{
"type": "bundle",
"id": "bundle--57454ee0-3294-407a-8468-493c950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-25T07:34:51.000Z",
"modified": "2016-05-25T07:34:51.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--57454ee0-3294-407a-8468-493c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-25T07:34:51.000Z",
"modified": "2016-05-25T07:34:51.000Z",
"name": "OSINT - New Wekby Attacks Use DNS Requests As Command and Control Mechanism",
"published": "2016-05-25T07:48:54Z",
"object_refs": [
"indicator--57455077-0144-41d3-b61f-4420950d210f",
"indicator--57455077-e4e8-46e7-8528-4fe1950d210f",
"indicator--57455078-6e98-4713-ae9a-4370950d210f",
"indicator--57455078-5aa8-4a30-9f3e-48ee950d210f",
"indicator--57455078-7a08-49da-a316-463f950d210f",
"indicator--57455079-8b60-418f-8579-4b4c950d210f",
"indicator--57455079-d494-4a47-9489-48a9950d210f",
"indicator--57455119-805c-49dd-b728-4394950d210f",
"indicator--57455119-2dcc-40d1-aa46-44a9950d210f",
"indicator--57455119-880c-48af-a815-4de3950d210f",
"indicator--5745511a-9328-4035-85c8-456f950d210f",
"indicator--5745511a-e1e4-4728-8b1a-441b950d210f",
"indicator--5745511a-1828-434d-bfbe-40fa950d210f",
"indicator--5745511b-5548-434d-a276-4bb1950d210f",
"observed-data--5745513e-e4c4-429d-98fb-40f5950d210f",
"url--5745513e-e4c4-429d-98fb-40f5950d210f",
"observed-data--5745513f-68ac-4629-9b82-480d950d210f",
"url--5745513f-68ac-4629-9b82-480d950d210f",
"observed-data--5745513f-79fc-4aa8-a5e4-48bf950d210f",
"url--5745513f-79fc-4aa8-a5e4-48bf950d210f",
"observed-data--5745513f-98a4-4b12-a221-4f50950d210f",
"url--5745513f-98a4-4b12-a221-4f50950d210f",
"observed-data--57455140-3e14-4530-a551-4326950d210f",
"url--57455140-3e14-4530-a551-4326950d210f",
"observed-data--57455140-79a4-4aaf-a4e3-4882950d210f",
"url--57455140-79a4-4aaf-a4e3-4882950d210f",
"observed-data--57455182-0280-4cee-8e2e-4bbb950d210f",
"mutex--57455182-0280-4cee-8e2e-4bbb950d210f",
"indicator--5745559b-6988-419d-aa75-4c9302de0b81",
"indicator--5745559b-b154-4998-98af-425f02de0b81",
"observed-data--5745559b-948c-4fe7-9404-4ef902de0b81",
"url--5745559b-948c-4fe7-9404-4ef902de0b81",
"indicator--5745559b-e91c-488c-82cb-479a02de0b81",
"indicator--5745559c-6bac-4960-9e47-445402de0b81",
"observed-data--5745559c-cffc-4030-b815-486102de0b81",
"url--5745559c-cffc-4030-b815-486102de0b81",
"indicator--5745559c-c63c-45ac-9f98-43a702de0b81",
"indicator--5745559c-4324-4a68-ae68-422f02de0b81",
"observed-data--5745559c-2db8-4f32-af0f-498c02de0b81",
"url--5745559c-2db8-4f32-af0f-498c02de0b81",
"indicator--5745559d-dba8-4c1b-9fdc-49db02de0b81",
"indicator--5745559d-9b54-46fc-b82c-44c202de0b81",
"observed-data--5745559d-5274-4cd4-992a-4d6402de0b81",
"url--5745559d-5274-4cd4-992a-4d6402de0b81",
"indicator--5745559d-0054-4721-a70e-4d3502de0b81",
"indicator--5745559d-5e58-4eaa-bc9b-4d3a02de0b81",
"observed-data--5745559e-fcb4-4847-a533-419402de0b81",
"url--5745559e-fcb4-4847-a533-419402de0b81",
"indicator--5745559e-c110-4754-af54-43a302de0b81",
"indicator--5745559e-f960-43d3-974a-410702de0b81",
"observed-data--5745559e-b6b0-419c-b1fc-469f02de0b81",
"url--5745559e-b6b0-419c-b1fc-469f02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57455077-0144-41d3-b61f-4420950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:12:55.000Z",
|
||
|
"modified": "2016-05-25T07:12:55.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = 'da3261c332e72e4c1641ca0de439af280e064b224d950817a11922a8078b11f1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-25T07:12:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57455077-e4e8-46e7-8528-4fe1950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:12:55.000Z",
|
||
|
"modified": "2016-05-25T07:12:55.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '930772d6af8f43f62ea78092914fa8d6b03e8e3360dd4678eec1a3dda17206ed']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-25T07:12:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57455078-6e98-4713-ae9a-4370950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:12:56.000Z",
|
||
|
"modified": "2016-05-25T07:12:56.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '6852ba95720af64809995e04f4818517ca1bd650bc42ea86d9adfdb018d6b274']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-25T07:12:56Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57455078-5aa8-4a30-9f3e-48ee950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:12:56.000Z",
