | |
"id": "marking-definition--addb507a-5584-4a6e-aadc-16a9646725bc", | |
"created": "2017-07-22T01:40:44.781Z", | |
"modified": "2017-07-22T01:40:44.781Z", | |
"definition_type": "statement", | |
"definition": { | |
"statement": "Copyright 2010, Damballa, Inc All Rights Reserved" | |
} | |
}, | |
{ | |
"type": "report", | |
"id": "report--38d40491-e499-4e51-87ea-4224c358b428", | |
"created": "2017-07-22T01:40:44.783Z", | |
"modified": "2017-07-22T01:40:44.783Z", | |
"name": "IMDDOS Botnet", | |
"labels": [ | |
"threat-report" | |
], | |
"description": "The newly-uncovered IMDDOS Botnet is a commercial DDOS service hosted in China.", | |
"published": "2010-09-13T00:00:00.000Z", | |
"object_refs": [ | |
"malware--c27edb3e-6f70-492b-911e-6c821f2e9322", | |
"threat-actor--e089afe1-0b5d-4deb-9f36-e2726f19b0b2", | |
"indicator--1c205369-1038-4182-97e0-c2411759f449", | |
"indicator--bc9b4d08-20bd-43e1-ba0b-9f68b2ae253d", | |
"indicator--dd3a94f9-2175-4713-8aff-cd63d8d9842b", | |
"indicator--8a6c4dc8-4cf1-4d34-a69a-7765d7c5562e" | |
], | |
"object_marking_refs": [ | |
"marking-definition--addb507a-5584-4a6e-aadc-16a9646725bc" | |
], | |
"external_references": [ | |
{ | |
"source_name": "Damballa, Inc.", | |
"url": "https://www.coresecurity.com/system/files/publications/2017/03/Damballa_Report_IMDDOS.pdf", | |
"hashes": { | |
"SHA-1": "4e0f4197d6d61f52f80a5560d78af599a37277c0" | |
} | |
} | |
] | |
}, | |
{ | |
"type": "malware", | |
"id": "malware--c27edb3e-6f70-492b-911e-6c821f2e9322", | |
"created": "2017-07-22T01:40:44.783Z", | |
"modified": "2017-07-22T01:40:44.783Z", | |
"name": "IMDDOS", | |
"labels": [ | |
"bot", | |
"ddos" | |
], | |
"description": "Once infected with this malware, a host becomes part of the IMDDOS Botnet", | |
"kill_chain_phases": [ | |
{ | |
"kill_chain_name": "lockheed-martin-cyber-kill-chain", | |
"phase_name": "exploit" | |
} | |
] | |
}, | |
{ | |
"type": "threat-actor", | |
"id": "threat-actor--e089afe1-0b5d-4deb-9f36-e2726f19b0b2", | |
"created": "2017-07-22T01:40:44.783Z", | |
"modified": "2017-07-22T01:40:44.783Z", | |
"name": "(Unnamed) IMDDOS Threat Actor", | |
"labels": [ | |
"criminal" | |
] | |
}, | |
{ | |
"type": "location", | |
"id": "location--ccaf9460-ece5-4aca-be92-7147522d46ef", | |
"created": "2017-07-22T01:40:44.783Z", | |
"modified": "2017-07-22T01:40:44.783Z", | |
"country": "China" | |
}, | |
{ | |
"type": "indicator", | |
"id": "indicator--1c205369-1038-4182-97e0-c2411759f449", | |
"created": "2017-07-22T01:40:44.784Z", | |
"modified": "2017-07-22T01:40:44.784Z", | |
"name": "IMDDOS TLHD", | |
"labels": [ | |
"malicious-activity" | |
], | |
"description": "References to this domain are indicative of the presence of the IMDDOS malware in the environment", | |
"valid_from": "2010-04-01T00:00:00.000Z", | |
"kill_chain_phases": [ | |
{ | |
"kill_chain_name": "lockheed-martin-cyber-kill-chain", | |
"phase_name": "exploit" | |
} | |
], | |
"pattern": "[ domain-name:value = 'imddos.my03.com' ]" | |
}, | |
{ | |
"type": "indicator", | |
"id": "indicator--bc9b4d08-20bd-43e1-ba0b-9f68b2ae253d", | |
"created": "2017-07-22T01:40:44.784Z", | |
"modified": "2017-07-22T01:40:44.784Z", | |
"name": "IMDDOS TLHD Traffic", | |
"labels": [ | |
"malicious-activity" | |
], | |
"description": "Traffic to this domain indicates the source host is infected with IMDDOS malware", | |
"valid_from": "2010-04-01T00:00:00.000Z", | |
"kill_chain_phases": [ | |
{ | |
"kill_chain_name": "lockheed-martin-cyber-kill-chain", | |
"phase_name": "exploit" | |
} | |
], | |
"pattern": "[ network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'imddos.my03.com' AND network-traffic:dst_port = 9090 ]" | |
