{
"type": "bundle",
"id": "bundle--544fee45-f108-4fa6-ace9-3989950d210b",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-06-22T20:32:13.000Z",
"modified": "2017-06-22T20:32:13.000Z",
"name": "CthulhuSPRL.be",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--544fee45-f108-4fa6-ace9-3989950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-06-22T20:32:13.000Z",
"modified": "2017-06-22T20:32:13.000Z",
"name": "OSINT APT28: A Window into Russia\u2019s Cyber Espionage Operations? blog post by FireEye",
"published": "2017-06-22T20:33:52Z",
"object_refs": [
"observed-data--544fee5a-2d54-45c7-96ae-4193950d210b",
"url--544fee5a-2d54-45c7-96ae-4193950d210b",
"observed-data--544fee5a-07ec-4539-803c-4ec7950d210b",
"url--544fee5a-07ec-4539-803c-4ec7950d210b",
"x-misp-attribute--544fee65-d4e8-4b02-a4db-073f950d210b",
"x-misp-attribute--544fee73-8964-4c74-a279-b8e1950d210b",
"indicator--544ff45d-2f3c-4809-9279-3989950d210b",
"indicator--544ff45e-39b0-4303-9ba7-3989950d210b",
"indicator--544ff45e-a25c-46b3-9505-3989950d210b",
"indicator--544ff45e-c6c0-4b28-9733-3989950d210b",
"indicator--544ff45e-e07c-4056-99a5-3989950d210b",
"indicator--544ff45e-4d2c-49ab-bf10-3989950d210b",
"indicator--544ff45e-de0c-406b-b09b-3989950d210b",
"indicator--544ff45e-3774-4904-9235-3989950d210b",
"indicator--544ff45e-dc88-4862-a57a-3989950d210b",
"indicator--544ff45e-e8bc-40be-8afc-3989950d210b",
"indicator--544ff471-3828-428e-90a6-47e1950d210b",
"indicator--544ff472-726c-4994-bb01-4d53950d210b",
"indicator--544ff482-06e0-40ab-a168-52be950d210b",
"indicator--544ff483-93ec-4a79-b783-52be950d210b",
"indicator--544ff483-fb00-4642-b300-52be950d210b",
"indicator--544ff483-dd28-48ac-a3a8-52be950d210b",
"indicator--544ff483-0214-4d43-ae3d-52be950d210b",
"indicator--544ff483-8e0c-4abe-8c30-52be950d210b",
"indicator--544ff483-3fa0-4d2b-bfa8-52be950d210b",
"indicator--544ff483-af00-4c6c-a454-52be950d210b",
"indicator--544ff483-7b7c-4e49-88c5-52be950d210b",
"indicator--544ff483-f044-4c5b-a1f8-52be950d210b",
"indicator--544ff483-c8dc-4aa7-9aea-52be950d210b",
"indicator--544ff49a-5084-4354-bf30-3989950d210b",
"indicator--544ff49a-9d70-430a-a6d7-3989950d210b",
"indicator--544ff49a-57fc-4f67-ad9f-3989950d210b",
"indicator--544ff49a-dfe0-4466-ba42-3989950d210b",
"indicator--544ff49a-9920-4e52-8790-3989950d210b",
"indicator--544ff4c2-914c-482f-aa29-4c43950d210b",
"indicator--544ff4c2-6e34-48b8-ac27-4730950d210b",
"observed-data--8041a130-1ead-43b7-9e3d-a8e19057292d",
"file--8041a130-1ead-43b7-9e3d-a8e19057292d",
"x-misp-attribute--23755a4c-fdfa-420e-964d-565ce679332f",
"observed-data--ef486ea3-4023-4fcc-960a-58eb87d77a03",
"file--ef486ea3-4023-4fcc-960a-58eb87d77a03",
"x-misp-attribute--54509659-ab28-4778-9e1a-449d950d210b",
"observed-data--54509659-bbf4-4523-a9db-42a6950d210b",
"file--54509659-bbf4-4523-a9db-42a6950d210b",
"artifact--54509659-bbf4-4523-a9db-42a6950d210b",
"observed-data--5450968b-cab4-4442-9cc7-4e1c950d210b",
"file--5450968b-cab4-4442-9cc7-4e1c950d210b",
"artifact--5450968b-cab4-4442-9cc7-4e1c950d210b",
"observed-data--0195bdbb-61bd-4fdd-bc80-cc130234b0a9",
"file--0195bdbb-61bd-4fdd-bc80-cc130234b0a9",
"x-misp-attribute--d96396b2-672a-4518-87a2-53c66d20676a",
"x-misp-attribute--545096c5-e860-4c9c-97fc-4d8c950d210b",
"observed-data--545096c5-f8c8-49ac-9b71-4e72950d210b",
"file--545096c5-f8c8-49ac-9b71-4e72950d210b",
"artifact--545096c5-f8c8-49ac-9b71-4e72950d210b",
"indicator--30842d86-e073-4b6e-a5e0-d6b354f6847a",
"x-misp-attribute--a0e443e4-6a41-4856-8c14-d1a271ba7b6b",
"x-misp-attribute--545096eb-1e24-4dd2-861e-46b7950d210b",
"observed-data--545096eb-3080-401b-9a3a-4f7f950d210b",
"file--545096eb-3080-401b-9a3a-4f7f950d210b",
"artifact--545096eb-3080-401b-9a3a-4f7f950d210b",
"indicator--5ea9f200-01f1-411e-94e3-49903f14d6f9",
"indicator--3f83ca5b-9a2c-4aeb-94ef-28093f6709f8",
"indicator--3fe4547e-5e19-4bb3-9792-eb382de45eb0",
"indicator--020e58f2-e4f2-4801-b731-d26589bd96b6",
"indicator--b48a7011-59d9-4c53-8d6c-2710d705b0c6",
"indicator--9106bde9-52f4-49db-86a1-13f4363bc029",
"indicator--8253e6f6-4248-4751-a818-f5d77efd469c",
"indicator--b707e318-bb58-4965-be62-a15ccf896891",
"indicator--51c11809-d0be-45e0-a035-e5d63686e889",
"indicator--21169314-ed29-4148-a70e-e9798894ea55",
"x-misp-attribute--87ba0439-df69-4c21-9013-be773de352ce",
"x-misp-attribute--2660589c-6263-44e1-b4de-484db317f93c",
"x-misp-attribute--e3fad633-2b34-4bdb-864e-be495f549e2a",
"x-misp-attribute--820fc95e-3d6f-4771-a592-fb60811fa0c0",
"observed-data--e704246d-ecca-4ac5-82a7-404c93aab893",
"file--e704246d-ecca-4ac5-82a7-404c93aab893",
"observed-data--91b06096-1333-470f-8d49-f408b51d84a1",
"file--91b06096-1333-470f-8d49-f408b51d84a1",
"observed-data--37148f5b-fff5-4c9e-98aa-f52fb01a3547",
"file--37148f5b-fff5-4c9e-98aa-f52fb01a3547",
"observed-data--09dd2172-ed97-433f-9c59-517161b78b2d",
"file--09dd2172-ed97-433f-9c59-517161b78b2d",
"observed-data--590e7aef-7df8-47cd-916a-360d83f132f5",
"network-traffic--590e7aef-7df8-47cd-916a-360d83f132f5",
"ipv4-addr--590e7aef-7df8-47cd-916a-360d83f132f5",
"observed-data--5fa65919-9467-4de8-9cb7-8574ff86b85d",
"file--5fa65919-9467-4de8-9cb7-8574ff86b85d",
"indicator--ec771d67-32c0-4076-8e9f-d9ce6b9f2a80",
"x-misp-attribute--54509725-4978-4706-bf95-4638950d210b",
"observed-data--54509725-678c-4a8c-a283-4c8c950d210b",
"file--54509725-678c-4a8c-a283-4c8c950d210b",
"artifact--54509725-678c-4a8c-a283-4c8c950d210b",
"observed-data--54515172-0784-49fe-bdff-b9b0950d210b",
"url--54515172-0784-49fe-bdff-b9b0950d210b",
"observed-data--54515172-3364-46b3-9145-b9b0950d210b",
"url--54515172-3364-46b3-9145-b9b0950d210b",
"observed-data--54515172-b254-4a77-8bc0-b9b0950d210b",
"url--54515172-b254-4a77-8bc0-b9b0950d210b",
"observed-data--54515172-b94c-41ae-9be0-b9b0950d210b",
"url--54515172-b94c-41ae-9be0-b9b0950d210b",
"observed-data--54515172-354c-4406-8bde-b9b0950d210b",
"url--54515172-354c-4406-8bde-b9b0950d210b",
"observed-data--54515172-24ac-4754-a2a6-b9b0950d210b",
"url--54515172-24ac-4754-a2a6-b9b0950d210b",
"observed-data--54515172-969c-4f4b-a2c1-b9b0950d210b",
"url--54515172-969c-4f4b-a2c1-b9b0950d210b",
"observed-data--54515172-dd3c-426c-ae5a-b9b0950d210b",
"url--54515172-dd3c-426c-ae5a-b9b0950d210b",
"observed-data--54515172-60d4-4a77-b1c4-b9b0950d210b",
"url--54515172-60d4-4a77-b1c4-b9b0950d210b",
"observed-data--54515172-bbc8-45b9-899f-b9b0950d210b",
"url--54515172-bbc8-45b9-899f-b9b0950d210b",
"observed-data--54515172-e024-4106-9098-b9b0950d210b",
"url--54515172-e024-4106-9098-b9b0950d210b",
"indicator--545151b0-b7b4-4d33-a3c6-6181950d210b",
"x-misp-attribute--545154ef-0bac-4215-ba2d-4ab3950d210b",
"x-misp-attribute--545154ef-3db8-4a5a-9726-47c9950d210b",
"x-misp-attribute--545154ef-3854-4a2b-9b51-403e950d210b",
"x-misp-attribute--545154ef-7dfc-4e2c-88b8-4fab950d210b",
"indicator--5451559b-be98-46ff-9f68-800f950d210b",
"indicator--5451559b-5a28-4c55-ba34-800f950d210b",
"indicator--5451559b-69cc-4db0-a51c-800f950d210b",
"indicator--545155d1-e76c-4f65-aae3-b9b0950d210b",