|
||
|
"modified": "2016-05-25T07:12:56.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '9200f80c08b21ebae065141f0367f9c88f8fed896b0b4af9ec30fc98c606129b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-25T07:12:56Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57455078-7a08-49da-a316-463f950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:12:56.000Z",
|
||
|
"modified": "2016-05-25T07:12:56.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '4d62caef1ca8f4f9aead7823c95228a52852a1145ca6aaa58ad8493e042aed16']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-25T07:12:56Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57455079-8b60-418f-8579-4b4c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:12:57.000Z",
|
||
|
"modified": "2016-05-25T07:12:57.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '1b341dab023de64598d80456349db146aafe9b9e2ec24490c7d0ac881cecc094']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-25T07:12:57Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57455079-d494-4a47-9489-48a9950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:12:57.000Z",
|
||
|
"modified": "2016-05-25T07:12:57.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '456fffc256422ad667ca023d694494881baed1496a3067485d56ecc8fefbfaeb']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-25T07:12:57Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57455119-805c-49dd-b728-4394950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:15:37.000Z",
|
||
|
"modified": "2016-05-25T07:15:37.000Z",
|
||
|
"description": "DNS exfiltration",
|
||
|
"pattern": "[domain-name:value = 'ns1.logitech-usa.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-25T07:15:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57455119-2dcc-40d1-aa46-44a9950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:15:37.000Z",
|
||
|
"modified": "2016-05-25T07:15:37.000Z",
|
||
|
"description": "Delivery of the initial file",
|
||
|
"pattern": "[domain-name:value = 'globalprint-us.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-25T07:15:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57455119-880c-48af-a815-4de3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:15:37.000Z",
|
||
|
"modified": "2016-05-25T07:15:37.000Z",
|
||
|
"description": "Imported via the Freetext Import Tool",
|
||
|
"pattern": "[domain-name:value = 'intranetwabcam.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-25T07:15:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5745511a-9328-4035-85c8-456f950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:15:38.000Z",
|
||
|
"modified": "2016-05-25T07:15:38.000Z",
|
||
|
"description": "Imported via the Freetext Import Tool",
|
||
|
"pattern": "[domain-name:value = 'login.access-mail.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-25T07:15:38Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5745511a-e1e4-4728-8b1a-441b950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:15:38.000Z",
|
||
|
"modified": "2016-05-25T07:15:38.000Z",
|
||
|
"description": "Imported via the Freetext Import Tool",
|
||
|
"pattern": "[domain-name:value = 'glb.it-desktop.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-25T07:15:38Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5745511a-1828-434d-bfbe-40fa950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:15:38.000Z",
|
||
|
"modified": "2016-05-25T07:15:38.000Z",
|
||
|
"description": "Imported via the Freetext Import Tool",
|
||
|
"pattern": "[domain-name:value = 'local.it-desktop.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-25T07:15:38Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5745511b-5548-434d-a276-4bb1950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:15:39.000Z",
|
||
|
"modified": "2016-05-25T07:15:39.000Z",
|
||
|
"description": "Imported via the Freetext Import Tool",
|
||
|
"pattern": "[domain-name:value = 'hi.getgo2.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-25T07:15:39Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5745513e-e4c4-429d-98fb-40f5950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:16:14.000Z",
