misp-circl-feed/feeds/circl/stix-2.1/57317fb9-814c-466d-9151-4594950d210f.json

{
"type": "bundle",
"id": "bundle--57317fb9-814c-466d-9151-4594950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:45.000Z",
"modified": "2016-05-10T06:44:45.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--57317fb9-814c-466d-9151-4594950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:45.000Z",
"modified": "2016-05-10T06:44:45.000Z",
"name": "A Detailed Examination of the Siesta Campaign",
"published": "2016-05-10T06:54:46Z",
"object_refs": [
"indicator--57317fda-86e8-408a-a10c-4b1e950d210f",
"x-misp-attribute--5731805e-c794-4adc-a8e6-42ff950d210f",
"observed-data--5731807d-1500-4119-9498-4232950d210f",
"url--5731807d-1500-4119-9498-4232950d210f",
"indicator--57318096-2110-470b-baad-14da950d210f",
"indicator--573180c4-6d24-475b-939a-4124950d210f",
"indicator--573180e4-6d8c-44dd-8ec0-4f56950d210f",
"indicator--573180e5-26e4-4db6-a107-491e950d210f",
"indicator--57318103-c3a4-44cf-ae49-4770950d210f",
"indicator--57318142-0f88-4aa1-b945-4cb6950d210f",
"indicator--57318142-372c-43b5-8027-4620950d210f",
"indicator--57318171-b274-41ca-8110-459a950d210f",
"indicator--573181ca-8c94-4a54-8c1d-4395950d210f",
"indicator--573181cb-f904-43ca-b380-4f04950d210f",
"indicator--573181cb-2a34-4e5a-9c72-4360950d210f",
"indicator--573181cb-3f3c-4da7-9953-48bb950d210f",
"indicator--573181cc-7ef0-4089-af32-4ff3950d210f",
"indicator--573181cc-def0-4bf4-9e00-4da0950d210f",
"indicator--573181cd-2224-4bbe-a05e-4719950d210f",
"indicator--573181cd-717c-4764-828a-4abe950d210f",
"indicator--573181ce-6660-4a0b-9b37-4e30950d210f",
"indicator--573181ce-7208-4ae4-8d89-458a950d210f",
"indicator--573181ce-0040-4ef2-8b20-443b950d210f",
"indicator--573181cf-35d8-437a-bd6e-4e67950d210f",
"indicator--573181cf-0c18-4604-96bc-4333950d210f",
"indicator--573181d0-0cec-46b3-a67b-4e52950d210f",
"indicator--573181d0-e790-40f8-8007-4d7a950d210f",
"indicator--573181d1-7cec-4fb3-9160-4940950d210f",
"indicator--573181d1-600c-466b-aa67-4a87950d210f",
"indicator--573181d1-b8a8-4f4e-9a3b-4387950d210f",
"indicator--573181d2-03e0-4da4-b989-4c9b950d210f",
"indicator--573181d2-b454-4895-a638-4ec2950d210f",
"indicator--57318251-aae4-47a7-9f92-4e13950d210f",
"indicator--57318251-89ac-491d-8f87-4c2c950d210f",
"indicator--57318251-c070-4ce7-ba1c-44f8950d210f",
"indicator--57318252-73bc-409d-9845-4459950d210f",
"indicator--57318252-3a98-4c36-9a26-451f950d210f",
"indicator--57318253-3e24-466d-80d1-4cc3950d210f",
"indicator--57318253-4324-437f-a70c-4f17950d210f",
"indicator--57318253-11fc-4c28-9b9b-4750950d210f",
"indicator--57318254-d48c-4744-a4b1-4109950d210f",
"indicator--57318254-3dd4-4c1a-99f2-4a32950d210f",
"indicator--57318255-93f8-4277-b6ae-4b33950d210f",
"indicator--57318255-c3d4-4684-bfea-4452950d210f",
"indicator--57318256-a34c-4875-8d67-4fda950d210f",
"indicator--573182c6-ed5c-45ca-9487-4135950d210f",
"indicator--573182c6-7984-4ea0-aeaa-4547950d210f",
"indicator--573182c6-e4f8-4979-ac97-4a35950d210f",
"indicator--573182c7-af40-4d71-8951-4014950d210f",
"indicator--573182c7-d7ac-4372-8f6f-4435950d210f",
"indicator--573182c8-bd78-4048-97fd-4886950d210f",
"indicator--573182c8-3c74-4eae-91ed-4fac950d210f",
"indicator--573182c9-411c-48dd-95f0-4980950d210f",
"indicator--573182c9-2a50-412c-8f7b-4081950d210f",
"indicator--573182c9-8220-476f-882a-4182950d210f",
"indicator--573182ca-8118-4a44-858c-4c86950d210f",
"indicator--573182ca-b974-4212-bb60-4645950d210f",
"indicator--573182cb-a720-48c3-9e4b-4ab0950d210f",
"indicator--573182cb-e31c-4ab5-a8c3-4b45950d210f",
"indicator--573182cb-ade0-4eee-ad70-4506950d210f",
"indicator--573182cc-2858-4d2f-a2b3-419a950d210f",
"indicator--573182cc-9b1c-4680-9972-4de3950d210f",
"indicator--573182cd-dd44-4d45-97b1-4139950d210f",
"indicator--573182cd-4314-4c25-8497-4e20950d210f",
"indicator--57318305-3c80-4a64-8557-4f02950d210f",
"indicator--57318305-d0b8-407f-a536-44e4950d210f",
"indicator--57318305-a770-4608-bc21-4179950d210f",
"indicator--57318306-4e18-4481-8772-4a86950d210f",
"indicator--57318306-8320-4412-87c9-4071950d210f",
"indicator--57318307-5d20-4d33-8f9b-4030950d210f",
"indicator--57318307-f520-4226-962a-4407950d210f",
"indicator--57318308-7274-4d5e-b51f-4a6d950d210f",
"indicator--57318308-2778-45ee-996b-472c950d210f",
"indicator--57318308-3ab0-4ee5-920b-49d3950d210f",
"indicator--57318309-f1dc-4a9c-8c19-4454950d210f",
"indicator--57318309-2c00-4022-9ca6-4c6d950d210f",
"indicator--5731830a-3814-4e94-a669-48da950d210f",
"indicator--5731830a-c2dc-4a92-9855-46fb950d210f",
"indicator--5731830a-8e54-4930-a7ba-4193950d210f",
"indicator--5731830b-0b28-4984-bea5-49b2950d210f",
"indicator--5731830b-a7fc-498b-bab7-4731950d210f",
"indicator--5731835d-a220-445f-b0c7-4e5702de0b81",
"indicator--5731835d-0cac-41b8-b2fb-4fca02de0b81",
"observed-data--5731835e-cacc-4d4b-8c77-467c02de0b81",
"url--5731835e-cacc-4d4b-8c77-467c02de0b81",
"indicator--5731835e-c2e0-491d-9c08-4c8a02de0b81",
"indicator--5731835f-73a8-43bf-b742-43d302de0b81",
"observed-data--5731835f-2a9c-4be4-9406-4fd902de0b81",
"url--5731835f-2a9c-4be4-9406-4fd902de0b81",
"indicator--5731835f-1cc8-4a97-8ea8-433602de0b81",
"indicator--57318360-eec4-4fc3-8bec-40d902de0b81",
"observed-data--57318360-f730-4f26-8bc6-44a402de0b81",
"url--57318360-f730-4f26-8bc6-44a402de0b81",
"indicator--57318361-c150-4754-9cf5-452f02de0b81",
"indicator--57318361-bb00-4dde-9b17-413d02de0b81",
"observed-data--57318362-7890-400a-b240-480a02de0b81",
"url--57318362-7890-400a-b240-480a02de0b81",
"indicator--57318362-3530-4062-98c0-4fa502de0b81",
"indicator--57318363-bb40-4af5-9376-420602de0b81",
"observed-data--57318363-37b0-40fd-94a7-46d302de0b81",
"url--57318363-37b0-40fd-94a7-46d302de0b81",
"indicator--57318363-8060-4439-9cd1-4c2602de0b81",
"indicator--57318364-f960-414b-aa76-40c602de0b81",
"observed-data--57318364-2d04-4576-af52-49ac02de0b81",
"url--57318364-2d04-4576-af52-49ac02de0b81",
"indicator--57318365-0f38-4452-b0ee-485a02de0b81",
"indicator--57318365-288c-4ce8-aaeb-46ff02de0b81",
"observed-data--57318366-e1ac-4745-96f6-404402de0b81",
"url--57318366-e1ac-4745-96f6-404402de0b81",
"indicator--57318366-66d4-490b-a7d3-49b202de0b81",
"indicator--57318366-2a78-401f-9091-4cca02de0b81",
"observed-data--57318367-09e0-4f59-9c23-447802de0b81",
"url--57318367-09e0-4f59-9c23-447802de0b81",
"indicator--57318367-4e7c-48db-bd5a-457d02de0b81",
"indicator--57318368-ee78-482e-9833-4f0502de0b81",
"observed-data--57318368-e658-46fa-bf74-42fa02de0b81",
"url--57318368-e658-46fa-bf74-42fa02de0b81",
"indicator--57318369-1aec-4056-8429-448802de0b81",
"indicator--57318369-39b8-4539-8e88-46f202de0b81",
"observed-data--57318369-873c-49e1-aba5-48ef02de0b81",
"url--57318369-873c-49e1-aba5-48ef02de0b81",
"indicator--5731836a-dec4-46d5-b5e3-4ee802de0b81",
"indicator--5731836a-fca0-4c81-848b-410402de0b81",
"observed-data--5731836b-6edc-41c0-9e99-440902de0b81",
"url--5731836b-6edc-41c0-9e99-440902de0b81",
"indicator--5731836b-14e8-4b32-872b-412002de0b81",
"indicator--5731836c-eb4c-4ad2-bd9b-412c02de0b81",
"observed-data--5731836c-14c8-4148-a498-434802de0b81",
"url--5731836c-14c8-4148-a498-434802de0b81",
"indicator--5731836c-ff64-4322-ab2b-4d8d02de0b81",
"indicator--5731836d-3600-4596-946f-468e02de0b81",
"observed-data--5731836d-a498-452b-97a9-495002de0b81",
"url--5731836d-a498-452b-97a9-495002de0b81",
"indicator--5731836e-b3dc-445c-84d9-40be02de0b81",
"indicator--5731836e-31cc-4281-92cf-4e9902de0b81",
"observed-data--5731836e-ef58-409b-aa00-450302de0b81",
"url--5731836e-ef58-409b-aa00-450302de0b81",
"indicator--5731836f-6cd8-4a7a-bfec-495b02de0b81",
"indicator--5731836f-a6a4-4a84-832b-468302de0b81",
"observed-data--5731836f-20b8-43c4-9d06-463802de0b81",
"url--5731836f-20b8-43c4-9d06-463802de0b81",
"indicator--57318370-bfe4-4295-a6e4-49c802de0b81",
"indicator--57318370-b264-4a35-ba23-41ef02de0b81",
"observed-data--57318370-690c-408e-ab57-47be02de0b81",
"url--57318370-690c-408e-ab57-47be02de0b81",
"indicator--57318371-281c-4eb9-bcca-41ec02de0b81",
"indicator--57318371-f0e4-4265-9519-470e02de0b81",
"observed-data--57318371-d9e8-4c5b-b543-49c902de0b81",
"url--57318371-d9e8-4c5b-b543-49c902de0b81",
"indicator--57318372-6e24-4e3a-b74b-4dbe02de0b81",
"indicator--57318372-b380-4256-bc1d-4d8f02de0b81",
"observed-data--57318372-ee10-4db1-963e-4bef02de0b81",
"url--57318372-ee10-4db1-963e-4bef02de0b81",
"indicator--57318373-c824-43af-aec2-476c02de0b81",
"indicator--57318373-2d4c-48d0-968f-453602de0b81",
"observed-data--57318373-112c-43ef-bfec-40db02de0b81",
"url--57318373-112c-43ef-bfec-40db02de0b81",
"indicator--57318374-30ac-4302-87f0-4ef702de0b81",
"indicator--57318374-dac4-4624-b044-4d1102de0b81",
"observed-data--57318375-aca0-4b86-ab32-45d402de0b81",
"url--57318375-aca0-4b86-ab32-45d402de0b81",
"indicator--57318375-5038-43c0-9579-42cf02de0b81",
"indicator--57318375-b238-4f41-829b-4abf02de0b81",
"observed-data--57318376-026c-4697-9429-47bc02de0b81",
"url--57318376-026c-4697-9429-47bc02de0b81",
"indicator--57318376-61fc-4095-a3aa-435102de0b81",
"indicator--57318376-13e0-4440-bd3d-453702de0b81",
"observed-data--57318377-b0d8-4a3f-beff-4a0602de0b81",
"url--57318377-b0d8-4a3f-beff-4a0602de0b81",
"indicator--57318377-fee4-4769-92e4-4f1d02de0b81",
"indicator--57318377-a35c-4be4-b8ed-4bcb02de0b81",
"observed-data--57318378-5750-40e9-9441-4a4402de0b81",
"url--57318378-5750-40e9-9441-4a4402de0b81",
"indicator--57318378-3334-490e-a151-459402de0b81",
"indicator--57318378-5cd8-477b-b741-4a7502de0b81",
"observed-data--57318379-d624-41f5-8045-468602de0b81",
"url--57318379-d624-41f5-8045-468602de0b81",
"indicator--57318379-4678-446e-968b-467c02de0b81",
"indicator--57318379-55d4-44a9-b7a9-451d02de0b81",
"observed-data--5731837a-10cc-476b-8513-4fee02de0b81",
"url--5731837a-10cc-476b-8513-4fee02de0b81",
"indicator--5731837a-1398-4c65-b45a-438a02de0b81",
"indicator--5731837a-04d8-4ad7-b244-4acf02de0b81",
"observed-data--5731837b-bbe8-4192-aa67-4bf702de0b81",
"url--5731837b-bbe8-4192-aa67-4bf702de0b81",
"indicator--5731837b-2874-4e51-b5a7-4d1002de0b81",
"indicator--5731837b-fd38-4663-8ff3-438e02de0b81",
"observed-data--5731837c-c2f0-438c-ac48-48ea02de0b81",
"url--5731837c-c2f0-438c-ac48-48ea02de0b81",
"indicator--5731837c-9318-4671-9059-43f702de0b81",
"indicator--5731837c-e9d4-4c66-b7b3-4e5102de0b81",
