959 lines
41 KiB
JSON
959 lines
41 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--57931fd5-3c78-4dab-b1e9-4cc302de0b81",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:47:22.000Z",
|
||
|
"modified": "2016-07-23T07:47:22.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--57931fd5-3c78-4dab-b1e9-4cc302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:47:22.000Z",
|
||
|
"modified": "2016-07-23T07:47:22.000Z",
|
||
|
"name": "OSINT - Kovter becomes almost file-less, creates a new file type, and gets some new certificates",
|
||
|
"published": "2016-07-23T07:47:38Z",
|
||
|
"object_refs": [
|
||
|
"indicator--5793200d-b68c-41b3-8296-4d1f02de0b81",
|
||
|
"indicator--5793200d-14b8-4146-b84d-45af02de0b81",
|
||
|
"indicator--5793200d-7c40-41b6-9fed-4fce02de0b81",
|
||
|
"indicator--5793200e-cf2c-40e7-8523-479f02de0b81",
|
||
|
"indicator--5793200e-2cf0-427d-8982-4a6402de0b81",
|
||
|
"indicator--5793200e-eefc-4fcb-85c9-4f9002de0b81",
|
||
|
"indicator--5793200e-f2f0-434f-ad2a-490e02de0b81",
|
||
|
"indicator--5793200e-cab8-4f3e-864d-4e5102de0b81",
|
||
|
"indicator--5793203d-0d10-4cdd-a2dd-404102de0b81",
|
||
|
"indicator--5793203d-c6a4-4753-b3ea-4de602de0b81",
|
||
|
"indicator--5793203e-17b8-4118-93e8-435e02de0b81",
|
||
|
"indicator--5793203e-ccf8-4d8f-a7a5-487f02de0b81",
|
||
|
"indicator--5793203e-1ef8-4134-82f2-4e3402de0b81",
|
||
|
"indicator--5793203e-ad0c-4952-addf-423c02de0b81",
|
||
|
"indicator--5793203f-1bb4-43cd-b5f4-4ca002de0b81",
|
||
|
"indicator--57932073-e494-4aa4-aadb-4db602de0b81",
|
||
|
"indicator--57932073-86d0-423f-a8d6-4ff202de0b81",
|
||
|
"indicator--57932074-9d0c-49a4-bd99-45eb02de0b81",
|
||
|
"indicator--57932074-f678-4467-a322-4f3d02de0b81",
|
||
|
"indicator--57932074-c224-4667-9752-435202de0b81",
|
||
|
"indicator--57932074-32e4-44bb-b8ed-4b5602de0b81",
|
||
|
"indicator--57932074-8868-4798-83d1-4c9002de0b81",
|
||
|
"indicator--57932095-f574-45fd-b1f6-4b9d02de0b81",
|
||
|
"indicator--57932095-ad7c-4efc-ba28-407d02de0b81",
|
||
|
"observed-data--57932095-6dc8-42f4-b071-400e02de0b81",
|
||
|
"url--57932095-6dc8-42f4-b071-400e02de0b81",
|
||
|
"indicator--57932096-c044-4f67-a760-485a02de0b81",
|
||
|
"indicator--57932096-bfe4-4010-8f08-43ec02de0b81",
|
||
|
"observed-data--57932096-7a0c-4d72-a7cd-482e02de0b81",
|
||
|
"url--57932096-7a0c-4d72-a7cd-482e02de0b81",
|
||
|
"indicator--57932096-2970-4903-bf44-4c3a02de0b81",
|
||
|
"indicator--57932096-32a4-433b-a558-4f1d02de0b81",
|
||
|
"observed-data--57932097-6b24-4988-9716-48c302de0b81",
|
||
|
"url--57932097-6b24-4988-9716-48c302de0b81",
|
||
|
"indicator--57932097-ef18-48e3-ae1c-48ff02de0b81",
|
||
|
"indicator--57932097-bf8c-48cd-b559-4a7302de0b81",
|
||
|
"observed-data--57932097-2e98-428f-9354-4e4c02de0b81",
|
||
|
"url--57932097-2e98-428f-9354-4e4c02de0b81",
|
||
|
"observed-data--579320af-d86c-4d75-bf38-42de02de0b81",
|
||
|
"url--579320af-d86c-4d75-bf38-42de02de0b81",
|
||
|
"x-misp-attribute--579320ce-a6bc-4bbc-8cf4-4d2902de0b81",
|
||
|
"x-misp-attribute--5793210a-2368-429a-992f-431f02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"type:OSINT",
|
||
|
"circl:incident-classification=\"malware\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5793200d-b68c-41b3-8296-4d1f02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:43:09.000Z",
|
||
|
"modified": "2016-07-23T07:43:09.000Z",
|
||
|
"description": "We have seen Kovter downloaded from a large list of URLs, including",
|
||
|
"pattern": "[url:value = 'https://eepheverseoftheday.org/2811826639187/2811826639187/146819749948281/FlashPlayer.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:43:09Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5793200d-14b8-4146-b84d-45af02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:43:09.000Z",
|
||
|
"modified": "2016-07-23T07:43:09.000Z",
|
||
|
"description": "We have seen Kovter downloaded from a large list of URLs, including",
|
||
|