|
||
|
"modified": "2016-05-25T07:16:14.000Z",
|
||
|
"first_observed": "2016-05-25T07:16:14Z",
|
||
|
"last_observed": "2016-05-25T07:16:14Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5745513e-e4c4-429d-98fb-40f5950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5745513e-e4c4-429d-98fb-40f5950d210f",
|
||
|
"value": "https://blog.anomali.com/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5745513f-68ac-4629-9b82-480d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:16:15.000Z",
|
||
|
"modified": "2016-05-25T07:16:15.000Z",
|
||
|
"first_observed": "2016-05-25T07:16:15Z",
|
||
|
"last_observed": "2016-05-25T07:16:15Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5745513f-68ac-4629-9b82-480d950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5745513f-68ac-4629-9b82-480d950d210f",
|
||
|
"value": "http://www.volexity.com/blog/?p=158"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5745513f-79fc-4aa8-a5e4-48bf950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:16:15.000Z",
|
||
|
"modified": "2016-05-25T07:16:15.000Z",
|
||
|
"first_observed": "2016-05-25T07:16:15Z",
|
||
|
"last_observed": "2016-05-25T07:16:15Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5745513f-79fc-4aa8-a5e4-48bf950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5745513f-79fc-4aa8-a5e4-48bf950d210f",
|
||
|
"value": "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5745513f-98a4-4b12-a221-4f50950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:16:15.000Z",
|
||
|
"modified": "2016-05-25T07:16:15.000Z",
|
||
|
"first_observed": "2016-05-25T07:16:15Z",
|
||
|
"last_observed": "2016-05-25T07:16:15Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5745513f-98a4-4b12-a221-4f50950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5745513f-98a4-4b12-a221-4f50950d210f",
|
||
|
"value": "https://www.zscaler.com/blogs/research/chinese-cyber-espionage-apt-group-leveraging-recently-leaked-hacking-team-exploits-target-financial-services-firm"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--57455140-3e14-4530-a551-4326950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:16:16.000Z",
|
||
|
"modified": "2016-05-25T07:16:16.000Z",
|
||
|
"first_observed": "2016-05-25T07:16:16Z",
|
||
|
"last_observed": "2016-05-25T07:16:16Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--57455140-3e14-4530-a551-4326950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--57455140-3e14-4530-a551-4326950d210f",
|
||
|
"value": "https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--57455140-79a4-4aaf-a4e3-4882950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:16:16.000Z",
|
||
|
"modified": "2016-05-25T07:16:16.000Z",
|
||
|
"first_observed": "2016-05-25T07:16:16Z",
|
||
|
"last_observed": "2016-05-25T07:16:16Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--57455140-79a4-4aaf-a4e3-4882950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--57455140-79a4-4aaf-a4e3-4882950d210f",
|
||
|
"value": "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--57455182-0280-4cee-8e2e-4bbb950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:17:22.000Z",
|
||
|
"modified": "2016-05-25T07:17:22.000Z",
|
||
|
"first_observed": "2016-05-25T07:17:22Z",
|
||
|
"last_observed": "2016-05-25T07:17:22Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"mutex--57455182-0280-4cee-8e2e-4bbb950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"mutex\"",
|
||
|
"misp:category=\"Artifacts dropped\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "mutex",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "mutex--57455182-0280-4cee-8e2e-4bbb950d210f",
|
||
|
"name": ")!VoqA.I5"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5745559b-6988-419d-aa75-4c9302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:34:51.000Z",
|
||
|
"modified": "2016-05-25T07:34:51.000Z",
|
||
|
"description": "- Xchecked via VT: 456fffc256422ad667ca023d694494881baed1496a3067485d56ecc8fefbfaeb",
|
||
|
"pattern": "[file:hashes.SHA1 = '0d620c1c7e64a20a2918c0ec92260afc2716fd17']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-25T07:34:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5745559b-b154-4998-98af-425f02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:34:51.000Z",