"indicator--545155d1-4304-461e-9615-b9b0950d210b",
"indicator--56c63fb9-0644-4c76-b9d5-c653950d210f",
"indicator--56c63fbc-c38c-4ebe-a6b2-40e8950d210f",
"indicator--56c63fbf-d514-4dbf-b3dc-599c950d210f",
"indicator--56c63fc1-5308-452f-8ea2-4958950d210f",
"indicator--56c63fc4-59e8-4951-8576-c652950d210f",
"indicator--56c63fc6-f364-4e59-a679-c650950d210f",
"indicator--56c63fc9-2818-407f-8c13-42f1950d210f",
"indicator--56c63fcc-fa60-440b-bb3f-59a1950d210f",
"indicator--56c63fcf-2d28-4d26-b266-c652950d210f",
"indicator--56c63fd1-439c-4d04-9e0d-c651950d210f",
"indicator--56c63fd4-1d2c-453b-873d-5ca1950d210f",
"indicator--56c63fbb-19c0-43af-a6b7-599f950d210f",
"indicator--56c63fbd-3ca8-4b5b-91d1-4b0d950d210f",
"indicator--56c63fc0-ec50-4ce9-95e1-599d950d210f",
"indicator--56c63fc2-d3a8-4484-977c-44e8950d210f",
"indicator--56c63fc5-4654-4248-b045-599c950d210f",
"indicator--56c63fc8-fe70-4a09-8e89-c651950d210f",
"indicator--56c63fca-b464-4f85-8926-59a2950d210f",
"indicator--56c63fcd-0868-4b54-a95d-5ca1950d210f",
"indicator--56c63fd0-08cc-4889-8343-4d32950d210f",
"indicator--56c63fd2-40b8-4459-8d9a-c653950d210f",
"indicator--56c63fd5-98f8-4ed5-bc19-c654950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"misp-galaxy:threat-actor=\"Sofacy\""
],
"object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--544fee5a-2d54-45c7-96ae-4193950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:28:26.000Z",
"modified": "2014-10-28T19:28:26.000Z",
"first_observed": "2014-10-28T19:28:26Z",
"last_observed": "2014-10-28T19:28:26Z",
"number_observed": 1,
"object_refs": [
"url--544fee5a-2d54-45c7-96ae-4193950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--544fee5a-2d54-45c7-96ae-4193950d210b",
"value": "http://www.fireeye.com/blog/technical/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--544fee5a-07ec-4539-803c-4ec7950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:28:26.000Z",
"modified": "2014-10-28T19:28:26.000Z",
"first_observed": "2014-10-28T19:28:26Z",
"last_observed": "2014-10-28T19:28:26Z",
"number_observed": 1,
"object_refs": [
"url--544fee5a-07ec-4539-803c-4ec7950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--544fee5a-07ec-4539-803c-4ec7950d210b",
"value": "http://www.fireeye.com/resources/pdfs/apt28.pdf"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--544fee65-d4e8-4b02-a4db-073f950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:28:37.000Z",
"modified": "2014-10-28T19:28:37.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "APT28"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--544fee73-8964-4c74-a279-b8e1950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:47:30.000Z",
"modified": "2014-10-29T20:47:30.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Data entered by David Andr\u00e9 with CIRCL collaboration"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff45d-2f3c-4809-9279-3989950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:54:05.000Z",
"modified": "2014-10-28T19:54:05.000Z",
"description": "Phishing domains",
"pattern": "[domain-name:value = 'kavkazcentr.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:54:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff45e-39b0-4303-9ba7-3989950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:54:06.000Z",
"modified": "2014-10-28T19:54:06.000Z",
"description": "Phishing domains",
"pattern": "[domain-name:value = 'rnil.am']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:54:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff45e-a25c-46b3-9505-3989950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:54:06.000Z",
"modified": "2014-10-28T19:54:06.000Z",
"description": "Phishing domains",
"pattern": "[domain-name:value = 'standartnevvs.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:54:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff45e-c6c0-4b28-9733-3989950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:54:06.000Z",
"modified": "2014-10-28T19:54:06.000Z",
"description": "Phishing domains",
"pattern": "[domain-name:value = 'novinitie.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:54:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff45e-e07c-4056-99a5-3989950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:54:06.000Z",
"modified": "2014-10-28T19:54:06.000Z",
"description": "Phishing domains",
"pattern": "[domain-name:value = 'n0vinite.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:54:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff45e-4d2c-49ab-bf10-3989950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:54:06.000Z",
"modified": "2014-10-28T19:54:06.000Z",
"description": "Phishing domains",
"pattern": "[domain-name:value = 'qov.hu.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:54:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff45e-de0c-406b-b09b-3989950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:54:06.000Z",
"modified": "2014-10-28T19:54:06.000Z",
"description": "Phishing domains",
"pattern": "[domain-name:value = 'q0v.pl']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:54:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff45e-3774-4904-9235-3989950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:54:06.000Z",
"modified": "2014-10-28T19:54:06.000Z",
"description": "Phishing domains",
"pattern": "[domain-name:value = 'nato.nshq.in']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:54:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff45e-dc88-4862-a57a-3989950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:54:06.000Z",
"modified": "2014-10-28T19:54:06.000Z",
"description": "Phishing domains",
"pattern": "[domain-name:value = 'natoexhibitionff14.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:54:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff45e-e8bc-40be-8afc-3989950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:54:06.000Z",
"modified": "2014-10-28T19:54:06.000Z",
"description": "Phishing domains",
"pattern": "[domain-name:value = 'login-osce.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:54:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff471-3828-428e-90a6-47e1950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:46:22.000Z",
"modified": "2014-10-29T20:46:22.000Z",
"description": "Phishing hostnames",
"pattern": "[domain-name:value = 'mail.q0v.pl']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-29T20:46:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff472-726c-4994-bb01-4d53950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:46:22.000Z",
"modified": "2014-10-29T20:46:22.000Z",
"description": "Phishing hostnames",
"pattern": "[domain-name:value = 'poczta.mon.q0v.pl']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-29T20:46:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff482-06e0-40ab-a168-52be950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:54:42.000Z",
"modified": "2014-10-28T19:54:42.000Z",