"pattern": "[url:value = 'https://deequglutenfreeclub.org/8961166952189/8961166952189/146809673281840/FlashPlayer.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:43:09Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5793200d-7c40-41b6-9fed-4fce02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:43:09.000Z",
|
||
|
"modified": "2016-07-23T07:43:09.000Z",
|
||
|
"description": "We have seen Kovter downloaded from a large list of URLs, including",
|
||
|
"pattern": "[url:value = 'https://zaixovinmonopolet.net/5261173544131/5261173544131/146785099939564/FlashPlayer.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:43:09Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5793200e-cf2c-40e7-8523-479f02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:43:10.000Z",
|
||
|
"modified": "2016-07-23T07:43:10.000Z",
|
||
|
"description": "We have seen Kovter downloaded from a large list of URLs, including",
|
||
|
"pattern": "[url:value = 'https://feehacitysocialising.net/7561659755159/1468089713424429/firefox-patch.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:43:10Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5793200e-2cf0-427d-8982-4a6402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:43:10.000Z",
|
||
|
"modified": "2016-07-23T07:43:10.000Z",
|
||
|
"description": "We have seen Kovter downloaded from a large list of URLs, including",
|
||
|
"pattern": "[url:value = 'https://eepheverseoftheday.org/1851760268603/1851760268603/1468192094476645/firefox-patch.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:43:10Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5793200e-eefc-4fcb-85c9-4f9002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:43:10.000Z",
|
||
|
"modified": "2016-07-23T07:43:10.000Z",
|
||
|
"description": "We have seen Kovter downloaded from a large list of URLs, including",
|
||
|
"pattern": "[url:value = 'https://uchuhfsbox.net/8031143191240/8031143191240/1467996389305283/firefox-patch.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:43:10Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5793200e-f2f0-434f-ad2a-490e02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:43:10.000Z",
|
||
|
"modified": "2016-07-23T07:43:10.000Z",
|
||
|
"description": "We have seen Kovter downloaded from a large list of URLs, including",
|
||
|
"pattern": "[url:value = 'https://ierairosihanari.org/1461656983266/1461656983266/1467987174641688/firefox-patch.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:43:10Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5793200e-cab8-4f3e-864d-4e5102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:43:10.000Z",
|
||
|
"modified": "2016-07-23T07:43:10.000Z",
|
||
|
"description": "We have seen Kovter downloaded from a large list of URLs, including",
|
||
|
"pattern": "[url:value = 'https://anayimovilyeuros.net/7601143032510/7601143032510/1465468888898207/chrome-patch.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:43:10Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5793203d-0d10-4cdd-a2dd-404102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:43:57.000Z",
|
||
|
"modified": "2016-07-23T07:43:57.000Z",
|
||
|
"description": "Kovter has also rotated through a series of new digital certificates, including the following",
|
||
|
"pattern": "[x509-certificate:hashes.SHA1 = '7e93cc85ed87ddfb31ac84154f28ae9d6bee0116']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:43:57Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"x509-fingerprint-sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5793203d-c6a4-4753-b3ea-4de602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:43:57.000Z",
|
||
|
"modified": "2016-07-23T07:43:57.000Z",
|
||
|
"description": "Kovter has also rotated through a series of new digital certificates, including the following",
|
||
|