}, | |
{ | |
"type": "indicator", | |
"id": "indicator--dd3a94f9-2175-4713-8aff-cd63d8d9842b", | |
"created": "2017-07-22T01:40:44.784Z", | |
"modified": "2017-07-22T01:40:44.784Z", | |
"name": "IMDDOS Infected Host", | |
"labels": [ | |
"malicious-activity" | |
], | |
"description": "Presence of this registry key on a host indicates it is infected with the IMDDOS malware", | |
"valid_from": "2010-04-01T00:00:00.000Z", | |
"kill_chain_phases": [ | |
{ | |
"kill_chain_name": "lockheed-martin-cyber-kill-chain", | |
"phase_name": "exploit" | |
} | |
], | |
"pattern": "[windows-registry-key:key LIKE 'HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\SafePrec%' ]" | |
}, | |
{ | |
"type": "indicator", | |
"id": "indicator--8a6c4dc8-4cf1-4d34-a69a-7765d7c5562e", | |
"created": "2017-07-22T01:40:44.784Z", | |
"modified": "2017-07-22T01:40:44.784Z", | |
"name": "IMDDOS C2 Traffic", | |
"labels": [ | |
"malicious-activity" | |
], | |
"description": "Traffic to these domains indicates that the source host is under the control of the IMDDOS malware", | |
"valid_from": "2010-04-01T00:00:00.000Z", | |
"kill_chain_phases": [ | |
{ | |
"kill_chain_name": "lockheed-martin-cyber-kill-chain", | |
"phase_name": "control" | |
} | |
], | |
"pattern": "[ network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value IN ('dns.ddos.im', 'win2003ddos.3322.org', 'woshindi.3322.org', 'pk518.3322.org', 'huanjue6369029.3322.org', 'qq603535.3322.org', 'qq188588.3322.org', 'hjff.3322.org', '198600.3322.org', 'ankankan.3322.org', 'yinn.3322.org') ]" | |
}, | |
{ | |
"type": "course-of-action", | |
"id": "course-of-action--d3827682-7510-4831-b8d7-54a0c811d1a1", | |
"created": "2017-07-22T01:40:44.784Z", | |
"modified": "2017-07-22T01:40:44.784Z", | |
"name": "IMDDOS TLHD Outbound Traffic Block", | |
"description": "Block outbound traffic to the IMDDOS Target Listing Host Domain" | |
}, | |
{ | |
"type": "course-of-action", | |
"id": "course-of-action--2cf3e9f3-e546-4581-abac-9b4d2be90a44", | |
"created": "2017-07-22T01:40:44.784Z", | |
"modified": "2017-07-22T01:40:44.784Z", | |
"name": "IMDDOS Malware Removal", | |
"description": "Steps required to remove the IMDDOS Malware from a Windows system" | |
}, | |
{ | |
"type": "course-of-action", | |
"id": "course-of-action--80acaf03-ebf1-4c81-bc69-60d429ec1c64", | |
"created": "2017-07-22T01:40:44.784Z", | |
"modified": "2017-07-22T01:40:44.784Z", | |
"name": "IMDDOS C2 Outbound Traffic Block", | |
"description": "Block outbound traffic to the IMDDOS C2 Domains" | |
}, | |
{ | |
"type": "relationship", | |
"id": "relationship--60bbd629-bef3-4d09-8f70-d64d24a49b77", | |
"created": "2017-07-22T01:40:44.784Z", | |
"modified": "2017-07-22T01:40:44.784Z", | |
"relationship_type": "indicates", | |
"source_ref": "indicator--1c205369-1038-4182-97e0-c2411759f449", | |
"target_ref": "malware--c27edb3e-6f70-492b-911e-6c821f2e9322" | |
}, | |
{ | |
"type": "relationship", | |
"id": "relationship--4b8f179a-94e2-4723-bdfd-14ee8e17296e", | |
"created": "2017-07-22T01:40:44.784Z", | |
"modified": "2017-07-22T01:40:44.784Z", | |
"relationship_type": "indicates", | |
"source_ref": "indicator--bc9b4d08-20bd-43e1-ba0b-9f68b2ae253d", | |
"target_ref": "malware--c27edb3e-6f70-492b-911e-6c821f2e9322" | |
}, | |
{ | |
"type": "relationship", | |
"id": "relationship--9427a3bc-227a-4107-9899-cb4f6b3d530c", | |
"created": "2017-07-22T01:40:44.785Z", | |
"modified": "2017-07-22T01:40:44.785Z", | |
"relationship_type": "indicates", | |
"source_ref": "indicator--dd3a94f9-2175-4713-8aff-cd63d8d9842b", | |