"observed-data--5731837d-7d20-4ee2-9eca-44c402de0b81",
"url--5731837d-7d20-4ee2-9eca-44c402de0b81",
"indicator--5731837d-b058-4296-92aa-4f5d02de0b81",
"indicator--5731837d-96f4-4424-9b7e-469502de0b81",
"observed-data--5731837e-4b74-46a6-b299-480302de0b81",
"url--5731837e-4b74-46a6-b299-480302de0b81",
"indicator--5731837e-79fc-4137-94f5-462902de0b81",
"indicator--5731837f-a454-436b-bf98-4a8102de0b81",
"observed-data--5731837f-35ac-43fe-b644-446d02de0b81",
"url--5731837f-35ac-43fe-b644-446d02de0b81",
"indicator--5731837f-f208-4732-9b5e-455a02de0b81",
"indicator--57318380-00a4-42cf-8691-414202de0b81",
"observed-data--57318380-a90c-4586-a460-4b0402de0b81",
"url--57318380-a90c-4586-a460-4b0402de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57317fda-86e8-408a-a10c-4b1e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:33:48.000Z",
"modified": "2016-05-10T06:33:48.000Z",
"pattern": "[file:hashes.MD5 = '61249bf64fa270931570b8a5eba06afa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:33:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5731805e-c794-4adc-a8e6-42ff950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:31:58.000Z",
"modified": "2016-05-10T06:31:58.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "FireEye recently looked deeper into the activity discussed in TrendMicro\u00e2\u20ac\u2122s blog and dubbed the \u00e2\u20ac\u0153Siesta\u00e2\u20ac\u009d campaign. The tools, modus operandi, and infrastructure used in the campaign present two possibilities: either the Chinese cyber-espionage unit APT1 is perpetrating this activity, or another group is using the same tactics and tools as the legacy APT1.\r\n\r\nThe Siesta campaign reinforces the fact that analysts and network defenders should remain on the lookout for known, public indicators and for shared attributes that allow security experts to detect multiple actors with one signature."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5731807d-1500-4119-9498-4232950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:32:29.000Z",
"modified": "2016-05-10T06:32:29.000Z",
"first_observed": "2016-05-10T06:32:29Z",
"last_observed": "2016-05-10T06:32:29Z",
"number_observed": 1,
"object_refs": [
"url--5731807d-1500-4119-9498-4232950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5731807d-1500-4119-9498-4232950d210f",
"value": "https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318096-2110-470b-baad-14da950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:32:54.000Z",
"modified": "2016-05-10T06:32:54.000Z",
"description": "Spear-phishing",
"pattern": "[url:value = 'ifuedit.net/Healthcare_Questionnaire.zip']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:32:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573180c4-6d24-475b-939a-4124950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:33:40.000Z",
"modified": "2016-05-10T06:33:40.000Z",
"description": "This zip file contained a malicious executable with the following properties",
"pattern": "[domain-name:value = 'www.microsofthomes.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:33:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573180e4-6d8c-44dd-8ec0-4f56950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:34:12.000Z",
"modified": "2016-05-10T06:34:12.000Z",
"description": "Dropper (extracted from the ZIP)",
"pattern": "[file:hashes.MD5 = '68f73d81c814ab2f70eed02c0be3b67d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:34:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573180e5-26e4-4db6-a107-491e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:34:13.000Z",
"modified": "2016-05-10T06:34:13.000Z",
"description": "Dropper (extracted from the ZIP)",
"pattern": "[file:hashes.MD5 = '20b124baaaec1e8cbc3cd52e8e5ceebd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:34:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318103-c3a4-44cf-ae49-4770950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:34:43.000Z",
"modified": "2016-05-10T06:34:43.000Z",
"description": "A related dropper listed in the TrendMicro report on the Siesta campaign is",
"pattern": "[file:hashes.MD5 = '0f3031412d255336a102bbc1dcd43812']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:34:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318142-0f88-4aa1-b945-4cb6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:35:46.000Z",
"modified": "2016-05-10T06:35:46.000Z",
"description": "The import hash of 0fefba40443edd57f816502035077e3e is in other samples linked to the Siesta campaign",
"pattern": "[file:hashes.MD5 = '643654975b63a9bb6f597502e5cd8f49']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:35:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318142-372c-43b5-8027-4620950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:35:46.000Z",
"modified": "2016-05-10T06:35:46.000Z",
"description": "The import hash of 0fefba40443edd57f816502035077e3e is in other samples linked to the Siesta campaign",
"pattern": "[domain-name:value = 'www.cloudcominc.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:35:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318171-b274-41ca-8110-459a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:36:33.000Z",
"modified": "2016-05-10T06:36:33.000Z",
"description": "The import hash of 0fefba40443edd57f816502035077e3e is in other samples linked to the Siesta campaign",
"pattern": "[domain-name:value = 'www.skyslisten.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:36:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573181ca-8c94-4a54-8c1d-4395950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:38:02.000Z",
"modified": "2016-05-10T06:38:02.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"pattern": "[file:hashes.MD5 = '719453b4da6d3814604c84a28d4d1f4c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:38:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573181cb-f904-43ca-b380-4f04950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:38:03.000Z",
"modified": "2016-05-10T06:38:03.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"pattern": "[domain-name:value = 'www.stapharrest.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:38:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573181cb-2a34-4e5a-9c72-4360950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:38:03.000Z",
"modified": "2016-05-10T06:38:03.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"pattern": "[file:hashes.MD5 = '93a6e9a26924a5cdab8ed47cadbe88d5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:38:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573181cb-3f3c-4da7-9953-48bb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:38:03.000Z",
"modified": "2016-05-10T06:38:03.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"pattern": "[domain-name:value = 'www.offerdahls.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:38:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573181cc-7ef0-4089-af32-4ff3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:38:04.000Z",
"modified": "2016-05-10T06:38:04.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"pattern": "[file:hashes.MD5 = 'c2aadd6a69a775602d984af64eaeda96']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:38:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573181cc-def0-4bf4-9e00-4da0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:38:04.000Z",
"modified": "2016-05-10T06:38:04.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"pattern": "[domain-name:value = 'www.bluecoate.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:38:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573181cd-2224-4bbe-a05e-4719950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:38:05.000Z",
"modified": "2016-05-10T06:38:05.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"pattern": "[file:hashes.MD5 = '1df0b937239473df0187063392dae028']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:38:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573181cd-717c-4764-828a-4abe950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:38:05.000Z",
"modified": "2016-05-10T06:38:05.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"pattern": "[domain-name:value = 'www.billyjoebobshow.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:38:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573181ce-6660-4a0b-9b37-4e30950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:38:06.000Z",
"modified": "2016-05-10T06:38:06.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"pattern": "[file:hashes.MD5 = '55065f1b341e5b095b6d453923d5654d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:38:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573181ce-7208-4ae4-8d89-458a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:38:06.000Z",
"modified": "2016-05-10T06:38:06.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '184.82.164.104']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:38:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573181ce-0040-4ef2-8b20-443b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:38:06.000Z",
"modified": "2016-05-10T06:38:06.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"pattern": "[file:hashes.MD5 = '65502e91e3676cf30778a7078f1061de']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:38:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573181cf-35d8-437a-bd6e-4e67950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:38:07.000Z",
"modified": "2016-05-10T06:38:07.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"pattern": "[file:hashes.MD5 = '287113e4423813efd242af8e6255f680']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:38:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573181cf-0c18-4604-96bc-4333950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:38:07.000Z",
"modified": "2016-05-10T06:38:07.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"pattern": "[domain-name:value = 'thales.myftp.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:38:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573181d0-0cec-46b3-a67b-4e52950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:38:08.000Z",
