{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--56f0302e-e494-494b-b012-42d7950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:37:30.000Z",
|
||
|
"modified": "2016-03-21T17:37:30.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--56f0302e-e494-494b-b012-42d7950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:37:30.000Z",
|
||
|
"modified": "2016-03-21T17:37:30.000Z",
|
||
|
"name": "OSINT - STOP SCANNING MY MACRO",
|
||
|
"published": "2016-03-21T17:39:37Z",
|
||
|
"object_refs": [
|
||
|
"x-misp-attribute--56f03058-8564-4afc-bce3-4ace950d210f",
|
||
|
"observed-data--56f03062-d6d4-4c13-aa02-468e950d210f",
|
||
|
"url--56f03062-d6d4-4c13-aa02-468e950d210f",
|
||
|
"indicator--56f03078-7514-43db-af07-4d66950d210f",
|
||
|
"indicator--56f03078-4650-4fbf-92f5-4922950d210f",
|
||
|
"indicator--56f03078-8794-489e-ab48-4075950d210f",
|
||
|
"indicator--56f03079-5ca8-41f6-be41-46df950d210f",
|
||
|
"indicator--56f03079-5dec-4fe9-aac4-479d950d210f",
|
||
|
"indicator--56f03079-a4c4-471a-9c81-43b3950d210f",
|
||
|
"indicator--56f0307a-f030-48bf-b212-4546950d210f",
|
||
|
"indicator--56f0307a-a890-4d66-a26d-455a950d210f",
|
||
|
"indicator--56f0307a-c1a4-4f4a-b5a7-4fc0950d210f",
|
||
|
"indicator--56f03094-ea38-44b9-be1d-4b79950d210f",
|
||
|
"indicator--56f030a1-a7dc-47b4-bc85-4bb8950d210f",
|
||
|
"indicator--56f030bd-9368-4ab8-b4b0-481f950d210f",
|
||
|
"indicator--56f030bd-7df0-4fb7-b858-4a23950d210f",
|
||
|
"indicator--56f030be-7d3c-4868-98f3-440a950d210f",
|
||
|
"indicator--56f030be-c334-4c0f-a9ae-4c62950d210f",
|
||
|
"indicator--56f030bf-f1a0-4cc0-b43e-43e2950d210f",
|
||
|
"indicator--56f030bf-0664-4194-bb39-4874950d210f",
|
||
|
"indicator--56f030bf-193c-45f5-a885-4fed950d210f",
|
||
|
"indicator--56f030bf-31c4-4f80-8007-4ab8950d210f",
|
||
|
"indicator--56f030d1-5904-4f85-8080-4b68950d210f",
|
||
|
"indicator--56f030e1-4bc0-4463-9a0f-4aa3950d210f",
|
||
|
"indicator--56f03116-e580-4803-91f7-4c2302de0b81",
|
||
|
"indicator--56f03117-3234-41d0-9d7e-495402de0b81",
|
||
|
"observed-data--56f03117-6aa4-4140-92de-40c102de0b81",
|
||
|
"url--56f03117-6aa4-4140-92de-40c102de0b81",
|
||
|
"indicator--56f03117-324c-400a-bd86-4c1002de0b81",
|
||
|
"indicator--56f03118-c954-4830-bfe2-4e2002de0b81",
|
||
|
"observed-data--56f03118-0468-48ac-9571-43aa02de0b81",
|
||
|
"url--56f03118-0468-48ac-9571-43aa02de0b81",
|
||
|
"indicator--56f03118-7e30-47c8-9c66-48ef02de0b81",
|
||
|
"indicator--56f03118-2ffc-4c44-b133-406a02de0b81",
|
||
|
"observed-data--56f03119-8dbc-41f3-a54d-47b102de0b81",
|
||
|
"url--56f03119-8dbc-41f3-a54d-47b102de0b81",
|
||
|
"indicator--56f03119-b7c4-4c29-80e1-4bc702de0b81",
|
||
|
"indicator--56f03119-bb00-4100-a128-45a202de0b81",
|
||
|
"observed-data--56f0311a-17cc-4844-88bc-437f02de0b81",
|
||
|
"url--56f0311a-17cc-4844-88bc-437f02de0b81",
|
||
|
"indicator--56f0311a-d55c-438e-8b49-44eb02de0b81",
|
||
|
"indicator--56f0311a-37c4-468f-9805-460802de0b81",
|
||
|