"target_ref": "malware--c27edb3e-6f70-492b-911e-6c821f2e9322" | |
}, | |
{ | |
"type": "relationship", | |
"id": "relationship--e40294fe-3a5c-4dfd-9ef8-38335e872fc4", | |
"created": "2017-07-22T01:40:44.785Z", | |
"modified": "2017-07-22T01:40:44.785Z", | |
"relationship_type": "indicates", | |
"source_ref": "indicator--8a6c4dc8-4cf1-4d34-a69a-7765d7c5562e", | |
"target_ref": "malware--c27edb3e-6f70-492b-911e-6c821f2e9322" | |
}, | |
{ | |
"type": "relationship", | |
"id": "relationship--3c44dd9f-591a-4e0e-b7af-66a278554b38", | |
"created": "2017-07-22T01:40:44.785Z", | |
"modified": "2017-07-22T01:40:44.785Z", | |
"relationship_type": "located-at", | |
"source_ref": "threat-actor--e089afe1-0b5d-4deb-9f36-e2726f19b0b2", | |
"target_ref": "location--ccaf9460-ece5-4aca-be92-7147522d46ef" | |
}, | |
{ | |
"type": "relationship", | |
"id": "relationship--a6da1f4e-b962-4e3a-91a1-6ec4b3accdd8", | |
"created": "2017-07-22T01:40:44.785Z", | |
"modified": "2017-07-22T01:40:44.785Z", | |
"relationship_type": "uses", | |
"source_ref": "threat-actor--e089afe1-0b5d-4deb-9f36-e2726f19b0b2", | |
"target_ref": "malware--c27edb3e-6f70-492b-911e-6c821f2e9322" | |
} | |
] | |
} |
# Condensed, human-readable summary of the STIX 2.0 bundle in the JSON file
# above: one top-level entry per bundle object, in bundle order, with the ids and
# created/modified timestamps dropped. The trailing "| |" on each line and the
# flattened indentation look like page-rendering residue rather than file content.
#
# NOTE(review): the top-level keys repeat (`indicator` x4, `course-of-action` x3,
# `relationship` x6). A strict YAML mapping parser rejects duplicate keys and a
# lenient one keeps only the last entry, so treat this as notes rather than a
# loadable document; a sequence of objects would make it parseable.
#
# NOTE(review): references are written two ways — by `name` where the target has
# one, otherwise as a bare integer. The integers appear to be positions in the
# bundle's `objects` array (0 = marking-definition, 3 = threat-actor,
# 4 = location) — confirm against the JSON before relying on them.
marking-definition: | |
definition_type: statement | |
definition: | |
statement: "Copyright 2010, Damballa, Inc All Rights Reserved" | |
# NOTE(review): in the bundle above, `object_refs` names only the malware, the
# threat-actor and the four indicators; the location, the three course-of-action
# objects and the six relationships are not referenced by the report, so a
# consumer that loads only what the report points at never sees the mitigations.
# `published` is unquoted here, so a YAML loader types it as a timestamp, whereas
# the bundle carries it as a string.
report: | |
name: IMDDOS Botnet | |
labels: [ threat-report ] | |
description: "The newly-uncovered IMDDOS Botnet is a commercial DDOS service hosted in China." | |
published: 2010-09-13T00:00:00Z | |
object_refs: [ IMDDOS, (Unnamed) IMDDOS Threat Actor, IMDDOS TLHD, IMDDOS TLHD Traffic, IMDDOS Infected Host, IMDDOS C2 Traffic ] | |
# 0 = positional reference to the marking-definition entry (first bundle object).
object_marking_refs: [ 0 ] | |
external_references: [ { source_name: "Damballa, Inc.", url: "https://www.coresecurity.com/system/files/publications/2017/03/Damballa_Report_IMDDOS.pdf", hashes: { SHA-1: "4e0f4197d6d61f52f80a5560d78af599a37277c0" } } ] | |
malware: | |
name: IMDDOS | |
labels: [ bot, ddos ] | |
description: "Once infected with this malware, a host becomes part of the IMDDOS Botnet" | |
kill_chain_phases: [ { kill_chain_name: "lockheed-martin-cyber-kill-chain", phase_name: "exploit" } ] | |