"modified": "2016-05-10T06:38:08.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"pattern": "[file:hashes.MD5 = 'd613d40d5402f58d8952da2c24d1a769']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:38:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573181d0-e790-40f8-8007-4d7a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:38:08.000Z",
"modified": "2016-05-10T06:38:08.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u2014 well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"pattern": "[file:hashes.MD5 = '57a4c6236b4ecf96d31258e5cc6f0ae4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:38:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573181d1-7cec-4fb3-9160-4940950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:38:09.000Z",
"modified": "2016-05-10T06:38:09.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u2014 well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"pattern": "[domain-name:value = 'manslist.loopback.nu']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:38:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573181d1-600c-466b-aa67-4a87950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:38:09.000Z",
"modified": "2016-05-10T06:38:09.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u2014 well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"pattern": "[file:hashes.MD5 = 'e5a4ec0519c471b5be093aee5c33b1ee']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:38:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573181d1-b8a8-4f4e-9a3b-4387950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:38:09.000Z",
"modified": "2016-05-10T06:38:09.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u2014 well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"pattern": "[domain-name:value = 'www.whackcard.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:38:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573181d2-03e0-4da4-b989-4c9b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:38:10.000Z",
"modified": "2016-05-10T06:38:10.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u2014 well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"pattern": "[file:hashes.MD5 = 'f822a9e08b51c19a154dfb63ee9b8367']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:38:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573181d2-b454-4895-a638-4ec2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:38:10.000Z",
"modified": "2016-05-10T06:38:10.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u2014 well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"pattern": "[domain-name:value = 'technology.acmetoy.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:38:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318251-aae4-47a7-9f92-4e13950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:40:17.000Z",
"modified": "2016-05-10T06:40:17.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including",
"pattern": "[file:hashes.MD5 = '736ebc9b8ece410aaf4e8b60615f065f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:40:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318251-89ac-491d-8f87-4c2c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:40:17.000Z",
"modified": "2016-05-10T06:40:17.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including",
"pattern": "[domain-name:value = 'www.comtoway.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:40:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318251-c070-4ce7-ba1c-44f8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:40:17.000Z",
"modified": "2016-05-10T06:40:17.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including",
"pattern": "[file:hashes.MD5 = 'ac87816b9a371e72512d8fd82f61c737']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:40:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318252-73bc-409d-9845-4459950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:40:18.000Z",
"modified": "2016-05-10T06:40:18.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including",
"pattern": "[domain-name:value = 'www.mwa.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:40:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318252-3a98-4c36-9a26-451f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:40:18.000Z",
"modified": "2016-05-10T06:40:18.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including",
"pattern": "[file:hashes.MD5 = '173cd315008897e56fa812f2b2843f83']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:40:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318253-3e24-466d-80d1-4cc3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:40:19.000Z",
"modified": "2016-05-10T06:40:19.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including",
"pattern": "[domain-name:value = 'www.deebeedesigns.ca']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:40:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318253-4324-437f-a70c-4f17950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:40:19.000Z",
"modified": "2016-05-10T06:40:19.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including",
"pattern": "[file:hashes.MD5 = '513644c57688b70860d0b9aa1b6cd0d7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:40:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318253-11fc-4c28-9b9b-4750950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:40:19.000Z",
"modified": "2016-05-10T06:40:19.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '69.90.65.240']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:40:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318254-d48c-4744-a4b1-4109950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:40:20.000Z",
"modified": "2016-05-10T06:40:20.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including",
"pattern": "[file:hashes.MD5 = 'fdf6bf1973af8ab130fbcaa0914b4b06']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:40:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318254-3dd4-4c1a-99f2-4a32950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:40:20.000Z",
"modified": "2016-05-10T06:40:20.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including",
"pattern": "[domain-name:value = 'www.woodagency.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:40:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318255-93f8-4277-b6ae-4b33950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:40:21.000Z",
"modified": "2016-05-10T06:40:21.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including",
"pattern": "[file:hashes.MD5 = '682bfed6332e210b4f3a91e5e8a1410b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:40:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318255-c3d4-4684-bfea-4452950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:40:21.000Z",
"modified": "2016-05-10T06:40:21.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including",
"pattern": "[domain-name:value = 'www.oewarehouse.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:40:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318256-a34c-4875-8d67-4fda950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:40:22.000Z",
"modified": "2016-05-10T06:40:22.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including",
"pattern": "[file:hashes.MD5 = 'fb7a74a88eead4d39a58cc7b6eede4ce']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:40:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573182c6-ed5c-45ca-9487-4135950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:42:14.000Z",
"modified": "2016-05-10T06:42:14.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"pattern": "[file:hashes.MD5 = '1aab2040ed4f918e1823e2caf645a81d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:42:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573182c6-7984-4ea0-aeaa-4547950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:42:14.000Z",
"modified": "2016-05-10T06:42:14.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"pattern": "[domain-name:value = 'www.olmusic100.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:42:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573182c6-e4f8-4979-ac97-4a35950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:42:14.000Z",
"modified": "2016-05-10T06:42:14.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"pattern": "[file:hashes.MD5 = '8ee2cf05746bb0a009981fdb90f1343e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:42:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573182c7-af40-4d71-8951-4014950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:42:15.000Z",
"modified": "2016-05-10T06:42:15.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"pattern": "[domain-name:value = 'gogotrade.apple.org.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:42:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573182c7-d7ac-4372-8f6f-4435950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:42:15.000Z",
"modified": "2016-05-10T06:42:15.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"pattern": "[domain-name:value = 'tradeproject.rlogin.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:42:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573182c8-bd78-4048-97fd-4886950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:42:16.000Z",
"modified": "2016-05-10T06:42:16.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"pattern": "[file:hashes.MD5 = '9c4617793984c4b08d75b00f1562cbda']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:42:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573182c8-3c74-4eae-91ed-4fac950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:42:16.000Z",
"modified": "2016-05-10T06:42:16.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"pattern": "[domain-name:value = 'freetrade.allowed.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:42:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573182c9-411c-48dd-95f0-4980950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:42:17.000Z",
"modified": "2016-05-10T06:42:17.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"pattern": "[domain-name:value = 'worldwide.chickenkiller.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:42:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573182c9-2a50-412c-8f7b-4081950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:42:17.000Z",