"observed-data--56f0311b-22d8-4b20-9edc-459702de0b81",
|
||
|
"url--56f0311b-22d8-4b20-9edc-459702de0b81",
|
||
|
"indicator--56f0311b-3690-48dc-992f-47f202de0b81",
|
||
|
"indicator--56f0311b-d7d4-4101-9f0a-4eef02de0b81",
|
||
|
"observed-data--56f0311c-cc34-4132-ab1e-4eb902de0b81",
|
||
|
"url--56f0311c-cc34-4132-ab1e-4eb902de0b81",
|
||
|
"indicator--56f0311c-8d54-43d2-a1f2-466402de0b81",
|
||
|
"indicator--56f0311c-a69c-4368-af80-4bac02de0b81",
|
||
|
"observed-data--56f0311d-bd54-4f90-836d-489202de0b81",
|
||
|
"url--56f0311d-bd54-4f90-836d-489202de0b81",
|
||
|
"indicator--56f0311d-b0d0-4c28-a75a-40f602de0b81",
|
||
|
"indicator--56f0311d-a360-4732-ae42-466b02de0b81",
|
||
|
"observed-data--56f0311e-1a20-46b0-bf9b-4ab502de0b81",
|
||
|
"url--56f0311e-1a20-46b0-bf9b-4ab502de0b81",
|
||
|
"indicator--56f0311e-3bec-4ea9-a949-4f2002de0b81",
|
||
|
"indicator--56f0311e-cdb8-4e97-8352-4acc02de0b81",
|
||
|
"observed-data--56f0311f-03fc-4a48-b5a6-4cfb02de0b81",
|
||
|
"url--56f0311f-03fc-4a48-b5a6-4cfb02de0b81",
|
||
|
"indicator--56f0311f-932c-4f37-b1e7-4fa802de0b81",
|
||
|
"indicator--56f0311f-8930-42de-8706-46c702de0b81",
|
||
|
"observed-data--56f03120-b2ac-4451-9d81-485102de0b81",
|
||
|
"url--56f03120-b2ac-4451-9d81-485102de0b81",
|
||
|
"indicator--56f03120-a018-434b-8970-420e02de0b81",
|
||
|
"indicator--56f03120-f604-4c60-af93-4b3f02de0b81",
|
||
|
"observed-data--56f03120-16e0-48b2-abba-4eb702de0b81",
|
||
|
"url--56f03120-16e0-48b2-abba-4eb702de0b81",
|
||
|
"indicator--56f03121-84f4-48ca-ab99-475b02de0b81",
|
||
|
"indicator--56f03121-0ec0-42f9-a7a9-42b702de0b81",
|
||
|
"observed-data--56f03121-31bc-44d1-8270-4cb902de0b81",
|
||
|
"url--56f03121-31bc-44d1-8270-4cb902de0b81",
|
||
|
"indicator--56f03122-3824-4a64-8802-408d02de0b81",
|
||
|
"indicator--56f03122-3c30-40bd-bf7a-4f1002de0b81",
|
||
|
"observed-data--56f03122-1260-43f2-8ba9-483e02de0b81",
|
||
|
"url--56f03122-1260-43f2-8ba9-483e02de0b81",
|
||
|
"indicator--56f03123-1744-4203-80e7-42b502de0b81",
|
||
|
"indicator--56f03123-7fc8-4e21-8e46-456402de0b81",
|
||
|
"observed-data--56f03123-fbc0-42ad-8b1c-4e1302de0b81",
|
||
|
"url--56f03123-fbc0-42ad-8b1c-4e1302de0b81",
|
||
|
"x-misp-attribute--56f0315a-4820-4860-9a00-4c79950d210f",
|
||
|
"x-misp-attribute--56f0315a-bf78-42bb-9d6c-4e36950d210f",
|
||
|
"x-misp-attribute--56f0315a-ef1c-4929-be90-4d1c950d210f",
|
||
|
"x-misp-attribute--56f0315b-2cd8-4fdc-b80a-4ca8950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"type:OSINT"
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--56f03058-8564-4afc-bce3-4ace950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:33:12.000Z",
|
||
|
"modified": "2016-03-21T17:33:12.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "FireEye Labs detected an interesting evasion strategy in two recent, large Dridex campaigns. These campaigns changed the attachment file-type and location of malicious logic in an attempt to avoid scanners."