"pattern": "[file:hashes.MD5 = '272f0fde35dbdfccbca1e33373b3570d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:54:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff483-93ec-4a79-b783-52be950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:54:43.000Z",
"modified": "2014-10-28T19:54:43.000Z",
"pattern": "[file:hashes.MD5 = '8b92fe86c5b7a9e34f433a6fbac8bc3a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:54:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff483-fb00-4642-b300-52be950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:54:43.000Z",
"modified": "2014-10-28T19:54:43.000Z",
"pattern": "[file:hashes.MD5 = '9eebfebe3987fec3c395594dc57a0c4c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:54:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff483-dd28-48ac-a3a8-52be950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:54:43.000Z",
"modified": "2014-10-28T19:54:43.000Z",
"pattern": "[file:hashes.MD5 = 'da2a657dc69d7320f2ffc87013f257ad']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:54:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff483-0214-4d43-ae3d-52be950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:54:43.000Z",
"modified": "2014-10-28T19:54:43.000Z",
"pattern": "[file:hashes.MD5 = '1259c4fe5efd9bf07fc4c78466f2dd09']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:54:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff483-8e0c-4abe-8c30-52be950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:54:43.000Z",
"modified": "2014-10-28T19:54:43.000Z",
"pattern": "[file:hashes.MD5 = '3b0ecd011500f61237c205834db0e13a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:54:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff483-3fa0-4d2b-bfa8-52be950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:54:43.000Z",
"modified": "2014-10-28T19:54:43.000Z",
"pattern": "[file:hashes.MD5 = '5882fda97fdf78b47081cc4105d44f7c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:54:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff483-af00-4c6c-a454-52be950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:54:43.000Z",
"modified": "2014-10-28T19:54:43.000Z",
"pattern": "[file:hashes.MD5 = '791428601ad12b9230b9ace4f2138713']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:54:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff483-7b7c-4e49-88c5-52be950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:54:43.000Z",
"modified": "2014-10-28T19:54:43.000Z",
"pattern": "[file:hashes.MD5 = 'ead4ec18ebce6890d20757bb9f5285b1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:54:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff483-f044-4c5b-a1f8-52be950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:54:43.000Z",
"modified": "2014-10-28T19:54:43.000Z",
"pattern": "[file:hashes.MD5 = '48656a93f9ba39410763a2196aabc67f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:54:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff483-c8dc-4aa7-9aea-52be950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:54:43.000Z",
"modified": "2014-10-28T19:54:43.000Z",
"pattern": "[file:hashes.MD5 = '8c4fa713c5e2b009114adda758adc445']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:54:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff49a-5084-4354-bf30-3989950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:55:06.000Z",
"modified": "2014-10-28T19:55:06.000Z",
"description": "CnC servers",
"pattern": "[domain-name:value = 'adobeincorp.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:55:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff49a-9d70-430a-a6d7-3989950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:55:06.000Z",
"modified": "2014-10-28T19:55:06.000Z",
"description": "CnC servers",
"pattern": "[domain-name:value = 'windows-updater.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:55:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff49a-57fc-4f67-ad9f-3989950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:55:06.000Z",
"modified": "2014-10-28T19:55:06.000Z",
"description": "CnC servers",
"pattern": "[domain-name:value = 'adawareblock.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:55:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff49a-dfe0-4466-ba42-3989950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:55:06.000Z",
"modified": "2014-10-28T19:55:06.000Z",
"description": "CnC servers",
"pattern": "[domain-name:value = 'windous.kz']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:55:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff49a-9920-4e52-8790-3989950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:55:06.000Z",
"modified": "2014-10-28T19:55:06.000Z",
"description": "CnC servers",
"pattern": "[domain-name:value = 'wind0ws.kz']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:55:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff4c2-914c-482f-aa29-4c43950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:55:46.000Z",
"modified": "2014-10-28T19:55:46.000Z",
"pattern": "[email-message:to_refs[*].value = 'lisa.cuddy@wind0ws.kz']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:55:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"email-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--544ff4c2-6e34-48b8-ac27-4730950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-28T19:55:46.000Z",
"modified": "2014-10-28T19:55:46.000Z",
"pattern": "[email-message:to_refs[*].value = 'dr.house@wind0ws.kz']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-28T19:55:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"email-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--8041a130-1ead-43b7-9e3d-a8e19057292d",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:25:13.000Z",
"modified": "2014-10-29T07:25:13.000Z",
"first_observed": "2014-10-29T07:25:13Z",
"last_observed": "2014-10-29T07:25:13Z",
"number_observed": 1,
"object_refs": [
"file--8041a130-1ead-43b7-9e3d-a8e19057292d"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload installation\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--8041a130-1ead-43b7-9e3d-a8e19057292d",
"name": "Application Data\\Microsoft\\MediaPlayer\\"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--23755a4c-fdfa-420e-964d-565ce679332f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:25:13.000Z",
"modified": "2014-10-29T07:25:13.000Z",
"labels": [
"misp:type=\"other\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "OpenIOC import",
"x_misp_type": "other",
"x_misp_value": "ProcessItem/name: updatewindws.exe"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--ef486ea3-4023-4fcc-960a-58eb87d77a03",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:25:13.000Z",
"modified": "2014-10-29T07:25:13.000Z",
"first_observed": "2014-10-29T07:25:13Z",
"last_observed": "2014-10-29T07:25:13Z",
"number_observed": 1,
"object_refs": [
"file--ef486ea3-4023-4fcc-960a-58eb87d77a03"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload installation\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--ef486ea3-4023-4fcc-960a-58eb87d77a03",