"modified": "2016-05-10T06:42:17.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"pattern": "[file:hashes.MD5 = 'b584b48d401e98f404584c330489895c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:42:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573182c9-8220-476f-882a-4182950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:42:17.000Z",
"modified": "2016-05-10T06:42:17.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"pattern": "[file:hashes.MD5 = 'b92a53fc409d175c768581978f1d3331']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:42:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573182ca-8118-4a44-858c-4c86950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:42:18.000Z",
"modified": "2016-05-10T06:42:18.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"pattern": "[domain-name:value = 'www.rbaparts.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:42:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573182ca-b974-4212-bb60-4645950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:42:18.000Z",
"modified": "2016-05-10T06:42:18.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"pattern": "[file:hashes.MD5 = 'd6c19be4e9e1ae347ee269d15cb96a51']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:42:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573182cb-a720-48c3-9e4b-4ab0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:42:19.000Z",
"modified": "2016-05-10T06:42:19.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"pattern": "[domain-name:value = 'www.kayauto.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:42:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573182cb-e31c-4ab5-a8c3-4b45950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:42:19.000Z",
"modified": "2016-05-10T06:42:19.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"pattern": "[file:hashes.MD5 = 'd0a7cd5cd7da9024fb8bd594d37d7594']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:42:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573182cb-ade0-4eee-ad70-4506950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:42:19.000Z",
"modified": "2016-05-10T06:42:19.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"pattern": "[file:hashes.MD5 = 'b19ef1134f54b4021f99cc45ae1bc270']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:42:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573182cc-2858-4d2f-a2b3-419a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:42:20.000Z",
"modified": "2016-05-10T06:42:20.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"pattern": "[file:hashes.MD5 = 'b0a95c47d170baad8a5594e0f755e0c1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:42:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573182cc-9b1c-4680-9972-4de3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:42:20.000Z",
"modified": "2016-05-10T06:42:20.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"pattern": "[domain-name:value = 'www.coachmotor.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:42:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573182cd-dd44-4d45-97b1-4139950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:42:21.000Z",
"modified": "2016-05-10T06:42:21.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"pattern": "[file:hashes.MD5 = '894ef915af830f38499d498342fdd8db']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:42:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--573182cd-4314-4c25-8497-4e20950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:42:21.000Z",
"modified": "2016-05-10T06:42:21.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"pattern": "[domain-name:value = 'www.rightnowautoparts.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:42:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318305-3c80-4a64-8557-4f02950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:43:17.000Z",
"modified": "2016-05-10T06:43:17.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"pattern": "[file:hashes.MD5 = '392f15c431c00f049bb1282847d8967f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:43:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318305-d0b8-407f-a536-44e4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:43:17.000Z",
"modified": "2016-05-10T06:43:17.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"pattern": "[domain-name:value = 'army.xxuz.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:43:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318305-a770-4608-bc21-4179950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:43:17.000Z",
"modified": "2016-05-10T06:43:17.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"pattern": "[file:hashes.MD5 = '21567cce2c26e7543b977a205845ba77']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:43:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318306-4e18-4481-8772-4a86950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:43:18.000Z",
"modified": "2016-05-10T06:43:18.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"pattern": "[domain-name:value = 'nasa.xxuz.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:43:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318306-8320-4412-87c9-4071950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:43:18.000Z",
"modified": "2016-05-10T06:43:18.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"pattern": "[file:hashes.MD5 = 'd4b7f99669a3efc94006e5fe9d84eb65']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:43:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318307-5d20-4d33-8f9b-4030950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:43:19.000Z",
"modified": "2016-05-10T06:43:19.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"pattern": "[domain-name:value = 'tw.2012yearleft.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:43:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318307-f520-4226-962a-4407950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:43:19.000Z",
"modified": "2016-05-10T06:43:19.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"pattern": "[file:hashes.MD5 = 'df5bd411f080b55c578aeb9001a4287d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:43:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318308-7274-4d5e-b51f-4a6d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:43:20.000Z",
"modified": "2016-05-10T06:43:20.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"pattern": "[domain-name:value = 'apple.cmdnetview.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:43:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318308-2778-45ee-996b-472c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:43:20.000Z",
"modified": "2016-05-10T06:43:20.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"pattern": "[file:hashes.MD5 = '001b8f696b6576798517168cd0a0fb44']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:43:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318308-3ab0-4ee5-920b-49d3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:43:20.000Z",
"modified": "2016-05-10T06:43:20.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"pattern": "[domain-name:value = 'google.macforlinux.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:43:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318309-f1dc-4a9c-8c19-4454950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:43:21.000Z",
"modified": "2016-05-10T06:43:21.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"pattern": "[file:hashes.MD5 = '6a3b8d24c125f3a3c7cff526e63297f3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:43:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318309-2c00-4022-9ca6-4c6d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:43:21.000Z",
"modified": "2016-05-10T06:43:21.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"pattern": "[domain-name:value = 'cvnx.zyns.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:43:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731830a-3814-4e94-a669-48da950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:43:22.000Z",
"modified": "2016-05-10T06:43:22.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"pattern": "[file:hashes.MD5 = 'a02610e760fa15c064931cfafb90a9e8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:43:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731830a-c2dc-4a92-9855-46fb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:43:22.000Z",
"modified": "2016-05-10T06:43:22.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"pattern": "[file:hashes.MD5 = '78a4fee0e7b471f733f00c6e7bca3d90']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:43:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731830a-8e54-4930-a7ba-4193950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:43:22.000Z",
"modified": "2016-05-10T06:43:22.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"pattern": "[domain-name:value = 'fbi.sexxxy.biz']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:43:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731830b-0b28-4984-bea5-49b2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:43:23.000Z",
"modified": "2016-05-10T06:43:23.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"pattern": "[file:hashes.MD5 = '6f3d15cf788e28ca504a6370c4ff6a1e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:43:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731830b-a7fc-498b-bab7-4731950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:43:23.000Z",
"modified": "2016-05-10T06:43:23.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"pattern": "[domain-name:value = 'scrlk.exprenum.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:43:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731835d-a220-445f-b0c7-4e5702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:45.000Z",
"modified": "2016-05-10T06:44:45.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include - Xchecked via VT: 6f3d15cf788e28ca504a6370c4ff6a1e",
"pattern": "[file:hashes.SHA256 = 'f7ef4a429dec2409fd6f300fd33b42e334f2ada827224bd91d2d74ddfb94da25']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731835d-0cac-41b8-b2fb-4fca02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:45.000Z",
"modified": "2016-05-10T06:44:45.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include - Xchecked via VT: 6f3d15cf788e28ca504a6370c4ff6a1e",