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--56f03062-d6d4-4c13-aa02-468e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:33:22.000Z",
|
||
|
"modified": "2016-03-21T17:33:22.000Z",
|
||
|
"first_observed": "2016-03-21T17:33:22Z",
|
||
|
"last_observed": "2016-03-21T17:33:22Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--56f03062-d6d4-4c13-aa02-468e950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--56f03062-d6d4-4c13-aa02-468e950d210f",
|
||
|
"value": "https://www.fireeye.com/blog/threat-research/2016/03/stop_scanning_mymac.html"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f03078-7514-43db-af07-4d66950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:33:44.000Z",
|
||
|
"modified": "2016-03-21T17:33:44.000Z",
|
||
|
"description": "Tip Top Delivery campaign",
|
||
|
"pattern": "[file:hashes.MD5 = '858451ad73050bda48e5470abd2643ac']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:33:44Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f03078-4650-4fbf-92f5-4922950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:33:44.000Z",
|
||
|
"modified": "2016-03-21T17:33:44.000Z",
|
||
|
"description": "Tip Top Delivery campaign",
|
||
|
"pattern": "[file:hashes.MD5 = 'aff54d68cbf6ac8611fe89cd9f0dc2de']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:33:44Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f03078-8794-489e-ab48-4075950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:33:44.000Z",
|
||
|
"modified": "2016-03-21T17:33:44.000Z",
|
||
|
"description": "Tip Top Delivery campaign",
|
||
|
"pattern": "[file:hashes.MD5 = '876d081e8b474a3c1ac57cf435e330cb']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:33:44Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f03079-5ca8-41f6-be41-46df950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:33:45.000Z",
|
||
|
"modified": "2016-03-21T17:33:45.000Z",
|
||
|
"description": "Tip Top Delivery campaign",
|
||
|
"pattern": "[file:hashes.MD5 = 'd8eebe2a08fff86abd06ec94e8bdd165']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:33:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f03079-5dec-4fe9-aac4-479d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:33:45.000Z",
|
||
|
"modified": "2016-03-21T17:33:45.000Z",
|
||
|
"description": "Tip Top Delivery campaign",
|
||
|
"pattern": "[file:hashes.MD5 = '8c07b9337deda3c589d50e4ff3aadcd6']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:33:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f03079-a4c4-471a-9c81-43b3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:33:45.000Z",
|
||
|
"modified": "2016-03-21T17:33:45.000Z",
|
||
|
"description": "Tip Top Delivery campaign",
|
||
|
"pattern": "[file:hashes.MD5 = '73c7bf49caa0d1bd37053b99a986ebe8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:33:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f0307a-f030-48bf-b212-4546950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:33:46.000Z",
|
||
|
"modified": "2016-03-21T17:33:46.000Z",
|
||
|
"description": "Tip Top Delivery campaign",
|
||
|
"pattern": "[file:hashes.MD5 = '770fede93cc4220a371569daed2a4bc1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:33:46Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f0307a-a890-4d66-a26d-455a950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:33:46.000Z",
|
||
|
"modified": "2016-03-21T17:33:46.000Z",
|
||
|
"description": "Tip Top Delivery campaign",
|
||
|
"pattern": "[file:hashes.MD5 = '5b7813105cf9ebccb46cf7e63a5a836d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:33:46Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f0307a-c1a4-4f4a-b5a7-4fc0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:33:46.000Z",
|
||
|
"modified": "2016-03-21T17:33:46.000Z",
|
||
|
"description": "Tip Top Delivery campaign",
|
||
|
"pattern": "[file:hashes.MD5 = '8f787ddedbaa8af3f6a73d0c6cd4e33e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:33:46Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f03094-ea38-44b9-be1d-4b79950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:35:46.000Z",
|
||
|
"modified": "2016-03-21T17:35:46.000Z",
|
||
|
"pattern": "[email-message:body_multipart[*].body_raw_ref.name = 'Invoice_GIINV02514_from_tip_top_delivery.rtf']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:35:46Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-attachment\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f030a1-a7dc-47b4-bc85-4bb8950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:34:25.000Z",
|
||
|
"modified": "2016-03-21T17:34:25.000Z",
|
||
|
"pattern": "[domain-name:value = 'parts.woodwardcounselinginc.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:34:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f030bd-9368-4ab8-b4b0-481f950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:34:53.000Z",
|
||
|
"modified": "2016-03-21T17:34:53.000Z",
|
||
|
"description": "IMAGINiT campaign",
|
||
|
"pattern": "[file:hashes.MD5 = '8840c20ac74281c0580e8637caf1edea']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:34:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f030bd-7df0-4fb7-b858-4a23950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:34:53.000Z",