"name": "updatewindws.exe"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--54509659-ab28-4778-9e1a-449d950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:25:13.000Z",
"modified": "2014-10-29T07:25:13.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "OpenIOC import",
"x_misp_type": "comment",
"x_misp_value": "long_info: OLDBAIT is a credential harvester. Both the internal strings and logic are obfuscated and are unpacked at startup. It harvests credentials from Internet Explorer, Mozilla Firefox, Eudora, The Bat! (an email client made by a Moldovan company), and Becky! (an email client made by a Japanese company). It can use both email or HTTP to send out the collected credentials."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54509659-bbf4-4523-a9db-42a6950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:25:13.000Z",
"modified": "2014-10-29T07:25:13.000Z",
"first_observed": "2014-10-29T07:25:13Z",
"last_observed": "2014-10-29T07:25:13Z",
"number_observed": 1,
"object_refs": [
"file--54509659-bbf4-4523-a9db-42a6950d210b",
"artifact--54509659-bbf4-4523-a9db-42a6950d210b"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--54509659-bbf4-4523-a9db-42a6950d210b",
"name": "a438caeb-96dd-4225-853c-fc5910980961.ioc",
"content_ref": "artifact--54509659-bbf4-4523-a9db-42a6950d210b"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--54509659-bbf4-4523-a9db-42a6950d210b",
"payload_bin": "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"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5450968b-cab4-4442-9cc7-4e1c950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:26:03.000Z",
"modified": "2014-10-29T07:26:03.000Z",
"first_observed": "2014-10-29T07:26:03Z",
"last_observed": "2014-10-29T07:26:03Z",
"number_observed": 1,
"object_refs": [
"file--5450968b-cab4-4442-9cc7-4e1c950d210b",
"artifact--5450968b-cab4-4442-9cc7-4e1c950d210b"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5450968b-cab4-4442-9cc7-4e1c950d210b",
"name": "0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc",
"content_ref": "artifact--5450968b-cab4-4442-9cc7-4e1c950d210b"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5450968b-cab4-4442-9cc7-4e1c950d210b",
"payload_bin": "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"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--0195bdbb-61bd-4fdd-bc80-cc130234b0a9",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:27:01.000Z",
"modified": "2014-10-29T07:27:01.000Z",
"first_observed": "2014-10-29T07:27:01Z",
"last_observed": "2014-10-29T07:27:01Z",
"number_observed": 1,
"object_refs": [
"file--0195bdbb-61bd-4fdd-bc80-cc130234b0a9"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload installation\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--0195bdbb-61bd-4fdd-bc80-cc130234b0a9",
"name": "netui.dll"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--d96396b2-672a-4518-87a2-53c66d20676a",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:27:01.000Z",
"modified": "2014-10-29T07:27:01.000Z",
"labels": [
"misp:type=\"other\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "OpenIOC import",
"x_misp_type": "other",
"x_misp_value": "ProcessItem/SectionList/MemorySection/Name: \\netui.dll"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--545096c5-e860-4c9c-97fc-4d8c950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:27:01.000Z",
"modified": "2014-10-29T07:27:01.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "OpenIOC import",
"x_misp_type": "comment",
"x_misp_value": "long_info: This backdoor has been delivered through the SOURFACE downloader to gain system access for reconnaissance, monitoring, credential theft, and shellcode execution."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--545096c5-f8c8-49ac-9b71-4e72950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:27:01.000Z",
"modified": "2014-10-29T07:27:01.000Z",
"first_observed": "2014-10-29T07:27:01Z",
"last_observed": "2014-10-29T07:27:01Z",
"number_observed": 1,
"object_refs": [
"file--545096c5-f8c8-49ac-9b71-4e72950d210b",
"artifact--545096c5-f8c8-49ac-9b71-4e72950d210b"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--545096c5-f8c8-49ac-9b71-4e72950d210b",
"name": "a6c6dbf0-d72a-4f07-8b11-55527aef4755.ioc",
"content_ref": "artifact--545096c5-f8c8-49ac-9b71-4e72950d210b"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--545096c5-f8c8-49ac-9b71-4e72950d210b",
"payload_bin": "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"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--30842d86-e073-4b6e-a5e0-d6b354f6847a",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:59:33.000Z",
"modified": "2014-10-29T20:59:33.000Z",
"description": "OpenIOC import",
"pattern": "[file:name = 'edg6EF885E2.tmp']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-29T20:59:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--a0e443e4-6a41-4856-8c14-d1a271ba7b6b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:27:39.000Z",
"modified": "2014-10-29T07:27:39.000Z",
"labels": [
"misp:type=\"other\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "OpenIOC import",
"x_misp_type": "other",
"x_misp_value": "ProcessItem/HandleList/Handle/Name: \\Device\\Mailslot\\check_mes_v5555"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--545096eb-1e24-4dd2-861e-46b7950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:27:39.000Z",
"modified": "2014-10-29T07:27:39.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "OpenIOC import",
"x_misp_type": "comment",
"x_misp_value": "long_info: CHOPSTICK is a backdoor that uses a modularized, object-oriented framework written in C++. This framework allows for a diverse set of capabilities across malware variants sharing a common code base. CHOPSTICK may communicate with external servers using SMTP or HTTP."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--545096eb-3080-401b-9a3a-4f7f950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:27:39.000Z",
"modified": "2014-10-29T07:27:39.000Z",
"first_observed": "2014-10-29T07:27:39Z",
"last_observed": "2014-10-29T07:27:39Z",
"number_observed": 1,
"object_refs": [
"file--545096eb-3080-401b-9a3a-4f7f950d210b",
"artifact--545096eb-3080-401b-9a3a-4f7f950d210b"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--545096eb-3080-401b-9a3a-4f7f950d210b",
"name": "bdf7929c-3f0b-4fdd-bcc5-b4a82554ad92.ioc",
"content_ref": "artifact--545096eb-3080-401b-9a3a-4f7f950d210b"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--545096eb-3080-401b-9a3a-4f7f950d210b",
"payload_bin": "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"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ea9f200-01f1-411e-94e3-49903f14d6f9",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:45:46.000Z",
"modified": "2014-10-29T20:45:46.000Z",
"description": "OpenIOC import",
"pattern": "[file:hashes.MD5 = '8c4fa713c5e2b009114adda758adc445']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-29T20:45:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3f83ca5b-9a2c-4aeb-94ef-28093f6709f8",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:45:46.000Z",