"pattern": "[file:hashes.SHA1 = '891d0ed7eedd45030dea79f092fa83ef5b04de7f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5731835e-cacc-4d4b-8c77-467c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:46.000Z",
"modified": "2016-05-10T06:44:46.000Z",
"first_observed": "2016-05-10T06:44:46Z",
"last_observed": "2016-05-10T06:44:46Z",
"number_observed": 1,
"object_refs": [
"url--5731835e-cacc-4d4b-8c77-467c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5731835e-cacc-4d4b-8c77-467c02de0b81",
"value": "https://www.virustotal.com/file/f7ef4a429dec2409fd6f300fd33b42e334f2ada827224bd91d2d74ddfb94da25/analysis/1425629486/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731835e-c2e0-491d-9c08-4c8a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:46.000Z",
"modified": "2016-05-10T06:44:46.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include - Xchecked via VT: 6a3b8d24c125f3a3c7cff526e63297f3",
"pattern": "[file:hashes.SHA256 = 'c05f366ebfe3bee7d41496f27789896b9cc581c6bd58c65c56c7f375dd079a03']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731835f-73a8-43bf-b742-43d302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:47.000Z",
"modified": "2016-05-10T06:44:47.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include - Xchecked via VT: 6a3b8d24c125f3a3c7cff526e63297f3",
"pattern": "[file:hashes.SHA1 = 'ef4c2fba92c032633e02cab43fc99d435de651ae']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5731835f-2a9c-4be4-9406-4fd902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:47.000Z",
"modified": "2016-05-10T06:44:47.000Z",
"first_observed": "2016-05-10T06:44:47Z",
"last_observed": "2016-05-10T06:44:47Z",
"number_observed": 1,
"object_refs": [
"url--5731835f-2a9c-4be4-9406-4fd902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5731835f-2a9c-4be4-9406-4fd902de0b81",
"value": "https://www.virustotal.com/file/c05f366ebfe3bee7d41496f27789896b9cc581c6bd58c65c56c7f375dd079a03/analysis/1392276015/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731835f-1cc8-4a97-8ea8-433602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:47.000Z",
"modified": "2016-05-10T06:44:47.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include - Xchecked via VT: 001b8f696b6576798517168cd0a0fb44",
"pattern": "[file:hashes.SHA256 = 'ca4f35a7a6f98cbd9e065a171675f628c317f4365c01911f10160fd8bed87b1c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318360-eec4-4fc3-8bec-40d902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:48.000Z",
"modified": "2016-05-10T06:44:48.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include - Xchecked via VT: 001b8f696b6576798517168cd0a0fb44",
"pattern": "[file:hashes.SHA1 = '6ec8862facae7e86d69fba69ec18290b2fa0187c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57318360-f730-4f26-8bc6-44a402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:48.000Z",
"modified": "2016-05-10T06:44:48.000Z",
"first_observed": "2016-05-10T06:44:48Z",
"last_observed": "2016-05-10T06:44:48Z",
"number_observed": 1,
"object_refs": [
"url--57318360-f730-4f26-8bc6-44a402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57318360-f730-4f26-8bc6-44a402de0b81",
"value": "https://www.virustotal.com/file/ca4f35a7a6f98cbd9e065a171675f628c317f4365c01911f10160fd8bed87b1c/analysis/1440798621/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318361-c150-4754-9cf5-452f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:49.000Z",
"modified": "2016-05-10T06:44:49.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include - Xchecked via VT: 21567cce2c26e7543b977a205845ba77",
"pattern": "[file:hashes.SHA256 = '8cc24c507de155942dd99f94f90f7cc8088cc74ce6e89155b764e5d40ca649f4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318361-bb00-4dde-9b17-413d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:49.000Z",
"modified": "2016-05-10T06:44:49.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include - Xchecked via VT: 21567cce2c26e7543b977a205845ba77",
"pattern": "[file:hashes.SHA1 = '6d1280824fe6c6386e5bf08a59f0e5b2eb19cdd0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57318362-7890-400a-b240-480a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:50.000Z",
"modified": "2016-05-10T06:44:50.000Z",
"first_observed": "2016-05-10T06:44:50Z",
"last_observed": "2016-05-10T06:44:50Z",
"number_observed": 1,
"object_refs": [
"url--57318362-7890-400a-b240-480a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57318362-7890-400a-b240-480a02de0b81",
"value": "https://www.virustotal.com/file/8cc24c507de155942dd99f94f90f7cc8088cc74ce6e89155b764e5d40ca649f4/analysis/1356918578/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318362-3530-4062-98c0-4fa502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:50.000Z",
"modified": "2016-05-10T06:44:50.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include - Xchecked via VT: 392f15c431c00f049bb1282847d8967f",
"pattern": "[file:hashes.SHA256 = 'a655f206209659007df2da3e0b08c1fedfdb3455d6a37e9721913fa04bfb6bd0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318363-bb40-4af5-9376-420602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:51.000Z",
"modified": "2016-05-10T06:44:51.000Z",
"description": "This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include - Xchecked via VT: 392f15c431c00f049bb1282847d8967f",
"pattern": "[file:hashes.SHA1 = 'b96ba089e35d0623d0ae1e4844ca7527014bf503']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57318363-37b0-40fd-94a7-46d302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:51.000Z",
"modified": "2016-05-10T06:44:51.000Z",
"first_observed": "2016-05-10T06:44:51Z",
"last_observed": "2016-05-10T06:44:51Z",
"number_observed": 1,
"object_refs": [
"url--57318363-37b0-40fd-94a7-46d302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57318363-37b0-40fd-94a7-46d302de0b81",
"value": "https://www.virustotal.com/file/a655f206209659007df2da3e0b08c1fedfdb3455d6a37e9721913fa04bfb6bd0/analysis/1452550278/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318363-8060-4439-9cd1-4c2602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:51.000Z",
"modified": "2016-05-10T06:44:51.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: 894ef915af830f38499d498342fdd8db",
"pattern": "[file:hashes.SHA256 = '74a5069433cc16b622f220be20cd926833d903896b300778f1f85368c5b4ada3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318364-f960-414b-aa76-40c602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:52.000Z",
"modified": "2016-05-10T06:44:52.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: 894ef915af830f38499d498342fdd8db",
"pattern": "[file:hashes.SHA1 = '64a24b88e586d8441559dea57ade0f2723ff9868']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57318364-2d04-4576-af52-49ac02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:52.000Z",
"modified": "2016-05-10T06:44:52.000Z",
"first_observed": "2016-05-10T06:44:52Z",
"last_observed": "2016-05-10T06:44:52Z",
"number_observed": 1,
"object_refs": [
"url--57318364-2d04-4576-af52-49ac02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57318364-2d04-4576-af52-49ac02de0b81",
"value": "https://www.virustotal.com/file/74a5069433cc16b622f220be20cd926833d903896b300778f1f85368c5b4ada3/analysis/1395177638/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318365-0f38-4452-b0ee-485a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:53.000Z",
"modified": "2016-05-10T06:44:53.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: b0a95c47d170baad8a5594e0f755e0c1",
"pattern": "[file:hashes.SHA256 = '1e491f3fc51e67fd58ff990698dcdbdd85b7002493d7ad13087c8fa193e4d014']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318365-288c-4ce8-aaeb-46ff02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:53.000Z",
"modified": "2016-05-10T06:44:53.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: b0a95c47d170baad8a5594e0f755e0c1",
"pattern": "[file:hashes.SHA1 = 'b9547cf5c913744345ddb4148cc5df8aa5c5b48e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57318366-e1ac-4745-96f6-404402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:54.000Z",
"modified": "2016-05-10T06:44:54.000Z",
"first_observed": "2016-05-10T06:44:54Z",
"last_observed": "2016-05-10T06:44:54Z",
"number_observed": 1,
"object_refs": [
"url--57318366-e1ac-4745-96f6-404402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57318366-e1ac-4745-96f6-404402de0b81",
"value": "https://www.virustotal.com/file/1e491f3fc51e67fd58ff990698dcdbdd85b7002493d7ad13087c8fa193e4d014/analysis/1394409946/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318366-66d4-490b-a7d3-49b202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:54.000Z",
"modified": "2016-05-10T06:44:54.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: b19ef1134f54b4021f99cc45ae1bc270",
"pattern": "[file:hashes.SHA256 = 'c11564abe4faf59bde4a7a603c9eabd819a55a64d2a9042211959c6fdb00d201']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318366-2a78-401f-9091-4cca02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:54.000Z",
"modified": "2016-05-10T06:44:54.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: b19ef1134f54b4021f99cc45ae1bc270",
"pattern": "[file:hashes.SHA1 = '2d5f81588c2bdb7ed1236a5a199055ca86803ae2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57318367-09e0-4f59-9c23-447802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:55.000Z",
"modified": "2016-05-10T06:44:55.000Z",
"first_observed": "2016-05-10T06:44:55Z",
"last_observed": "2016-05-10T06:44:55Z",
"number_observed": 1,
"object_refs": [
"url--57318367-09e0-4f59-9c23-447802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57318367-09e0-4f59-9c23-447802de0b81",
"value": "https://www.virustotal.com/file/c11564abe4faf59bde4a7a603c9eabd819a55a64d2a9042211959c6fdb00d201/analysis/1445320275/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318367-4e7c-48db-bd5a-457d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:55.000Z",
"modified": "2016-05-10T06:44:55.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: d0a7cd5cd7da9024fb8bd594d37d7594",
"pattern": "[file:hashes.SHA256 = 'c0ee012356066b463b690b7b44a883e52ae656ff8bbe66d180219458c1bcad12']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318368-ee78-482e-9833-4f0502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:56.000Z",