|
||
|
"modified": "2016-03-21T17:34:53.000Z",
|
||
|
"description": "IMAGINiT campaign",
|
||
|
"pattern": "[file:hashes.MD5 = '800f90f29d13716eb1f7059fb84089ed']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:34:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f030be-7d3c-4868-98f3-440a950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:34:54.000Z",
|
||
|
"modified": "2016-03-21T17:34:54.000Z",
|
||
|
"description": "IMAGINiT campaign",
|
||
|
"pattern": "[file:hashes.MD5 = '7e74d5a3a20038fe0a66445eb76fa066']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:34:54Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f030be-c334-4c0f-a9ae-4c62950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:34:54.000Z",
|
||
|
"modified": "2016-03-21T17:34:54.000Z",
|
||
|
"description": "IMAGINiT campaign",
|
||
|
"pattern": "[file:hashes.MD5 = '7a4b7762f8db2438b4ad3d991864431d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:34:54Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f030bf-f1a0-4cc0-b43e-43e2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:34:55.000Z",
|
||
|
"modified": "2016-03-21T17:34:55.000Z",
|
||
|
"description": "IMAGINiT campaign",
|
||
|
"pattern": "[file:hashes.MD5 = '74f9da1ce1ff900113ae7cb28b3eb56f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:34:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f030bf-0664-4194-bb39-4874950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:34:55.000Z",
|
||
|
"modified": "2016-03-21T17:34:55.000Z",
|
||
|
"description": "IMAGINiT campaign",
|
||
|
"pattern": "[file:hashes.MD5 = '6ccc678c3ec284fad015ed0eaa875733']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:34:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f030bf-193c-45f5-a885-4fed950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:34:55.000Z",
|
||
|
"modified": "2016-03-21T17:34:55.000Z",
|
||
|
"description": "IMAGINiT campaign",
|
||
|
"pattern": "[file:hashes.MD5 = '3ea5c225132f0d7423417b3c7ce98c7d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:34:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f030bf-31c4-4f80-8007-4ab8950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:34:55.000Z",
|
||
|
"modified": "2016-03-21T17:34:55.000Z",
|
||
|
"description": "IMAGINiT campaign",
|
||
|
"pattern": "[file:hashes.MD5 = '33b2a2d98aca34b66de9a11b7ec2d951']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:34:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f030d1-5904-4f85-8080-4b68950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:35:13.000Z",
|
||
|
"modified": "2016-03-21T17:35:13.000Z",
|
||
|
"pattern": "[domain-name:value = 'house.nochildforgotten.org']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:35:13Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f030e1-4bc0-4463-9a0f-4aa3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:35:36.000Z",
|
||
|
"modified": "2016-03-21T17:35:36.000Z",
|
||
|
"pattern": "[email-message:body_multipart[*].body_raw_ref.name = 'IGINV51905.rtf']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:35:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-attachment\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f03116-e580-4803-91f7-4c2302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:36:22.000Z",
|
||
|
"modified": "2016-03-21T17:36:22.000Z",
|
||
|
"description": "IMAGINiT campaign - Xchecked via VT: 33b2a2d98aca34b66de9a11b7ec2d951",
|
||
|
"pattern": "[file:hashes.SHA256 = 'fb36a810bf9a543384cb23b103394aad380548f871297f6a580773c138c8f8c8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:36:22Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f03117-3234-41d0-9d7e-495402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:36:23.000Z",
|
||
|
"modified": "2016-03-21T17:36:23.000Z",
|
||
|
"description": "IMAGINiT campaign - Xchecked via VT: 33b2a2d98aca34b66de9a11b7ec2d951",
|
||
|
"pattern": "[file:hashes.SHA1 = '4ca1f37cb52c33b9678d499ed8b6a37b8577a680']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:36:23Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--56f03117-6aa4-4140-92de-40c102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:36:23.000Z",
|
||
|
"modified": "2016-03-21T17:36:23.000Z",
|
||
|
"first_observed": "2016-03-21T17:36:23Z",
|
||
|
"last_observed": "2016-03-21T17:36:23Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--56f03117-6aa4-4140-92de-40c102de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--56f03117-6aa4-4140-92de-40c102de0b81",
|
||
|
"value": "https://www.virustotal.com/file/fb36a810bf9a543384cb23b103394aad380548f871297f6a580773c138c8f8c8/analysis/1458552924/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f03117-324c-400a-bd86-4c1002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:36:23.000Z",
|
||
|
"modified": "2016-03-21T17:36:23.000Z",
|
||
|
"description": "IMAGINiT campaign - Xchecked via VT: 3ea5c225132f0d7423417b3c7ce98c7d",
|
||
|
"pattern": "[file:hashes.SHA256 = 'cccbd3f2d121575290c19304faf1abeac1a3bbf4c1ad4af0c34479c95006ac5e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:36:23Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f03118-c954-4830-bfe2-4e2002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:36:24.000Z",