"modified": "2014-10-29T20:45:46.000Z",
"description": "OpenIOC import",
"pattern": "[file:hashes.MD5 = '3b0ecd011500f61237c205834db0e13a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-29T20:45:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3fe4547e-5e19-4bb3-9792-eb382de45eb0",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:45:46.000Z",
"modified": "2014-10-29T20:45:46.000Z",
"description": "OpenIOC import",
"pattern": "[file:hashes.MD5 = '791428601ad12b9230b9ace4f2138713']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-29T20:45:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--020e58f2-e4f2-4801-b731-d26589bd96b6",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:45:46.000Z",
"modified": "2014-10-29T20:45:46.000Z",
"description": "OpenIOC import",
"pattern": "[file:hashes.MD5 = '5882fda97fdf78b47081cc4105d44f7c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-29T20:45:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b48a7011-59d9-4c53-8d6c-2710d705b0c6",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:45:46.000Z",
"modified": "2014-10-29T20:45:46.000Z",
"description": "OpenIOC import",
"pattern": "[file:hashes.MD5 = '48656a93f9ba39410763a2196aabc67f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-29T20:45:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9106bde9-52f4-49db-86a1-13f4363bc029",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:45:46.000Z",
"modified": "2014-10-29T20:45:46.000Z",
"description": "OpenIOC import",
"pattern": "[file:hashes.MD5 = '9eebfebe3987fec3c395594dc57a0c4c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-29T20:45:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8253e6f6-4248-4751-a818-f5d77efd469c",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:45:46.000Z",
"modified": "2014-10-29T20:45:46.000Z",
"description": "OpenIOC import",
"pattern": "[file:hashes.MD5 = '8b92fe86c5b7a9e34f433a6fbac8bc3a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-29T20:45:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b707e318-bb58-4965-be62-a15ccf896891",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:45:46.000Z",
"modified": "2014-10-29T20:45:46.000Z",
"description": "OpenIOC import",
"pattern": "[file:hashes.MD5 = 'ead4ec18ebce6890d20757bb9f5285b1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-29T20:45:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--51c11809-d0be-45e0-a035-e5d63686e889",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:45:46.000Z",
"modified": "2014-10-29T20:45:46.000Z",
"description": "OpenIOC import",
"pattern": "[file:hashes.MD5 = '1259c4fe5efd9bf07fc4c78466f2dd09']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-29T20:45:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--21169314-ed29-4148-a70e-e9798894ea55",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:45:46.000Z",
"modified": "2014-10-29T20:45:46.000Z",
"description": "OpenIOC import",
"pattern": "[file:hashes.MD5 = '272f0fde35dbdfccbca1e33373b3570d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-29T20:45:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--87ba0439-df69-4c21-9013-be773de352ce",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:28:38.000Z",
"modified": "2014-10-29T07:28:38.000Z",
"labels": [
"misp:type=\"other\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "OpenIOC import",
"x_misp_type": "other",
"x_misp_value": "ProcessItem/SectionList/MemorySection/Name: AppData\\Local\\conhost.dll"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--2660589c-6263-44e1-b4de-484db317f93c",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:28:38.000Z",
"modified": "2014-10-29T07:28:38.000Z",
"labels": [
"misp:type=\"other\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "OpenIOC import",
"x_misp_type": "other",
"x_misp_value": "ProcessItem/SectionList/MemorySection/Name: Local Settings\\Application Data\\conhost.dll"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--e3fad633-2b34-4bdb-864e-be495f549e2a",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:28:38.000Z",
"modified": "2014-10-29T07:28:38.000Z",
"labels": [
"misp:type=\"other\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "OpenIOC import",
"x_misp_type": "other",
"x_misp_value": "ProcessItem/SectionList/MemorySection/PEInfo/Exports/DllName: coreshell.dll"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--820fc95e-3d6f-4771-a592-fb60811fa0c0",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:28:38.000Z",
"modified": "2014-10-29T07:28:38.000Z",
"labels": [
"misp:type=\"other\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "OpenIOC import",
"x_misp_type": "other",
"x_misp_value": "ProcessItem/SectionList/MemorySection/Name: \\netids.dll"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--e704246d-ecca-4ac5-82a7-404c93aab893",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:28:38.000Z",
"modified": "2014-10-29T07:28:38.000Z",
"first_observed": "2014-10-29T07:28:38Z",
"last_observed": "2014-10-29T07:28:38Z",
"number_observed": 1,
"object_refs": [
"file--e704246d-ecca-4ac5-82a7-404c93aab893"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload installation\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--e704246d-ecca-4ac5-82a7-404c93aab893",
"name": "Local Settings\\Application Data\\svchost.exe"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--91b06096-1333-470f-8d49-f408b51d84a1",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:28:38.000Z",
"modified": "2014-10-29T07:28:38.000Z",
"first_observed": "2014-10-29T07:28:38Z",
"last_observed": "2014-10-29T07:28:38Z",
"number_observed": 1,
"object_refs": [
"file--91b06096-1333-470f-8d49-f408b51d84a1"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload installation\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--91b06096-1333-470f-8d49-f408b51d84a1",
"name": "Local Settings\\Application Data\\conhost.dll"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--37148f5b-fff5-4c9e-98aa-f52fb01a3547",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:28:38.000Z",
"modified": "2014-10-29T07:28:38.000Z",
"first_observed": "2014-10-29T07:28:38Z",
"last_observed": "2014-10-29T07:28:38Z",
"number_observed": 1,
"object_refs": [
"file--37148f5b-fff5-4c9e-98aa-f52fb01a3547"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload installation\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--37148f5b-fff5-4c9e-98aa-f52fb01a3547",
"name": "AppData\\Local\\svchost.exe"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--09dd2172-ed97-433f-9c59-517161b78b2d",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:28:38.000Z",
"modified": "2014-10-29T07:28:38.000Z",
"first_observed": "2014-10-29T07:28:38Z",
"last_observed": "2014-10-29T07:28:38Z",
"number_observed": 1,
"object_refs": [