"modified": "2016-05-10T06:44:56.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: d0a7cd5cd7da9024fb8bd594d37d7594",
"pattern": "[file:hashes.SHA1 = 'e626ff523783005e24e6ea53ca669d74b2b9df3a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57318368-e658-46fa-bf74-42fa02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:56.000Z",
"modified": "2016-05-10T06:44:56.000Z",
"first_observed": "2016-05-10T06:44:56Z",
"last_observed": "2016-05-10T06:44:56Z",
"number_observed": 1,
"object_refs": [
"url--57318368-e658-46fa-bf74-42fa02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57318368-e658-46fa-bf74-42fa02de0b81",
"value": "https://www.virustotal.com/file/c0ee012356066b463b690b7b44a883e52ae656ff8bbe66d180219458c1bcad12/analysis/1376486187/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318369-1aec-4056-8429-448802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:57.000Z",
"modified": "2016-05-10T06:44:57.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: d6c19be4e9e1ae347ee269d15cb96a51",
"pattern": "[file:hashes.SHA256 = 'a44affafe66c44c29500e644729c914fa9abc3b3207f823b14962541b0784c87']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318369-39b8-4539-8e88-46f202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:57.000Z",
"modified": "2016-05-10T06:44:57.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: d6c19be4e9e1ae347ee269d15cb96a51",
"pattern": "[file:hashes.SHA1 = '15987dafeb302955c495e7b348203c5981934f0a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57318369-873c-49e1-aba5-48ef02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:57.000Z",
"modified": "2016-05-10T06:44:57.000Z",
"first_observed": "2016-05-10T06:44:57Z",
"last_observed": "2016-05-10T06:44:57Z",
"number_observed": 1,
"object_refs": [
"url--57318369-873c-49e1-aba5-48ef02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57318369-873c-49e1-aba5-48ef02de0b81",
"value": "https://www.virustotal.com/file/a44affafe66c44c29500e644729c914fa9abc3b3207f823b14962541b0784c87/analysis/1365871408/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731836a-dec4-46d5-b5e3-4ee802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:58.000Z",
"modified": "2016-05-10T06:44:58.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: b92a53fc409d175c768581978f1d3331",
"pattern": "[file:hashes.SHA256 = 'dcf4db05f5eb65ec196be12522f7b6b033a3ad1edd6ba7345a47ac4a04d1a743']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731836a-fca0-4c81-848b-410402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:58.000Z",
"modified": "2016-05-10T06:44:58.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: b92a53fc409d175c768581978f1d3331",
"pattern": "[file:hashes.SHA1 = '5a58c547fab11444dacd8d3119255d57d5769429']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5731836b-6edc-41c0-9e99-440902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:59.000Z",
"modified": "2016-05-10T06:44:59.000Z",
"first_observed": "2016-05-10T06:44:59Z",
"last_observed": "2016-05-10T06:44:59Z",
"number_observed": 1,
"object_refs": [
"url--5731836b-6edc-41c0-9e99-440902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5731836b-6edc-41c0-9e99-440902de0b81",
"value": "https://www.virustotal.com/file/dcf4db05f5eb65ec196be12522f7b6b033a3ad1edd6ba7345a47ac4a04d1a743/analysis/1365602616/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731836b-14e8-4b32-872b-412002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:44:59.000Z",
"modified": "2016-05-10T06:44:59.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: b584b48d401e98f404584c330489895c",
"pattern": "[file:hashes.SHA256 = 'add517d0aeeaba63d5dffb749f4a4f3c2467ab5c4b6177881e922eb52ecfe35b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:44:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731836c-eb4c-4ad2-bd9b-412c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:00.000Z",
"modified": "2016-05-10T06:45:00.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: b584b48d401e98f404584c330489895c",
"pattern": "[file:hashes.SHA1 = '694b89edb9551740bc239f6ef9e7959b4f7e4cfa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5731836c-14c8-4148-a498-434802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:00.000Z",
"modified": "2016-05-10T06:45:00.000Z",
"first_observed": "2016-05-10T06:45:00Z",
"last_observed": "2016-05-10T06:45:00Z",
"number_observed": 1,
"object_refs": [
"url--5731836c-14c8-4148-a498-434802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5731836c-14c8-4148-a498-434802de0b81",
"value": "https://www.virustotal.com/file/add517d0aeeaba63d5dffb749f4a4f3c2467ab5c4b6177881e922eb52ecfe35b/analysis/1365784471/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731836c-ff64-4322-ab2b-4d8d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:00.000Z",
"modified": "2016-05-10T06:45:00.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: 9c4617793984c4b08d75b00f1562cbda",
"pattern": "[file:hashes.SHA256 = '10fd1a83834b737bb14834957741cb7fa16bb18fc717c5406505da48138d7aea']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731836d-3600-4596-946f-468e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:01.000Z",
"modified": "2016-05-10T06:45:01.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: 9c4617793984c4b08d75b00f1562cbda",
"pattern": "[file:hashes.SHA1 = '9df686e6682024cc383b9c52ea9f584e5f5d76b7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5731836d-a498-452b-97a9-495002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:01.000Z",
"modified": "2016-05-10T06:45:01.000Z",
"first_observed": "2016-05-10T06:45:01Z",
"last_observed": "2016-05-10T06:45:01Z",
"number_observed": 1,
"object_refs": [
"url--5731836d-a498-452b-97a9-495002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5731836d-a498-452b-97a9-495002de0b81",
"value": "https://www.virustotal.com/file/10fd1a83834b737bb14834957741cb7fa16bb18fc717c5406505da48138d7aea/analysis/1363682807/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731836e-b3dc-445c-84d9-40be02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:02.000Z",
"modified": "2016-05-10T06:45:02.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: 8ee2cf05746bb0a009981fdb90f1343e",
"pattern": "[file:hashes.SHA256 = '83dcd4701ade9196effd88552ba41c4cedff869ca61a905b03f370fcfacf6ffb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731836e-31cc-4281-92cf-4e9902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:02.000Z",
"modified": "2016-05-10T06:45:02.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: 8ee2cf05746bb0a009981fdb90f1343e",
"pattern": "[file:hashes.SHA1 = 'f2a0076bf9168b913c01660a511c3890e19629c6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5731836e-ef58-409b-aa00-450302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:02.000Z",
"modified": "2016-05-10T06:45:02.000Z",
"first_observed": "2016-05-10T06:45:02Z",
"last_observed": "2016-05-10T06:45:02Z",
"number_observed": 1,
"object_refs": [
"url--5731836e-ef58-409b-aa00-450302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5731836e-ef58-409b-aa00-450302de0b81",
"value": "https://www.virustotal.com/file/83dcd4701ade9196effd88552ba41c4cedff869ca61a905b03f370fcfacf6ffb/analysis/1393876294/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731836f-6cd8-4a7a-bfec-495b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:03.000Z",
"modified": "2016-05-10T06:45:03.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: 1aab2040ed4f918e1823e2caf645a81d",
"pattern": "[file:hashes.SHA256 = '9ff226e5b3be7c4240763574be837646ca58740ef034e3e6481f73cc95d95003']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731836f-a6a4-4a84-832b-468302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:03.000Z",
"modified": "2016-05-10T06:45:03.000Z",
"description": "Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: 1aab2040ed4f918e1823e2caf645a81d",
"pattern": "[file:hashes.SHA1 = '32f5d083fa934928fd7a09bea0217fb498bd87f7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5731836f-20b8-43c4-9d06-463802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:03.000Z",
"modified": "2016-05-10T06:45:03.000Z",
"first_observed": "2016-05-10T06:45:03Z",
"last_observed": "2016-05-10T06:45:03Z",
"number_observed": 1,
"object_refs": [
"url--5731836f-20b8-43c4-9d06-463802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5731836f-20b8-43c4-9d06-463802de0b81",
"value": "https://www.virustotal.com/file/9ff226e5b3be7c4240763574be837646ca58740ef034e3e6481f73cc95d95003/analysis/1443589943/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318370-bfe4-4295-a6e4-49c802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:04.000Z",
"modified": "2016-05-10T06:45:04.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including - Xchecked via VT: fdf6bf1973af8ab130fbcaa0914b4b06",
"pattern": "[file:hashes.SHA256 = '42349d703491db312a0bd44279e8e067043b050986eb8c4ec2337af154e19789']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318370-b264-4a35-ba23-41ef02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:04.000Z",
"modified": "2016-05-10T06:45:04.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including - Xchecked via VT: fdf6bf1973af8ab130fbcaa0914b4b06",
"pattern": "[file:hashes.SHA1 = 'd4bb3c9bd4abe66cfc3a55118c8bcf3483101e30']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57318370-690c-408e-ab57-47be02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:04.000Z",
"modified": "2016-05-10T06:45:04.000Z",
"first_observed": "2016-05-10T06:45:04Z",
"last_observed": "2016-05-10T06:45:04Z",
"number_observed": 1,
"object_refs": [
"url--57318370-690c-408e-ab57-47be02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57318370-690c-408e-ab57-47be02de0b81",
"value": "https://www.virustotal.com/file/42349d703491db312a0bd44279e8e067043b050986eb8c4ec2337af154e19789/analysis/1361273142/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318371-281c-4eb9-bcca-41ec02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:05.000Z",
"modified": "2016-05-10T06:45:05.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including - Xchecked via VT: 513644c57688b70860d0b9aa1b6cd0d7",