|
||
|
"modified": "2016-03-21T17:36:24.000Z",
|
||
|
"description": "IMAGINiT campaign - Xchecked via VT: 3ea5c225132f0d7423417b3c7ce98c7d",
|
||
|
"pattern": "[file:hashes.SHA1 = '28f463492c3d5683405ac76fce2e43f2a2ae58db']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:36:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--56f03118-0468-48ac-9571-43aa02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:36:24.000Z",
|
||
|
"modified": "2016-03-21T17:36:24.000Z",
|
||
|
"first_observed": "2016-03-21T17:36:24Z",
|
||
|
"last_observed": "2016-03-21T17:36:24Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--56f03118-0468-48ac-9571-43aa02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--56f03118-0468-48ac-9571-43aa02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/cccbd3f2d121575290c19304faf1abeac1a3bbf4c1ad4af0c34479c95006ac5e/analysis/1458544469/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f03118-7e30-47c8-9c66-48ef02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:36:24.000Z",
|
||
|
"modified": "2016-03-21T17:36:24.000Z",
|
||
|
"description": "IMAGINiT campaign - Xchecked via VT: 6ccc678c3ec284fad015ed0eaa875733",
|
||
|
"pattern": "[file:hashes.SHA256 = 'cbec8323a70876fa9d2261ed2a81cc3917c45c516e14cd24600fdc062bcf0889']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:36:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56f03118-2ffc-4c44-b133-406a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:36:24.000Z",
|
||
|
"modified": "2016-03-21T17:36:24.000Z",
|
||
|
"description": "IMAGINiT campaign - Xchecked via VT: 6ccc678c3ec284fad015ed0eaa875733",
|
||
|
"pattern": "[file:hashes.SHA1 = '585e82ec384cce5f329bbe6d917946723845da91']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-03-21T17:36:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--56f03119-8dbc-41f3-a54d-47b102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-03-21T17:36:25.000Z",
|
||
|
"modified": "2016-03-21T17:36:25.000Z",
|
||
|
"first_observed": "2016-03-21T17:36:25Z",
"last_observed": "2016-03-21T17:36:25Z",
"number_observed": 1,
"object_refs": [
"url--56f03119-8dbc-41f3-a54d-47b102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56f03119-8dbc-41f3-a54d-47b102de0b81",
"value": "https://www.virustotal.com/file/cbec8323a70876fa9d2261ed2a81cc3917c45c516e14cd24600fdc062bcf0889/analysis/1458424209/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f03119-b7c4-4c29-80e1-4bc702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:25.000Z",
"modified": "2016-03-21T17:36:25.000Z",
"description": "IMAGINiT campaign - Xchecked via VT: 74f9da1ce1ff900113ae7cb28b3eb56f",
"pattern": "[file:hashes.SHA256 = 'fe523db2e1b86127d21cd9b3476ba7b1b0cee35bbaa8965841fce71ed54eb576']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-21T17:36:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f03119-bb00-4100-a128-45a202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:25.000Z",
"modified": "2016-03-21T17:36:25.000Z",
"description": "IMAGINiT campaign - Xchecked via VT: 74f9da1ce1ff900113ae7cb28b3eb56f",
"pattern": "[file:hashes.SHA1 = '9aa3cb387006af303e43b564140fd2bd302f83d4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-21T17:36:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56f0311a-17cc-4844-88bc-437f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:26.000Z",
"modified": "2016-03-21T17:36:26.000Z",
"first_observed": "2016-03-21T17:36:26Z",
"last_observed": "2016-03-21T17:36:26Z",
"number_observed": 1,
"object_refs": [
"url--56f0311a-17cc-4844-88bc-437f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56f0311a-17cc-4844-88bc-437f02de0b81",
"value": "https://www.virustotal.com/file/fe523db2e1b86127d21cd9b3476ba7b1b0cee35bbaa8965841fce71ed54eb576/analysis/1458537966/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f0311a-d55c-438e-8b49-44eb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:26.000Z",
"modified": "2016-03-21T17:36:26.000Z",
"description": "IMAGINiT campaign - Xchecked via VT: 7a4b7762f8db2438b4ad3d991864431d",
"pattern": "[file:hashes.SHA256 = '2c7c3650f85a6ec5fab51078318cbeb2781305e5713df98e2ed3b0dd689d0bda']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-21T17:36:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f0311a-37c4-468f-9805-460802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:26.000Z",
"modified": "2016-03-21T17:36:26.000Z",
"description": "IMAGINiT campaign - Xchecked via VT: 7a4b7762f8db2438b4ad3d991864431d",
"pattern": "[file:hashes.SHA1 = '333e2815f05401ea4d365b7b8052aca7ffa92861']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-21T17:36:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56f0311b-22d8-4b20-9edc-459702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:27.000Z",
"modified": "2016-03-21T17:36:27.000Z",
"first_observed": "2016-03-21T17:36:27Z",
"last_observed": "2016-03-21T17:36:27Z",
"number_observed": 1,
"object_refs": [
"url--56f0311b-22d8-4b20-9edc-459702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56f0311b-22d8-4b20-9edc-459702de0b81",