|
||
|
"modified": "2016-05-25T07:34:51.000Z",
|
||
|
"description": "- Xchecked via VT: 456fffc256422ad667ca023d694494881baed1496a3067485d56ecc8fefbfaeb",
|
||
|
"pattern": "[file:hashes.MD5 = '07b9b62fb3b1c068837c188fefbd5de9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-25T07:34:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5745559b-948c-4fe7-9404-4ef902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:34:51.000Z",
|
||
|
"modified": "2016-05-25T07:34:51.000Z",
|
||
|
"first_observed": "2016-05-25T07:34:51Z",
|
||
|
"last_observed": "2016-05-25T07:34:51Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5745559b-948c-4fe7-9404-4ef902de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5745559b-948c-4fe7-9404-4ef902de0b81",
|
||
|
"value": "https://www.virustotal.com/file/456fffc256422ad667ca023d694494881baed1496a3067485d56ecc8fefbfaeb/analysis/1463822200/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5745559b-e91c-488c-82cb-479a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:34:51.000Z",
|
||
|
"modified": "2016-05-25T07:34:51.000Z",
|
||
|
"description": "- Xchecked via VT: 1b341dab023de64598d80456349db146aafe9b9e2ec24490c7d0ac881cecc094",
|
||
|
"pattern": "[file:hashes.SHA1 = '459d35058d4a5c8ca84638a5ea8fcbc2d4e0c772']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-25T07:34:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5745559c-6bac-4960-9e47-445402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:34:52.000Z",
|
||
|
"modified": "2016-05-25T07:34:52.000Z",
|
||
|
"description": "- Xchecked via VT: 1b341dab023de64598d80456349db146aafe9b9e2ec24490c7d0ac881cecc094",
|
||
|
"pattern": "[file:hashes.MD5 = 'e5414c5215c9305feeebbe0dbee43567']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-25T07:34:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5745559c-cffc-4030-b815-486102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:34:52.000Z",
|
||
|
"modified": "2016-05-25T07:34:52.000Z",
|
||
|
"first_observed": "2016-05-25T07:34:52Z",
|
||
|
"last_observed": "2016-05-25T07:34:52Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5745559c-cffc-4030-b815-486102de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5745559c-cffc-4030-b815-486102de0b81",
|
||
|
"value": "https://www.virustotal.com/file/1b341dab023de64598d80456349db146aafe9b9e2ec24490c7d0ac881cecc094/analysis/1445829715/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5745559c-c63c-45ac-9f98-43a702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:34:52.000Z",
|
||
|
"modified": "2016-05-25T07:34:52.000Z",
|
||
|
"description": "- Xchecked via VT: 4d62caef1ca8f4f9aead7823c95228a52852a1145ca6aaa58ad8493e042aed16",
|
||
|
"pattern": "[file:hashes.SHA1 = '326b5dfa775f7479862c8896e1906ba95e530f9b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-25T07:34:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5745559c-4324-4a68-ae68-422f02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:34:52.000Z",
|
||
|
"modified": "2016-05-25T07:34:52.000Z",
|
||
|
"description": "- Xchecked via VT: 4d62caef1ca8f4f9aead7823c95228a52852a1145ca6aaa58ad8493e042aed16",
|
||
|
"pattern": "[file:hashes.MD5 = 'd0f79de7bd194c1843e7411c473e4288']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-25T07:34:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5745559c-2db8-4f32-af0f-498c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:34:52.000Z",
|
||
|
"modified": "2016-05-25T07:34:52.000Z",
|
||
|
"first_observed": "2016-05-25T07:34:52Z",
|
||
|
"last_observed": "2016-05-25T07:34:52Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5745559c-2db8-4f32-af0f-498c02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5745559c-2db8-4f32-af0f-498c02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/4d62caef1ca8f4f9aead7823c95228a52852a1145ca6aaa58ad8493e042aed16/analysis/1445828993/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5745559d-dba8-4c1b-9fdc-49db02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:34:53.000Z",
|
||
|
"modified": "2016-05-25T07:34:53.000Z",
|
||
|
"description": "- Xchecked via VT: 9200f80c08b21ebae065141f0367f9c88f8fed896b0b4af9ec30fc98c606129b",
