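---
# IMDDOS threat-intelligence bundle: STIX-style objects grouped by type.
#
# Objects of the same type are collected into ONE sequence under that type's
# key. The original file repeated top-level keys (indicator:, observed-data:,
# sighting:, course-of-action:, relationship:), which most YAML loaders resolve
# silently as last-value-wins, so every object but the final one of each type
# was dropped on parse.
#
# *_ref / *_refs fields point at other objects in this file by their `name`.

malware:
  name: IMDDOS
  labels:
    - bot
    - ddos
  description: "Once infected with this malware, a host becomes part of the IMDDOS Botnet"
  kill_chain_phases:
    - kill_chain_name: "lockheed-martin-cyber-kill-chain"
      phase_name: "exploit"

# Detection content. Timestamps are quoted so a generic YAML loader keeps
# them as RFC 3339 strings rather than converting them to native datetimes.
indicator:
  - name: IMDDOS TLHD
    labels:
      - malicious-activity
    description: "Traffic to this domain indicates the source host is infected with IMDDOS malware"
    valid_from: "2010-04-01T00:00:00Z"
    kill_chain_phases:
      - kill_chain_name: "lockheed-martin-cyber-kill-chain"
        phase_name: "exploit"
    pattern: "[ network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'imddos.my03.com' AND network-traffic:dst_port = 9090 ]"

  - name: IMDDOS Infected Host
    labels:
      - malicious-activity
    description: "Presence of this registry key on a host indicates it is infected with the IMDDOS malware"
    valid_from: "2010-04-01T00:00:00Z"
    kill_chain_phases:
      - kill_chain_name: "lockheed-martin-cyber-kill-chain"
        phase_name: "exploit"
    # Double-quoted YAML turns each `\\\\` into `\\`, which is the escaped
    # backslash the STIX pattern grammar needs inside a string literal.
    pattern: "[windows-registry-key:key LIKE 'HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\SafePrec%' ]"

  - name: IMDDOS C2 Traffic
    labels:
      - malicious-activity
    description: "Traffic to these domains indicates that the source host is under the control of the IMDDOS malware"
    valid_from: "2010-04-01T00:00:00Z"
    kill_chain_phases:
      - kill_chain_name: "lockheed-martin-cyber-kill-chain"
        phase_name: "control"
    # Folded scalar: line breaks below become single spaces, so the value is
    # the same one-line STIX pattern as before.
    pattern: >-
      [ network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value IN
      ('dns.ddos.im', 'win2003ddos.3322.org', 'woshindi.3322.org', 'pk518.3322.org',
      'huanjue6369029.3322.org', 'qq603535.3322.org', 'qq188588.3322.org', 'hjff.3322.org',
      '198600.3322.org', 'ankankan.3322.org', 'yinn.3322.org') ]

identity:
  name: IMDDOS infected host
  description: "Internal host where Observations were made"

observed-data:
  - name: Observed registry key
    description: "Observation of registry key HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\SafePrec% "

  - name: Observed C2 domains
    description: >-
      Observation of all/subset of C2 domains - 'dns.ddos.im', 'win2003ddos.3322.org',
      'woshindi.3322.org', 'pk518.3322.org', 'huanjue6369029.3322.org', 'qq603535.3322.org',
      'qq188588.3322.org', 'hjff.3322.org', '198600.3322.org', 'ankankan.3322.org', 'yinn.3322.org'

  - name: Observed TLHD domain
    description: "Observation of TLHD domain"

# Each sighting ties one indicator to the observed-data that matched it and
# the identity on which it was seen.
sighting:
  - name: Registry key sighting
    sighting_of_ref: IMDDOS Infected Host
    observed_data_refs:
      - Observed registry key
    where_sighted_refs:
      - IMDDOS infected host

  - name: C2 domain sighting
    sighting_of_ref: IMDDOS C2 Traffic
    observed_data_refs:
      - Observed C2 domains
    where_sighted_refs:
      - IMDDOS infected host

  - name: TLHD domain sighting
    sighting_of_ref: IMDDOS TLHD
    observed_data_refs:
      - Observed TLHD domain
    where_sighted_refs:
      - IMDDOS infected host

course-of-action:
  - name: Delete Registry key
    description: "delete registry key on the host where it was sighted"

  - name: Kill C2 processes
    description: "kill processes/applications reaching out to the C2 domains"

  - name: Kill TLHD process
    description: "kill processes/applications reaching out to the TLHD domain"

  - name: IMDDOS Malware Removal
    description: "Steps required to remove the IMDDOS Malware from a Windows system"

  - name: IMDDOS TLHD Outbound Block
    description: "Block outbound traffic to the IMDDOS Target Listing Host Domain. Add domain to blacklist and block a perimeter"

  - name: IMDDOS C2 Outbound Block
    # The original value was split across a physical line; double-quoted
    # folding joined it with a single space, which this one-line form keeps.
    description: "Block outbound traffic to the IMDDOS C2 Domains. Add C2 domains to blacklist and block a perimeter"

# Graph edges between the objects above. The original file listed the
# "IMDDOS TLHD indicates IMDDOS" edge twice; it appears once here.
relationship:
  - relationship_type: prevents
    source_ref: IMDDOS TLHD Outbound Block
    target_ref: IMDDOS TLHD

  - relationship_type: prevents
    source_ref: IMDDOS C2 Outbound Block
    target_ref: IMDDOS C2 Traffic

  - relationship_type: indicates
    source_ref: IMDDOS TLHD
    target_ref: IMDDOS

  - relationship_type: indicates
    source_ref: IMDDOS Infected Host
    target_ref: IMDDOS

  - relationship_type: indicates
    source_ref: IMDDOS C2 Traffic
    target_ref: IMDDOS

  - relationship_type: applies-to
    source_ref: Delete Registry key
    target_ref: Registry key sighting

  - relationship_type: applies-to
    source_ref: Kill C2 processes
    target_ref: C2 domain sighting

  - relationship_type: applies-to
    source_ref: Kill TLHD process
    target_ref: TLHD domain sighting

  # NOTE(review): "Kill TLHD process" has no parent-of edge from
  # "IMDDOS Malware Removal" while the other two remediation steps do;
  # presumably an omission in the original data — confirm before adding.
  - relationship_type: parent-of
    source_ref: IMDDOS Malware Removal
    target_ref: Delete Registry key

  - relationship_type: parent-of
    source_ref: IMDDOS Malware Removal
    target_ref: Kill C2 processes

  - relationship_type: fixes
    source_ref: IMDDOS Malware Removal
    target_ref: IMDDOS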