"value": "https://www.virustotal.com/file/2c7c3650f85a6ec5fab51078318cbeb2781305e5713df98e2ed3b0dd689d0bda/analysis/1458454881/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f0311b-3690-48dc-992f-47f202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:27.000Z",
"modified": "2016-03-21T17:36:27.000Z",
"description": "IMAGINiT campaign - Xchecked via VT: 7e74d5a3a20038fe0a66445eb76fa066",
"pattern": "[file:hashes.SHA256 = '28e80edc15b3bebac008a4cdb030603e1477d20b7814cea491fc8506b9388c1c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-21T17:36:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f0311b-d7d4-4101-9f0a-4eef02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:27.000Z",
"modified": "2016-03-21T17:36:27.000Z",
"description": "IMAGINiT campaign - Xchecked via VT: 7e74d5a3a20038fe0a66445eb76fa066",
"pattern": "[file:hashes.SHA1 = '747cb0aaa3c48d2b1e46b2e36027ebe55681218b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-21T17:36:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56f0311c-cc34-4132-ab1e-4eb902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:28.000Z",
"modified": "2016-03-21T17:36:28.000Z",
"first_observed": "2016-03-21T17:36:28Z",
"last_observed": "2016-03-21T17:36:28Z",
"number_observed": 1,
"object_refs": [
"url--56f0311c-cc34-4132-ab1e-4eb902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56f0311c-cc34-4132-ab1e-4eb902de0b81",
"value": "https://www.virustotal.com/file/28e80edc15b3bebac008a4cdb030603e1477d20b7814cea491fc8506b9388c1c/analysis/1458468781/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f0311c-8d54-43d2-a1f2-466402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:28.000Z",
"modified": "2016-03-21T17:36:28.000Z",
"description": "IMAGINiT campaign - Xchecked via VT: 800f90f29d13716eb1f7059fb84089ed",
"pattern": "[file:hashes.SHA256 = '81ec6bc642130d1f5f9882a4cef9256636f543d46da759081bcf8886f13394ff']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-21T17:36:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f0311c-a69c-4368-af80-4bac02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:28.000Z",
"modified": "2016-03-21T17:36:28.000Z",
"description": "IMAGINiT campaign - Xchecked via VT: 800f90f29d13716eb1f7059fb84089ed",
"pattern": "[file:hashes.SHA1 = '5bf90ec91adba8c2684c3e31c1bd0ddfe2a9397b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-21T17:36:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56f0311d-bd54-4f90-836d-489202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:29.000Z",
"modified": "2016-03-21T17:36:29.000Z",
"first_observed": "2016-03-21T17:36:29Z",
"last_observed": "2016-03-21T17:36:29Z",
"number_observed": 1,
"object_refs": [
"url--56f0311d-bd54-4f90-836d-489202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56f0311d-bd54-4f90-836d-489202de0b81",
"value": "https://www.virustotal.com/file/81ec6bc642130d1f5f9882a4cef9256636f543d46da759081bcf8886f13394ff/analysis/1458424210/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f0311d-b0d0-4c28-a75a-40f602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:29.000Z",
"modified": "2016-03-21T17:36:29.000Z",
"description": "IMAGINiT campaign - Xchecked via VT: 8840c20ac74281c0580e8637caf1edea",
"pattern": "[file:hashes.SHA256 = 'b1088ada9a80ae8a5bfa6a54994573afaee16cecec1fcafdcca877d182ba088f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-21T17:36:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f0311d-a360-4732-ae42-466b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:29.000Z",
"modified": "2016-03-21T17:36:29.000Z",
"description": "IMAGINiT campaign - Xchecked via VT: 8840c20ac74281c0580e8637caf1edea",
"pattern": "[file:hashes.SHA1 = 'f577ff9b4c62b784d04cb3a22d733f07ec195881']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-21T17:36:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56f0311e-1a20-46b0-bf9b-4ab502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:30.000Z",
"modified": "2016-03-21T17:36:30.000Z",
"first_observed": "2016-03-21T17:36:30Z",
"last_observed": "2016-03-21T17:36:30Z",
"number_observed": 1,
"object_refs": [
"url--56f0311e-1a20-46b0-bf9b-4ab502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56f0311e-1a20-46b0-bf9b-4ab502de0b81",
"value": "https://www.virustotal.com/file/b1088ada9a80ae8a5bfa6a54994573afaee16cecec1fcafdcca877d182ba088f/analysis/1458547416/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f0311e-3bec-4ea9-a949-4f2002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:30.000Z",
"modified": "2016-03-21T17:36:30.000Z",
"description": "Tip Top Delivery campaign - Xchecked via VT: 8f787ddedbaa8af3f6a73d0c6cd4e33e",
"pattern": "[file:hashes.SHA256 = 'e5ccec9d24b4d518de6c6722c1c72b6b23b3bb4ddddfc03a2b9a5630702e59c0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-21T17:36:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f0311e-cdb8-4e97-8352-4acc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:30.000Z",
"modified": "2016-03-21T17:36:30.000Z",
"description": "Tip Top Delivery campaign - Xchecked via VT: 8f787ddedbaa8af3f6a73d0c6cd4e33e",