|
||
|
"pattern": "[file:hashes.SHA1 = '0e989a0867d6385ed0eda780a86a9229ac5b809e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-25T07:34:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5745559d-9b54-46fc-b82c-44c202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:34:53.000Z",
|
||
|
"modified": "2016-05-25T07:34:53.000Z",
|
||
|
"description": "- Xchecked via VT: 9200f80c08b21ebae065141f0367f9c88f8fed896b0b4af9ec30fc98c606129b",
|
||
|
"pattern": "[file:hashes.MD5 = '985eba97e12c3e5bce9221631fb66d68']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-25T07:34:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload installation"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload installation\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5745559d-5274-4cd4-992a-4d6402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-25T07:34:53.000Z",
|
||
|
"modified": "2016-05-25T07:34:53.000Z",
|
||
|
"first_observed": "2016-05-25T07:34:53Z",
|
||
|
"last_observed": "2016-05-25T07:34:53Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5745559d-5274-4cd4-992a-4d6402de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5745559d-5274-4cd4-992a-4d6402de0b81",
"value": "https://www.virustotal.com/file/9200f80c08b21ebae065141f0367f9c88f8fed896b0b4af9ec30fc98c606129b/analysis/1437393001/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5745559d-0054-4721-a70e-4d3502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-25T07:34:53.000Z",
"modified": "2016-05-25T07:34:53.000Z",
"description": "- Xchecked via VT: 6852ba95720af64809995e04f4818517ca1bd650bc42ea86d9adfdb018d6b274",
"pattern": "[file:hashes.SHA1 = '1c581a09963109fc526a71adc5cde8e6c89ce615']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-25T07:34:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5745559d-5e58-4eaa-bc9b-4d3a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-25T07:34:53.000Z",
"modified": "2016-05-25T07:34:53.000Z",
"description": "- Xchecked via VT: 6852ba95720af64809995e04f4818517ca1bd650bc42ea86d9adfdb018d6b274",
"pattern": "[file:hashes.MD5 = '7b24d17e5f29e27b1c17127839be591a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-25T07:34:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5745559e-fcb4-4847-a533-419402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-25T07:34:54.000Z",
"modified": "2016-05-25T07:34:54.000Z",
"first_observed": "2016-05-25T07:34:54Z",
"last_observed": "2016-05-25T07:34:54Z",
"number_observed": 1,
"object_refs": [
"url--5745559e-fcb4-4847-a533-419402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5745559e-fcb4-4847-a533-419402de0b81",
"value": "https://www.virustotal.com/file/6852ba95720af64809995e04f4818517ca1bd650bc42ea86d9adfdb018d6b274/analysis/1447119998/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5745559e-c110-4754-af54-43a302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-25T07:34:54.000Z",
"modified": "2016-05-25T07:34:54.000Z",
"description": "- Xchecked via VT: da3261c332e72e4c1641ca0de439af280e064b224d950817a11922a8078b11f1",
"pattern": "[file:hashes.SHA1 = 'c6db4ddc514869a41272abba5e10de70b888476a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-25T07:34:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5745559e-f960-43d3-974a-410702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-25T07:34:54.000Z",
"modified": "2016-05-25T07:34:54.000Z",
"description": "- Xchecked via VT: da3261c332e72e4c1641ca0de439af280e064b224d950817a11922a8078b11f1",
"pattern": "[file:hashes.MD5 = 'e8d58aa76dd97536ac225949a2767e05']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-25T07:34:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5745559e-b6b0-419c-b1fc-469f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-25T07:34:54.000Z",
"modified": "2016-05-25T07:34:54.000Z",
"first_observed": "2016-05-25T07:34:54Z",
"last_observed": "2016-05-25T07:34:54Z",
"number_observed": 1,
"object_refs": [
"url--5745559e-b6b0-419c-b1fc-469f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5745559e-b6b0-419c-b1fc-469f02de0b81",
"value": "https://www.virustotal.com/file/da3261c332e72e4c1641ca0de439af280e064b224d950817a11922a8078b11f1/analysis/1462960470/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}