"file--09dd2172-ed97-433f-9c59-517161b78b2d"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload installation\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--09dd2172-ed97-433f-9c59-517161b78b2d",
"name": "AppData\\Local\\conhost.dll"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--590e7aef-7df8-47cd-916a-360d83f132f5",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:28:39.000Z",
"modified": "2014-10-29T07:28:39.000Z",
"first_observed": "2014-10-29T07:28:39Z",
"last_observed": "2014-10-29T07:28:39Z",
"number_observed": 1,
"object_refs": [
"network-traffic--590e7aef-7df8-47cd-916a-360d83f132f5",
"ipv4-addr--590e7aef-7df8-47cd-916a-360d83f132f5"
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--590e7aef-7df8-47cd-916a-360d83f132f5",
"src_ref": "ipv4-addr--590e7aef-7df8-47cd-916a-360d83f132f5",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--590e7aef-7df8-47cd-916a-360d83f132f5",
"value": "70.85.221.10"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5fa65919-9467-4de8-9cb7-8574ff86b85d",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:28:39.000Z",
"modified": "2014-10-29T07:28:39.000Z",
"first_observed": "2014-10-29T07:28:39Z",
"last_observed": "2014-10-29T07:28:39Z",
"number_observed": 1,
"object_refs": [
"file--5fa65919-9467-4de8-9cb7-8574ff86b85d"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload installation\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5fa65919-9467-4de8-9cb7-8574ff86b85d",
"name": "netids.dll"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ec771d67-32c0-4076-8e9f-d9ce6b9f2a80",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:45:46.000Z",
"modified": "2014-10-29T20:45:46.000Z",
"description": "OpenIOC import",
"pattern": "[file:hashes.MD5 = 'da2a657dc69d7320f2ffc87013f257ad']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-29T20:45:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--54509725-4978-4706-bf95-4638950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:28:39.000Z",
"modified": "2014-10-29T07:28:39.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_comment": "OpenIOC import",
"x_misp_type": "comment",
"x_misp_value": "long_info: SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server. Over time the downloader has evolved, and the newer versions are usually compiled with the DLL name 'coreshell.dll'. These variants are distinct from the older versions, so we refer to them as SOURFACE/CORESHELL or simply CORESHELL."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54509725-678c-4a8c-a283-4c8c950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T07:28:39.000Z",
"modified": "2014-10-29T07:28:39.000Z",
"first_observed": "2014-10-29T07:28:39Z",
"last_observed": "2014-10-29T07:28:39Z",
"number_observed": 1,
"object_refs": [
"file--54509725-678c-4a8c-a283-4c8c950d210b",
"artifact--54509725-678c-4a8c-a283-4c8c950d210b"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--54509725-678c-4a8c-a283-4c8c950d210b",
"name": "e1cbf7ca-4938-4d3c-a7e6-3ff966516191.ioc",
"content_ref": "artifact--54509725-678c-4a8c-a283-4c8c950d210b"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--54509725-678c-4a8c-a283-4c8c950d210b",
"payload_bin": "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"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54515172-0784-49fe-bdff-b9b0950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:43:30.000Z",
"modified": "2014-10-29T20:43:30.000Z",
"first_observed": "2014-10-29T20:43:30Z",
"last_observed": "2014-10-29T20:43:30Z",
"number_observed": 1,
"object_refs": [
"url--54515172-0784-49fe-bdff-b9b0950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--54515172-0784-49fe-bdff-b9b0950d210b",
"value": "https://github.com/fireeye/iocs/tree/master/APT28"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54515172-3364-46b3-9145-b9b0950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:43:30.000Z",
"modified": "2014-10-29T20:43:30.000Z",
"first_observed": "2014-10-29T20:43:30Z",
"last_observed": "2014-10-29T20:43:30Z",
"number_observed": 1,
"object_refs": [
"url--54515172-3364-46b3-9145-b9b0950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--54515172-3364-46b3-9145-b9b0950d210b",
"value": "https://github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54515172-b254-4a77-8bc0-b9b0950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:43:30.000Z",
"modified": "2014-10-29T20:43:30.000Z",
"first_observed": "2014-10-29T20:43:30Z",
"last_observed": "2014-10-29T20:43:30Z",
"number_observed": 1,
"object_refs": [
"url--54515172-b254-4a77-8bc0-b9b0950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--54515172-b254-4a77-8bc0-b9b0950d210b",
"value": "https://github.com/fireeye/iocs/blob/master/APT28/a438caeb-96dd-4225-853c-fc5910980961.ioc"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54515172-b94c-41ae-9be0-b9b0950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:43:30.000Z",
"modified": "2014-10-29T20:43:30.000Z",
"first_observed": "2014-10-29T20:43:30Z",
"last_observed": "2014-10-29T20:43:30Z",
"number_observed": 1,
"object_refs": [
"url--54515172-b94c-41ae-9be0-b9b0950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--54515172-b94c-41ae-9be0-b9b0950d210b",
"value": "https://github.com/fireeye/iocs/blob/master/APT28/a6c6dbf0-d72a-4f07-8b11-55527aef4755.ioc"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54515172-354c-4406-8bde-b9b0950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:43:30.000Z",
"modified": "2014-10-29T20:43:30.000Z",
"first_observed": "2014-10-29T20:43:30Z",
"last_observed": "2014-10-29T20:43:30Z",
"number_observed": 1,
"object_refs": [
"url--54515172-354c-4406-8bde-b9b0950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--54515172-354c-4406-8bde-b9b0950d210b",
"value": "https://github.com/fireeye/iocs/blob/master/APT28/bdf7929c-3f0b-4fdd-bcc5-b4a82554ad92.ioc"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54515172-24ac-4754-a2a6-b9b0950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:43:30.000Z",
"modified": "2014-10-29T20:43:30.000Z",
"first_observed": "2014-10-29T20:43:30Z",
"last_observed": "2014-10-29T20:43:30Z",
"number_observed": 1,
"object_refs": [
"url--54515172-24ac-4754-a2a6-b9b0950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--54515172-24ac-4754-a2a6-b9b0950d210b",
"value": "https://github.com/fireeye/iocs/blob/master/APT28/e1cbf7ca-4938-4d3c-a7e6-3ff966516191.ioc"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54515172-969c-4f4b-a2c1-b9b0950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:43:30.000Z",
"modified": "2014-10-29T20:43:30.000Z",
"first_observed": "2014-10-29T20:43:30Z",
"last_observed": "2014-10-29T20:43:30Z",
"number_observed": 1,
"object_refs": [
"url--54515172-969c-4f4b-a2c1-b9b0950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--54515172-969c-4f4b-a2c1-b9b0950d210b",
"value": "https://raw.githubusercontent.com/fireeye/iocs/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54515172-dd3c-426c-ae5a-b9b0950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:43:30.000Z",