"pattern": "[file:hashes.SHA256 = '10a7214e7d749f3bdf49bc2e8780295fd2399fc1d5af0a2a649bb029a3cfabe1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318371-f0e4-4265-9519-470e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:05.000Z",
"modified": "2016-05-10T06:45:05.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including - Xchecked via VT: 513644c57688b70860d0b9aa1b6cd0d7",
"pattern": "[file:hashes.SHA1 = 'b5114e7b722f128647b3ea4fa973f71e961289d9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57318371-d9e8-4c5b-b543-49c902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:05.000Z",
"modified": "2016-05-10T06:45:05.000Z",
"first_observed": "2016-05-10T06:45:05Z",
"last_observed": "2016-05-10T06:45:05Z",
"number_observed": 1,
"object_refs": [
"url--57318371-d9e8-4c5b-b543-49c902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57318371-d9e8-4c5b-b543-49c902de0b81",
"value": "https://www.virustotal.com/file/10a7214e7d749f3bdf49bc2e8780295fd2399fc1d5af0a2a649bb029a3cfabe1/analysis/1443591858/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318372-6e24-4e3a-b74b-4dbe02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:06.000Z",
"modified": "2016-05-10T06:45:06.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including - Xchecked via VT: 173cd315008897e56fa812f2b2843f83",
"pattern": "[file:hashes.SHA256 = 'aa94057d957736005bd6c70dba96b39b60121e0a4b35db03d5b9dfdbf5e58537']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318372-b380-4256-bc1d-4d8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:06.000Z",
"modified": "2016-05-10T06:45:06.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including - Xchecked via VT: 173cd315008897e56fa812f2b2843f83",
"pattern": "[file:hashes.SHA1 = '2bf7f0e84a5ae908af9e846cdab04327bcc83b72']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57318372-ee10-4db1-963e-4bef02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:06.000Z",
"modified": "2016-05-10T06:45:06.000Z",
"first_observed": "2016-05-10T06:45:06Z",
"last_observed": "2016-05-10T06:45:06Z",
"number_observed": 1,
"object_refs": [
"url--57318372-ee10-4db1-963e-4bef02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57318372-ee10-4db1-963e-4bef02de0b81",
"value": "https://www.virustotal.com/file/aa94057d957736005bd6c70dba96b39b60121e0a4b35db03d5b9dfdbf5e58537/analysis/1461303512/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318373-c824-43af-aec2-476c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:07.000Z",
"modified": "2016-05-10T06:45:07.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including - Xchecked via VT: ac87816b9a371e72512d8fd82f61c737",
"pattern": "[file:hashes.SHA256 = 'b5f5b25b3e93394d530df6ecb4f3f66bffb72af73fbe61859dc15e73ee43e9c0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318373-2d4c-48d0-968f-453602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:07.000Z",
"modified": "2016-05-10T06:45:07.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including - Xchecked via VT: ac87816b9a371e72512d8fd82f61c737",
"pattern": "[file:hashes.SHA1 = 'aad4b86ad3545c508d5e02a6f78a8f363f9de6dc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57318373-112c-43ef-bfec-40db02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:07.000Z",
"modified": "2016-05-10T06:45:07.000Z",
"first_observed": "2016-05-10T06:45:07Z",
"last_observed": "2016-05-10T06:45:07Z",
"number_observed": 1,
"object_refs": [
"url--57318373-112c-43ef-bfec-40db02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57318373-112c-43ef-bfec-40db02de0b81",
"value": "https://www.virustotal.com/file/b5f5b25b3e93394d530df6ecb4f3f66bffb72af73fbe61859dc15e73ee43e9c0/analysis/1460513653/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318374-30ac-4302-87f0-4ef702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:08.000Z",
"modified": "2016-05-10T06:45:08.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including - Xchecked via VT: 736ebc9b8ece410aaf4e8b60615f065f",
"pattern": "[file:hashes.SHA256 = '544972a7e1dc64c43bea64271789d8c2921e959cd8c5050b34e27d1a5d2e7394']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318374-dac4-4624-b044-4d1102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:08.000Z",
"modified": "2016-05-10T06:45:08.000Z",
"description": "This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server. This same custom alphabet has been used in previous APT1 samples including - Xchecked via VT: 736ebc9b8ece410aaf4e8b60615f065f",
"pattern": "[file:hashes.SHA1 = 'd51b4f9181171c47beae8a8f1b27d1068a08616a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57318375-aca0-4b86-ab32-45d402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:09.000Z",
"modified": "2016-05-10T06:45:09.000Z",
"first_observed": "2016-05-10T06:45:09Z",
"last_observed": "2016-05-10T06:45:09Z",
"number_observed": 1,
"object_refs": [
"url--57318375-aca0-4b86-ab32-45d402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57318375-aca0-4b86-ab32-45d402de0b81",
"value": "https://www.virustotal.com/file/544972a7e1dc64c43bea64271789d8c2921e959cd8c5050b34e27d1a5d2e7394/analysis/1385051774/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318375-5038-43c0-9579-42cf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:09.000Z",
"modified": "2016-05-10T06:45:09.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u2014 well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: e5a4ec0519c471b5be093aee5c33b1ee",
"pattern": "[file:hashes.SHA256 = 'ee1fec3845b69ceb947abdebe52f25c939b7c19127ecaaf6ed176e713ed71c97']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318375-b238-4f41-829b-4abf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:09.000Z",
"modified": "2016-05-10T06:45:09.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u2014 well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: e5a4ec0519c471b5be093aee5c33b1ee",
"pattern": "[file:hashes.SHA1 = '8e5f61534e84197952da0afc6bd0ca6f431c784c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57318376-026c-4697-9429-47bc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:10.000Z",
"modified": "2016-05-10T06:45:10.000Z",
"first_observed": "2016-05-10T06:45:10Z",
"last_observed": "2016-05-10T06:45:10Z",
"number_observed": 1,
"object_refs": [
"url--57318376-026c-4697-9429-47bc02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57318376-026c-4697-9429-47bc02de0b81",
"value": "https://www.virustotal.com/file/ee1fec3845b69ceb947abdebe52f25c939b7c19127ecaaf6ed176e713ed71c97/analysis/1432210616/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318376-61fc-4095-a3aa-435102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:10.000Z",
"modified": "2016-05-10T06:45:10.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u2014 well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: 57a4c6236b4ecf96d31258e5cc6f0ae4",
"pattern": "[file:hashes.SHA256 = 'b2b02a05b82dbff66c12dd2cddea8d14198a5404f5af3eff21a0f230849e9c08']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318376-13e0-4440-bd3d-453702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:10.000Z",
"modified": "2016-05-10T06:45:10.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u2014 well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: 57a4c6236b4ecf96d31258e5cc6f0ae4",
"pattern": "[file:hashes.SHA1 = 'c3d4ffd92bc2addb091ebc58b2b71997fde0059f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57318377-b0d8-4a3f-beff-4a0602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:11.000Z",
"modified": "2016-05-10T06:45:11.000Z",
"first_observed": "2016-05-10T06:45:11Z",
"last_observed": "2016-05-10T06:45:11Z",
"number_observed": 1,
"object_refs": [
"url--57318377-b0d8-4a3f-beff-4a0602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57318377-b0d8-4a3f-beff-4a0602de0b81",
"value": "https://www.virustotal.com/file/b2b02a05b82dbff66c12dd2cddea8d14198a5404f5af3eff21a0f230849e9c08/analysis/1459716576/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318377-fee4-4769-92e4-4f1d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:11.000Z",
"modified": "2016-05-10T06:45:11.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u2014 well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: 287113e4423813efd242af8e6255f680",
"pattern": "[file:hashes.SHA256 = '733c3905f6171780cad79ebc55e7a64b1fffb885718e164b1c2946b0035e024a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318377-a35c-4be4-b8ed-4bcb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:11.000Z",
"modified": "2016-05-10T06:45:11.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u2014 well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: 287113e4423813efd242af8e6255f680",
"pattern": "[file:hashes.SHA1 = '3f71c9c3919d2d73e8dd03e0ea2384a438000944']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57318378-5750-40e9-9441-4a4402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:12.000Z",
"modified": "2016-05-10T06:45:12.000Z",
"first_observed": "2016-05-10T06:45:12Z",
"last_observed": "2016-05-10T06:45:12Z",
"number_observed": 1,
"object_refs": [
"url--57318378-5750-40e9-9441-4a4402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57318378-5750-40e9-9441-4a4402de0b81",
"value": "https://www.virustotal.com/file/733c3905f6171780cad79ebc55e7a64b1fffb885718e164b1c2946b0035e024a/analysis/1388477477/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318378-3334-490e-a151-459402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:12.000Z",
"modified": "2016-05-10T06:45:12.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u2014 well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: 1df0b937239473df0187063392dae028",
"pattern": "[file:hashes.SHA256 = '9e39217f2deedd91d6bb0ef5449dd032bde7bcf9049e7b04f236dd3432efe6b9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318378-5cd8-477b-b741-4a7502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:12.000Z",
"modified": "2016-05-10T06:45:12.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u2014 well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: 1df0b937239473df0187063392dae028",
"pattern": "[file:hashes.SHA1 = '57a17cbd0cef1f1745aac083789ea16b965a9d6d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57318379-d624-41f5-8045-468602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:13.000Z",