"pattern": "[file:hashes.SHA1 = '20fb89ae7ec81f28dc5fd29a5664d257150a7f7c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-21T17:36:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56f0311f-03fc-4a48-b5a6-4cfb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:31.000Z",
"modified": "2016-03-21T17:36:31.000Z",
"first_observed": "2016-03-21T17:36:31Z",
"last_observed": "2016-03-21T17:36:31Z",
"number_observed": 1,
"object_refs": [
"url--56f0311f-03fc-4a48-b5a6-4cfb02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56f0311f-03fc-4a48-b5a6-4cfb02de0b81",
"value": "https://www.virustotal.com/file/e5ccec9d24b4d518de6c6722c1c72b6b23b3bb4ddddfc03a2b9a5630702e59c0/analysis/1458424207/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f0311f-932c-4f37-b1e7-4fa802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:31.000Z",
"modified": "2016-03-21T17:36:31.000Z",
"description": "Tip Top Delivery campaign - Xchecked via VT: 5b7813105cf9ebccb46cf7e63a5a836d",
"pattern": "[file:hashes.SHA256 = '7a1df6c77168f06b06df8e53120d3a5c0c465d6319d42fc95dcc08593a4d1108']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-21T17:36:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f0311f-8930-42de-8706-46c702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:31.000Z",
"modified": "2016-03-21T17:36:31.000Z",
"description": "Tip Top Delivery campaign - Xchecked via VT: 5b7813105cf9ebccb46cf7e63a5a836d",
"pattern": "[file:hashes.SHA1 = '5d38822aa1ce863eb260e38684a781a13ccd450c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-21T17:36:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56f03120-b2ac-4451-9d81-485102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:32.000Z",
"modified": "2016-03-21T17:36:32.000Z",
"first_observed": "2016-03-21T17:36:32Z",
"last_observed": "2016-03-21T17:36:32Z",
"number_observed": 1,
"object_refs": [
"url--56f03120-b2ac-4451-9d81-485102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56f03120-b2ac-4451-9d81-485102de0b81",
"value": "https://www.virustotal.com/file/7a1df6c77168f06b06df8e53120d3a5c0c465d6319d42fc95dcc08593a4d1108/analysis/1458577767/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f03120-a018-434b-8970-420e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:32.000Z",
"modified": "2016-03-21T17:36:32.000Z",
"description": "Tip Top Delivery campaign - Xchecked via VT: 770fede93cc4220a371569daed2a4bc1",
"pattern": "[file:hashes.SHA256 = 'cd9fdb4c3a7b647bda3aec1b5afa2e7b9e2fbdb49ee833e56f7cd8104bba3547']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-21T17:36:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f03120-f604-4c60-af93-4b3f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:32.000Z",
"modified": "2016-03-21T17:36:32.000Z",
"description": "Tip Top Delivery campaign - Xchecked via VT: 770fede93cc4220a371569daed2a4bc1",
"pattern": "[file:hashes.SHA1 = '681cb976de29f799c037e11c030d28dd490b04e4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-21T17:36:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56f03120-16e0-48b2-abba-4eb702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:32.000Z",
"modified": "2016-03-21T17:36:32.000Z",
"first_observed": "2016-03-21T17:36:32Z",
"last_observed": "2016-03-21T17:36:32Z",
"number_observed": 1,
"object_refs": [
"url--56f03120-16e0-48b2-abba-4eb702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56f03120-16e0-48b2-abba-4eb702de0b81",
"value": "https://www.virustotal.com/file/cd9fdb4c3a7b647bda3aec1b5afa2e7b9e2fbdb49ee833e56f7cd8104bba3547/analysis/1458424507/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f03121-84f4-48ca-ab99-475b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:33.000Z",
"modified": "2016-03-21T17:36:33.000Z",
"description": "Tip Top Delivery campaign - Xchecked via VT: d8eebe2a08fff86abd06ec94e8bdd165",
"pattern": "[file:hashes.SHA256 = 'aa74d7d58b474d4fe9cd92826093c8c7af080452f19165c501fb0925ed8b2920']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-21T17:36:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f03121-0ec0-42f9-a7a9-42b702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:33.000Z",
"modified": "2016-03-21T17:36:33.000Z",
"description": "Tip Top Delivery campaign - Xchecked via VT: d8eebe2a08fff86abd06ec94e8bdd165",
"pattern": "[file:hashes.SHA1 = '745f519e41610bd5a89edb1359ced486474cca7f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-21T17:36:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56f03121-31bc-44d1-8270-4cb902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:33.000Z",
"modified": "2016-03-21T17:36:33.000Z",
"first_observed": "2016-03-21T17:36:33Z",
"last_observed": "2016-03-21T17:36:33Z",
"number_observed": 1,
"object_refs": [
"url--56f03121-31bc-44d1-8270-4cb902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56f03121-31bc-44d1-8270-4cb902de0b81",
"value": "https://www.virustotal.com/file/aa74d7d58b474d4fe9cd92826093c8c7af080452f19165c501fb0925ed8b2920/analysis/1458473661/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f03122-3824-4a64-8802-408d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:34.000Z",
"modified": "2016-03-21T17:36:34.000Z",
"description": "Tip Top Delivery campaign - Xchecked via VT: 876d081e8b474a3c1ac57cf435e330cb",