"modified": "2014-10-29T20:43:30.000Z",
"first_observed": "2014-10-29T20:43:30Z",
"last_observed": "2014-10-29T20:43:30Z",
"number_observed": 1,
"object_refs": [
"url--54515172-dd3c-426c-ae5a-b9b0950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--54515172-dd3c-426c-ae5a-b9b0950d210b",
"value": "https://raw.githubusercontent.com/fireeye/iocs/master/APT28/a438caeb-96dd-4225-853c-fc5910980961.ioc"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54515172-60d4-4a77-b1c4-b9b0950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:43:30.000Z",
"modified": "2014-10-29T20:43:30.000Z",
"first_observed": "2014-10-29T20:43:30Z",
"last_observed": "2014-10-29T20:43:30Z",
"number_observed": 1,
"object_refs": [
"url--54515172-60d4-4a77-b1c4-b9b0950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--54515172-60d4-4a77-b1c4-b9b0950d210b",
"value": "https://raw.githubusercontent.com/fireeye/iocs/master/APT28/a6c6dbf0-d72a-4f07-8b11-55527aef4755.ioc"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54515172-bbc8-45b9-899f-b9b0950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:43:30.000Z",
"modified": "2014-10-29T20:43:30.000Z",
"first_observed": "2014-10-29T20:43:30Z",
"last_observed": "2014-10-29T20:43:30Z",
"number_observed": 1,
"object_refs": [
"url--54515172-bbc8-45b9-899f-b9b0950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--54515172-bbc8-45b9-899f-b9b0950d210b",
"value": "https://raw.githubusercontent.com/fireeye/iocs/master/APT28/bdf7929c-3f0b-4fdd-bcc5-b4a82554ad92.ioc"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54515172-e024-4106-9098-b9b0950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:43:30.000Z",
"modified": "2014-10-29T20:43:30.000Z",
"first_observed": "2014-10-29T20:43:30Z",
"last_observed": "2014-10-29T20:43:30Z",
"number_observed": 1,
"object_refs": [
"url--54515172-e024-4106-9098-b9b0950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--54515172-e024-4106-9098-b9b0950d210b",
"value": "https://raw.githubusercontent.com/fireeye/iocs/master/APT28/e1cbf7ca-4938-4d3c-a7e6-3ff966516191.ioc"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--545151b0-b7b4-4d33-a3c6-6181950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:44:32.000Z",
"modified": "2014-10-29T20:44:32.000Z",
"pattern": "[domain-name:value = 'smigroup-online.co.uk']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-29T20:44:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--545154ef-0bac-4215-ba2d-4ab3950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:58:23.000Z",
"modified": "2014-10-29T20:58:23.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "OLDBAIT"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--545154ef-3db8-4a5a-9726-47c9950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:58:23.000Z",
"modified": "2014-10-29T20:58:23.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "EVILTOSS"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--545154ef-3854-4a2b-9b51-403e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:58:23.000Z",
"modified": "2014-10-29T20:58:23.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "CHOPSTICK"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--545154ef-7dfc-4e2c-88b8-4fab950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T20:58:23.000Z",
"modified": "2014-10-29T20:58:23.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "SOURFACE"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5451559b-be98-46ff-9f68-800f950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T21:01:15.000Z",
"modified": "2014-10-29T21:01:15.000Z",
"pattern": "[domain-name:value = 'g0v.pl']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-29T21:01:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5451559b-5a28-4c55-ba34-800f950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T21:01:15.000Z",
"modified": "2014-10-29T21:01:15.000Z",
"pattern": "[domain-name:value = 'nshq.in']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-29T21:01:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5451559b-69cc-4db0-a51c-800f950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T21:01:15.000Z",
"modified": "2014-10-29T21:01:15.000Z",
"pattern": "[domain-name:value = 'baltichost.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-29T21:01:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--545155d1-e76c-4f65-aae3-b9b0950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T21:02:09.000Z",
"modified": "2014-10-29T21:02:09.000Z",
"pattern": "[domain-name:value = 'mail.g0v.pl']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-29T21:02:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--545155d1-4304-461e-9615-b9b0950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2014-10-29T21:02:09.000Z",
"modified": "2014-10-29T21:02:09.000Z",
"pattern": "[domain-name:value = 'nato.nshq.in']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2014-10-29T21:02:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c63fb9-0644-4c76-b9d5-c653950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:03:37.000Z",
"modified": "2016-02-18T22:03:37.000Z",
"description": "Automatically added (via 8c4fa713c5e2b009114adda758adc445)",
"pattern": "[file:hashes.SHA1 = 'f5b3e98c6b5d65807da66d50bd5730d35692174d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:03:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c63fbc-c38c-4ebe-a6b2-40e8950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:03:40.000Z",
"modified": "2016-02-18T22:03:40.000Z",
"description": "Automatically added (via 48656a93f9ba39410763a2196aabc67f)",
"pattern": "[file:hashes.SHA1 = 'a8551397e1f1a2c0148e6eadcb56fa35ee6009ca']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:03:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c63fbf-d514-4dbf-b3dc-599c950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:03:43.000Z",
"modified": "2016-02-18T22:03:43.000Z",
"description": "Automatically added (via ead4ec18ebce6890d20757bb9f5285b1)",
"pattern": "[file:hashes.SHA1 = 'ed48ef531d96e8c7360701da1c57e2ff13f12405']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:03:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c63fc1-5308-452f-8ea2-4958950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:03:45.000Z",
"modified": "2016-02-18T22:03:45.000Z",
"description": "Automatically added (via 791428601ad12b9230b9ace4f2138713)",
"pattern": "[file:hashes.SHA1 = '367d40465fd1633c435b966fa9b289188aa444bc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:03:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c63fc4-59e8-4951-8576-c652950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:03:48.000Z",
"modified": "2016-02-18T22:03:48.000Z",
"description": "Automatically added (via 5882fda97fdf78b47081cc4105d44f7c)",
"pattern": "[file:hashes.SHA1 = 'cf3220c867b81949d1ce2b36446642de7894c6dc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:03:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c63fc6-f364-4e59-a679-c650950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:03:50.000Z",