"modified": "2016-05-10T06:45:13.000Z",
"first_observed": "2016-05-10T06:45:13Z",
"last_observed": "2016-05-10T06:45:13Z",
"number_observed": 1,
"object_refs": [
"url--57318379-d624-41f5-8045-468602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57318379-d624-41f5-8045-468602de0b81",
"value": "https://www.virustotal.com/file/9e39217f2deedd91d6bb0ef5449dd032bde7bcf9049e7b04f236dd3432efe6b9/analysis/1376401763/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318379-4678-446e-968b-467c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:13.000Z",
"modified": "2016-05-10T06:45:13.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u2014 well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: c2aadd6a69a775602d984af64eaeda96",
"pattern": "[file:hashes.SHA256 = 'f66c12baa95a3bf37df748ad55ff7dcc12fa817fbfc24f2594bfcb649321dc0a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318379-55d4-44a9-b7a9-451d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:13.000Z",
"modified": "2016-05-10T06:45:13.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u2014 well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: c2aadd6a69a775602d984af64eaeda96",
"pattern": "[file:hashes.SHA1 = '088f0ae3862dcb9ad4016222de05f931cd54b6ce']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5731837a-10cc-476b-8513-4fee02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:14.000Z",
"modified": "2016-05-10T06:45:14.000Z",
"first_observed": "2016-05-10T06:45:14Z",
"last_observed": "2016-05-10T06:45:14Z",
"number_observed": 1,
"object_refs": [
"url--5731837a-10cc-476b-8513-4fee02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5731837a-10cc-476b-8513-4fee02de0b81",
"value": "https://www.virustotal.com/file/f66c12baa95a3bf37df748ad55ff7dcc12fa817fbfc24f2594bfcb649321dc0a/analysis/1435218772/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731837a-1398-4c65-b45a-438a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:14.000Z",
"modified": "2016-05-10T06:45:14.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u2014 well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: 93a6e9a26924a5cdab8ed47cadbe88d5",
"pattern": "[file:hashes.SHA256 = '5414b94a919ec9f2bb40f8b25b3f8c9ec39d86f5a54e1bea4baffe6edfda3c1b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731837a-04d8-4ad7-b244-4acf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:14.000Z",
"modified": "2016-05-10T06:45:14.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u2014 well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: 93a6e9a26924a5cdab8ed47cadbe88d5",
"pattern": "[file:hashes.SHA1 = '90d7e255903b63e1f21dcca8e26b65790c54b66d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5731837b-bbe8-4192-aa67-4bf702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:15.000Z",
"modified": "2016-05-10T06:45:15.000Z",
"first_observed": "2016-05-10T06:45:15Z",
"last_observed": "2016-05-10T06:45:15Z",
"number_observed": 1,
"object_refs": [
"url--5731837b-bbe8-4192-aa67-4bf702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5731837b-bbe8-4192-aa67-4bf702de0b81",
"value": "https://www.virustotal.com/file/5414b94a919ec9f2bb40f8b25b3f8c9ec39d86f5a54e1bea4baffe6edfda3c1b/analysis/1456852741/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731837b-2874-4e51-b5a7-4d1002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:15.000Z",
"modified": "2016-05-10T06:45:15.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u2014 well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: 719453b4da6d3814604c84a28d4d1f4c",
"pattern": "[file:hashes.SHA256 = 'a7c1d5ee278d47c6bfd7a9310cb8eda999fa2cdcab4087a6d37930fcccf5b3e4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731837b-fd38-4663-8ff3-438e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:15.000Z",
"modified": "2016-05-10T06:45:15.000Z",
"description": "The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u2014 well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: 719453b4da6d3814604c84a28d4d1f4c",
"pattern": "[file:hashes.SHA1 = '8d239d0070b1f18480de0160a2a51073821b9b11']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5731837c-c2f0-438c-ac48-48ea02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:16.000Z",
"modified": "2016-05-10T06:45:16.000Z",
"first_observed": "2016-05-10T06:45:16Z",
"last_observed": "2016-05-10T06:45:16Z",
"number_observed": 1,
"object_refs": [
"url--5731837c-c2f0-438c-ac48-48ea02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5731837c-c2f0-438c-ac48-48ea02de0b81",
"value": "https://www.virustotal.com/file/a7c1d5ee278d47c6bfd7a9310cb8eda999fa2cdcab4087a6d37930fcccf5b3e4/analysis/1394358757/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731837c-9318-4671-9059-43f702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:16.000Z",
"modified": "2016-05-10T06:45:16.000Z",
"description": "The import hash of 0fefba40443edd57f816502035077e3e is in other samples linked to the Siesta campaign - Xchecked via VT: 643654975b63a9bb6f597502e5cd8f49",
"pattern": "[file:hashes.SHA256 = '7b63576c9f0ea6afb4c900b0c5832789922c0409e9cd6efd100d3b33024963cd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731837c-e9d4-4c66-b7b3-4e5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:16.000Z",
"modified": "2016-05-10T06:45:16.000Z",
"description": "The import hash of 0fefba40443edd57f816502035077e3e is in other samples linked to the Siesta campaign - Xchecked via VT: 643654975b63a9bb6f597502e5cd8f49",
"pattern": "[file:hashes.SHA1 = '2c901a12e8c4ec9babfd693b5f3d805c945e4657']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5731837d-7d20-4ee2-9eca-44c402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:17.000Z",
"modified": "2016-05-10T06:45:17.000Z",
"first_observed": "2016-05-10T06:45:17Z",
"last_observed": "2016-05-10T06:45:17Z",
"number_observed": 1,
"object_refs": [
"url--5731837d-7d20-4ee2-9eca-44c402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5731837d-7d20-4ee2-9eca-44c402de0b81",
"value": "https://www.virustotal.com/file/7b63576c9f0ea6afb4c900b0c5832789922c0409e9cd6efd100d3b33024963cd/analysis/1456818099/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731837d-b058-4296-92aa-4f5d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:17.000Z",
"modified": "2016-05-10T06:45:17.000Z",
"description": "A related dropper listed in the TrendMicro report on the Siesta campaign is - Xchecked via VT: 0f3031412d255336a102bbc1dcd43812",
"pattern": "[file:hashes.SHA256 = '943a7838f3eccc0984219642f533deaffb7b99e8c1d51157115bc87cf72aa80f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731837d-96f4-4424-9b7e-469502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:17.000Z",
"modified": "2016-05-10T06:45:17.000Z",
"description": "A related dropper listed in the TrendMicro report on the Siesta campaign is - Xchecked via VT: 0f3031412d255336a102bbc1dcd43812",
"pattern": "[file:hashes.SHA1 = '014542eafb792b98196954373b3fd13e60cb94fe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5731837e-4b74-46a6-b299-480302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:18.000Z",
"modified": "2016-05-10T06:45:18.000Z",
"first_observed": "2016-05-10T06:45:18Z",
"last_observed": "2016-05-10T06:45:18Z",
"number_observed": 1,
"object_refs": [
"url--5731837e-4b74-46a6-b299-480302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5731837e-4b74-46a6-b299-480302de0b81",
"value": "https://www.virustotal.com/file/943a7838f3eccc0984219642f533deaffb7b99e8c1d51157115bc87cf72aa80f/analysis/1445867753/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731837e-79fc-4137-94f5-462902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:18.000Z",
"modified": "2016-05-10T06:45:18.000Z",
"description": "Dropper (extracted from the ZIP) - Xchecked via VT: 20b124baaaec1e8cbc3cd52e8e5ceebd",
"pattern": "[file:hashes.SHA256 = '0729b0e29409f1a0ccecc392e7c93b959a5e6f21a2ed4204107c9a247877a77e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731837f-a454-436b-bf98-4a8102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:19.000Z",
"modified": "2016-05-10T06:45:19.000Z",
"description": "Dropper (extracted from the ZIP) - Xchecked via VT: 20b124baaaec1e8cbc3cd52e8e5ceebd",
"pattern": "[file:hashes.SHA1 = '36e8028e2028f3f87bc99ec2e055b32cdf23ca93']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5731837f-35ac-43fe-b644-446d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:19.000Z",
"modified": "2016-05-10T06:45:19.000Z",
"first_observed": "2016-05-10T06:45:19Z",
"last_observed": "2016-05-10T06:45:19Z",
"number_observed": 1,
"object_refs": [
"url--5731837f-35ac-43fe-b644-446d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5731837f-35ac-43fe-b644-446d02de0b81",
"value": "https://www.virustotal.com/file/0729b0e29409f1a0ccecc392e7c93b959a5e6f21a2ed4204107c9a247877a77e/analysis/1396984872/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5731837f-f208-4732-9b5e-455a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:19.000Z",
"modified": "2016-05-10T06:45:19.000Z",
"description": "Dropper (extracted from the ZIP) - Xchecked via VT: 68f73d81c814ab2f70eed02c0be3b67d",
"pattern": "[file:hashes.SHA256 = '542365778f4f9b087e577a85e889a94e4ec6794b3d282d0cf36a54b394541756']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57318380-00a4-42cf-8691-414202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:20.000Z",
"modified": "2016-05-10T06:45:20.000Z",
"description": "Dropper (extracted from the ZIP) - Xchecked via VT: 68f73d81c814ab2f70eed02c0be3b67d",
"pattern": "[file:hashes.SHA1 = 'dd0d0fd51000a316a46301de03aceb24a573ea1d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-10T06:45:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57318380-a90c-4586-a460-4b0402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-10T06:45:20.000Z",
"modified": "2016-05-10T06:45:20.000Z",
"first_observed": "2016-05-10T06:45:20Z",
"last_observed": "2016-05-10T06:45:20Z",
"number_observed": 1,
"object_refs": [
"url--57318380-a90c-4586-a460-4b0402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57318380-a90c-4586-a460-4b0402de0b81",
"value": "https://www.virustotal.com/file/542365778f4f9b087e577a85e889a94e4ec6794b3d282d0cf36a54b394541756/analysis/1456818131/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}