"pattern": "[file:hashes.SHA256 = 'ed603ed10f71e2eb33d77bc4ef32ba8d00b410610b92df9bda4659a4eacc2a79']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-21T17:36:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f03122-3c30-40bd-bf7a-4f1002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:34.000Z",
"modified": "2016-03-21T17:36:34.000Z",
"description": "Tip Top Delivery campaign - Xchecked via VT: 876d081e8b474a3c1ac57cf435e330cb",
"pattern": "[file:hashes.SHA1 = 'd50e97f803ef65e6f0ff136d81dba2c396287567']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-21T17:36:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56f03122-1260-43f2-8ba9-483e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:34.000Z",
"modified": "2016-03-21T17:36:34.000Z",
"first_observed": "2016-03-21T17:36:34Z",
"last_observed": "2016-03-21T17:36:34Z",
"number_observed": 1,
"object_refs": [
"url--56f03122-1260-43f2-8ba9-483e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56f03122-1260-43f2-8ba9-483e02de0b81",
"value": "https://www.virustotal.com/file/ed603ed10f71e2eb33d77bc4ef32ba8d00b410610b92df9bda4659a4eacc2a79/analysis/1458580699/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f03123-1744-4203-80e7-42b502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:35.000Z",
"modified": "2016-03-21T17:36:35.000Z",
"description": "Tip Top Delivery campaign - Xchecked via VT: aff54d68cbf6ac8611fe89cd9f0dc2de",
"pattern": "[file:hashes.SHA256 = '7f1548c7549c6a452d95ae9ed821f83e29a1ca9a225a3f7294c0d58f204b5d41']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-21T17:36:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f03123-7fc8-4e21-8e46-456402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:35.000Z",
"modified": "2016-03-21T17:36:35.000Z",
"description": "Tip Top Delivery campaign - Xchecked via VT: aff54d68cbf6ac8611fe89cd9f0dc2de",
"pattern": "[file:hashes.SHA1 = 'f83f899e5e12f610cb932014c1d05096cf5c7144']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-21T17:36:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56f03123-fbc0-42ad-8b1c-4e1302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:36:35.000Z",
"modified": "2016-03-21T17:36:35.000Z",
"first_observed": "2016-03-21T17:36:35Z",
"last_observed": "2016-03-21T17:36:35Z",
"number_observed": 1,
"object_refs": [
"url--56f03123-fbc0-42ad-8b1c-4e1302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56f03123-fbc0-42ad-8b1c-4e1302de0b81",
"value": "https://www.virustotal.com/file/7f1548c7549c6a452d95ae9ed821f83e29a1ca9a225a3f7294c0d58f204b5d41/analysis/1458579160/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--56f0315a-4820-4860-9a00-4c79950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:37:30.000Z",
"modified": "2016-03-21T17:37:30.000Z",
"labels": [
"misp:type=\"pattern-in-file\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "The authors left Cyrillic strings in the XML, which could possibly be used as an IOC to hunt for similar documents.",
"x_misp_type": "pattern-in-file",
"x_misp_value": "<wx:uiName wx:val=\"\u00d0\u017e\u00d1\u0081\u00d0\u00bd\u00d0\u00be\u00d0\u00b2\u00d0\u00bd\u00d0\u00be\u00d0\u00b9 \u00d1\u02c6\u00d1\u20ac\u00d0\u00b8\u00d1\u201e\u00d1\u201a \u00d0\u00b0\u00d0\u00b1\u00d0\u00b7\u00d0\u00b0\u00d1\u2020\u00d0\u00b0\"/>"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--56f0315a-bf78-42bb-9d6c-4e36950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:37:30.000Z",
"modified": "2016-03-21T17:37:30.000Z",
"labels": [
"misp:type=\"pattern-in-file\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "The authors left Cyrillic strings in the XML, which could possibly be used as an IOC to hunt for similar documents.",
"x_misp_type": "pattern-in-file",
"x_misp_value": "<wx:uiName wx:val=\"\u00d0\u017e\u00d0\u00b1\u00d1\u2039\u00d1\u2021\u00d0\u00bd\u00d0\u00b0\u00d1\u008f \u00d1\u201a\u00d0\u00b0\u00d0\u00b1\u00d0\u00bb\u00d0\u00b8\u00d1\u2020\u00d0\u00b0\"/>"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--56f0315a-ef1c-4929-be90-4d1c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:37:30.000Z",
"modified": "2016-03-21T17:37:30.000Z",
"labels": [
"misp:type=\"pattern-in-file\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "The authors left Cyrillic strings in the XML, which could possibly be used as an IOC to hunt for similar documents.",
"x_misp_type": "pattern-in-file",
"x_misp_value": "<wx:uiName wx:val=\"\u00d0\u009d\u00d0\u00b5\u00d1\u201a \u00d1\u0081\u00d0\u00bf\u00d0\u00b8\u00d1\u0081\u00d0\u00ba\u00d0\u00b0\"/>"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--56f0315b-2cd8-4fdc-b80a-4ca8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-21T17:37:31.000Z",
"modified": "2016-03-21T17:37:31.000Z",
"labels": [
"misp:type=\"pattern-in-file\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "The authors left Cyrillic strings in the XML, which could possibly be used as an IOC to hunt for similar documents.",
"x_misp_type": "pattern-in-file",
"x_misp_value": "<o:LastAuthor>\u00d0\u00bf\u00d0\u00b0\u00d0\u00b2\u00d1\u0192\u00d0\u00b2\u00d0\u00b0\u00d1\u2039\u00d0\u00b2\u00d0\u00b0</o:LastAuthor>"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}