"modified": "2016-02-18T22:03:50.000Z",
"description": "Automatically added (via 3b0ecd011500f61237c205834db0e13a)",
"pattern": "[file:hashes.SHA1 = '682e49efa6d2549147a21993d64291bfa40d815a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:03:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c63fc9-2818-407f-8c13-42f1950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:03:53.000Z",
"modified": "2016-02-18T22:03:53.000Z",
"description": "Automatically added (via 1259c4fe5efd9bf07fc4c78466f2dd09)",
"pattern": "[file:hashes.SHA1 = 'd9c53adce8c35ec3b1e015ec8011078902e6800b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:03:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c63fcc-fa60-440b-bb3f-59a1950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:03:56.000Z",
"modified": "2016-02-18T22:03:56.000Z",
"description": "Automatically added (via da2a657dc69d7320f2ffc87013f257ad)",
"pattern": "[file:hashes.SHA1 = '6316258ca5ba2d85134ad7427f24a8a51ce4815b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:03:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c63fcf-2d28-4d26-b266-c652950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:03:59.000Z",
"modified": "2016-02-18T22:03:59.000Z",
"description": "Automatically added (via 9eebfebe3987fec3c395594dc57a0c4c)",
"pattern": "[file:hashes.SHA1 = 'e2450dffa675c61aa43077b25b12851a910eeeb6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:03:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c63fd1-439c-4d04-9e0d-c651950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:04:01.000Z",
"modified": "2016-02-18T22:04:01.000Z",
"description": "Automatically added (via 8b92fe86c5b7a9e34f433a6fbac8bc3a)",
"pattern": "[file:hashes.SHA1 = '85522190958c82589fa290c0835805f3d9a2f8d6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:04:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c63fd4-1d2c-453b-873d-5ca1950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:04:04.000Z",
"modified": "2016-02-18T22:04:04.000Z",
"description": "Automatically added (via 272f0fde35dbdfccbca1e33373b3570d)",
"pattern": "[file:hashes.SHA1 = 'd87b310aa81ae6254fff27b7d57f76035f544073']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:04:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c63fbb-19c0-43af-a6b7-599f950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:03:39.000Z",
"modified": "2016-02-18T22:03:39.000Z",
"description": "Automatically added (via 8c4fa713c5e2b009114adda758adc445)",
"pattern": "[file:hashes.SHA256 = 'd58f2a799552aff8358e9c63a4345ea971b27edd14b8eac825db30a8321d1a7a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:03:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c63fbd-3ca8-4b5b-91d1-4b0d950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:03:41.000Z",
"modified": "2016-02-18T22:03:41.000Z",
"description": "Automatically added (via 48656a93f9ba39410763a2196aabc67f)",
"pattern": "[file:hashes.SHA256 = 'c8087186a215553d2f95c68c03398e17e67517553f6e9a8adc906faa51bce946']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:03:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c63fc0-ec50-4ce9-95e1-599d950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:03:44.000Z",
"modified": "2016-02-18T22:03:44.000Z",
"description": "Automatically added (via ead4ec18ebce6890d20757bb9f5285b1)",
"pattern": "[file:hashes.SHA256 = '7695f20315f84bb1d940149b17dd58383210ea3498450b45fefa22a450e79683']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:03:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c63fc2-d3a8-4484-977c-44e8950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:03:46.000Z",
"modified": "2016-02-18T22:03:46.000Z",
"description": "Automatically added (via 791428601ad12b9230b9ace4f2138713)",
"pattern": "[file:hashes.SHA256 = '29cc2e69f65b9ce5fe04eb9b65942b2dabf48e41770f0a49eb698271b99d2787']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:03:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c63fc5-4654-4248-b045-599c950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:03:49.000Z",
"modified": "2016-02-18T22:03:49.000Z",
"description": "Automatically added (via 5882fda97fdf78b47081cc4105d44f7c)",
"pattern": "[file:hashes.SHA256 = '744f2a1e1a62dff2a8d5bd273304a4d21ee37a3c9b0bdcffeeca50374bd10a39']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:03:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c63fc8-fe70-4a09-8e89-c651950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:03:52.000Z",
"modified": "2016-02-18T22:03:52.000Z",
"description": "Automatically added (via 3b0ecd011500f61237c205834db0e13a)",
"pattern": "[file:hashes.SHA256 = '7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:03:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c63fca-b464-4f85-8926-59a2950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:03:54.000Z",
"modified": "2016-02-18T22:03:54.000Z",
"description": "Automatically added (via 1259c4fe5efd9bf07fc4c78466f2dd09)",
"pattern": "[file:hashes.SHA256 = '102b0158bcd5a8b64de44d9f765193dd80df1504e398ce52d37b7c8c33f2552a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:03:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c63fcd-0868-4b54-a95d-5ca1950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:03:57.000Z",
"modified": "2016-02-18T22:03:57.000Z",
"description": "Automatically added (via da2a657dc69d7320f2ffc87013f257ad)",
"pattern": "[file:hashes.SHA256 = 'd54173be095b688016528f18dc97f2d583efcf5ce562ec766afc0b294eb51ac7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:03:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c63fd0-08cc-4889-8343-4d32950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:04:00.000Z",
"modified": "2016-02-18T22:04:00.000Z",
"description": "Automatically added (via 9eebfebe3987fec3c395594dc57a0c4c)",
"pattern": "[file:hashes.SHA256 = 'e6d09ce32cc62b6f17279204fac1771a6eb35077bb79471115e8dfed2c86cd75']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:04:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c63fd2-40b8-4459-8d9a-c653950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:04:02.000Z",
"modified": "2016-02-18T22:04:02.000Z",
"description": "Automatically added (via 8b92fe86c5b7a9e34f433a6fbac8bc3a)",
"pattern": "[file:hashes.SHA256 = '03ed773bde6c6a1ac3b24bde6003322df8d41d3d1c85109b8669c430b58d2f69']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:04:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c63fd5-98f8-4ed5-bc19-c654950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:04:05.000Z",
"modified": "2016-02-18T22:04:05.000Z",
"description": "Automatically added (via 272f0fde35dbdfccbca1e33373b3570d)",
"pattern": "[file:hashes.SHA256 = '423a0799efe41b28a8b765fa505699183c8278d5a7bf07658b3bd507bfa5346f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:04:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:GREEN",
"definition": {
"tlp": "green"
}
}
]
}