threat-actor: | |
name: (Unnamed) IMDDOS Threat Actor | |
labels: [ criminal ] | |
# The location has no `name`, which is why relationships below refer to it by index.
location: | |
country: China | |
# Detection content. Every indicator (here and in the bundle) sets `valid_from`
# to 2010-04-01 but no `valid_until`, so a consumer treats these 2010-era
# domains and the registry key as still current; review before turning them
# into a blocklist. The STIX pattern strings are reproduced verbatim from the
# bundle, including the doubled backslashes in the registry-key path.
indicator: | |
name: IMDDOS TLHD | |
labels: [ malicious-activity ] | |
description: "References to this domain are indicative of the presence of the IMDDOS malware in the environment" | |
valid_from: 2010-04-01T00:00:00Z | |
kill_chain_phases: [ { kill_chain_name: "lockheed-martin-cyber-kill-chain", phase_name: "exploit" } ] | |
pattern: "[ domain-name:value = 'imddos.my03.com' ]" | |
indicator: | |
name: IMDDOS TLHD Traffic | |
labels: [ malicious-activity ] | |
description: "Traffic to this domain indicates the source host is infected with IMDDOS malware" | |
valid_from: 2010-04-01T00:00:00Z | |
kill_chain_phases: [ { kill_chain_name: "lockheed-martin-cyber-kill-chain", phase_name: "exploit" } ] | |
pattern: "[ network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'imddos.my03.com' AND network-traffic:dst_port = 9090 ]" | |
indicator: | |
name: IMDDOS Infected Host | |
labels: [ malicious-activity ] | |
description: "Presence of this registry key on a host indicates it is infected with the IMDDOS malware" | |
valid_from: 2010-04-01T00:00:00Z | |
kill_chain_phases: [ { kill_chain_name: "lockheed-martin-cyber-kill-chain", phase_name: "exploit" } ] | |
pattern: "[windows-registry-key:key LIKE 'HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\SafePrec%' ]" | |
# Only this indicator is placed in the "control" kill-chain phase; the other
# three use "exploit".
indicator: | |
name: IMDDOS C2 Traffic | |
labels: [ malicious-activity ] | |
description: "Traffic to these domains indicates that the source host is under the control of the IMDDOS malware" | |
valid_from: 2010-04-01T00:00:00Z | |
kill_chain_phases: [ { kill_chain_name: "lockheed-martin-cyber-kill-chain", phase_name: "control" } ] | |
pattern: "[ network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value IN ('dns.ddos.im', 'win2003ddos.3322.org', 'woshindi.3322.org', 'pk518.3322.org', 'huanjue6369029.3322.org', 'qq603535.3322.org', 'qq188588.3322.org', 'hjff.3322.org', '198600.3322.org', 'ankankan.3322.org', 'yinn.3322.org') ]" | |
# Mitigations. NOTE(review): none of the relationships below (or in the bundle)
# links a course-of-action to the malware or an indicator — the only
# relationship types present are indicates, located-at and uses — so tooling
# cannot tell which block applies to which indicator.
course-of-action: | |
name: IMDDOS TLHD Outbound Traffic Block | |
description: "Block outbound traffic to the IMDDOS Target Listing Host Domain" | |
course-of-action: | |
name: IMDDOS Malware Removal | |
description: "Steps required to remove the IMDDOS Malware from a Windows system" | |
course-of-action: | |
name: IMDDOS C2 Outbound Traffic Block | |
description: "Block outbound traffic to the IMDDOS C2 Domains" | |
# Each of the four indicators "indicates" the single malware object.
relationship: | |
relationship_type: indicates | |
source_ref: IMDDOS TLHD | |
target_ref: IMDDOS | |
relationship: | |
relationship_type: indicates | |
source_ref: IMDDOS TLHD Traffic | |
target_ref: IMDDOS | |
relationship: | |
relationship_type: indicates | |
source_ref: IMDDOS Infected Host | |
target_ref: IMDDOS | |
relationship: | |
relationship_type: indicates | |
source_ref: IMDDOS C2 Traffic | |
target_ref: IMDDOS | |
# 3 / 4: positional references (threat-actor, location) — see header note.
relationship: | |
relationship_type: located-at | |
source_ref: 3 | |
target_ref: 4 | |
relationship: | |
relationship_type: uses | |
source_ref: 3 | |
target_ref: IMDDOS |