"pattern": "[x509-certificate:hashes.SHA1 = '78d98ccccc41e0dea1791d24595c2e90f796fd48']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:43:57Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"x509-fingerprint-sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5793203e-17b8-4118-93e8-435e02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:43:58.000Z",
|
||
|
"modified": "2016-07-23T07:43:58.000Z",
|
||
|
"description": "Kovter has also rotated through a series of new digital certificates, including the following",
|
||
|
"pattern": "[x509-certificate:hashes.SHA1 = 'c6305ea8aba8b095d31a7798f957d9c91fc17cf6']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:43:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"x509-fingerprint-sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5793203e-ccf8-4d8f-a7a5-487f02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:43:58.000Z",
|
||
|
"modified": "2016-07-23T07:43:58.000Z",
|
||
|
"description": "Kovter has also rotated through a series of new digital certificates, including the following",
|
||
|
"pattern": "[x509-certificate:hashes.SHA1 = 'b780af39e1bf684b7d2579edfff4ed26519b05f6']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:43:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"x509-fingerprint-sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5793203e-1ef8-4134-82f2-4e3402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:43:58.000Z",
|
||
|
"modified": "2016-07-23T07:43:58.000Z",
|
||
|
"description": "Kovter has also rotated through a series of new digital certificates, including the following",
|
||
|
"pattern": "[x509-certificate:hashes.SHA1 = 'a286affc5f6e92bdc93374646676ebc49e21bcae']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:43:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"x509-fingerprint-sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5793203e-ad0c-4952-addf-423c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:43:58.000Z",
|
||
|
"modified": "2016-07-23T07:43:58.000Z",
|
||
|
"description": "Kovter has also rotated through a series of new digital certificates, including the following",
|
||
|
"pattern": "[x509-certificate:hashes.SHA1 = 'ac4325c9837cd8fa72d6bcaf4b00186957713414']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:43:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"x509-fingerprint-sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5793203f-1bb4-43cd-b5f4-4ca002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:43:59.000Z",
|
||
|
"modified": "2016-07-23T07:43:59.000Z",
|
||
|
"description": "Kovter has also rotated through a series of new digital certificates, including the following",
|
||
|
"pattern": "[x509-certificate:hashes.SHA1 = 'ce75af3b8be1ecef9d0eb51f2f3281b846add3fc']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:43:59Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"x509-fingerprint-sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57932073-e494-4aa4-aadb-4db602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:44:51.000Z",
|
||
|
"modified": "2016-07-23T07:44:51.000Z",
|
||
|
"description": "Kovter SHA1",
|
||
|
"pattern": "[file:hashes.SHA1 = '7177811e2f7be8db2a7d9b1f690dc9e764fdc8a2']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:44:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57932073-86d0-423f-a8d6-4ff202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:44:51.000Z",
|
||
|
"modified": "2016-07-23T07:44:51.000Z",
|
||
|
"description": "Kovter SHA1",
|
||
|
"pattern": "[file:hashes.SHA1 = 'da3261ceff37a56797b47b998dafe6e0376f8446']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:44:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57932074-9d0c-49a4-bd99-45eb02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:44:52.000Z",
|
||
|
"modified": "2016-07-23T07:44:52.000Z",
|
||
|
"description": "Kovter SHA1",
|
||
|
"pattern": "[file:hashes.SHA1 = 'c3f3ecf24b6d39b0e4ff51af31002f3d37677476']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:44:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57932074-f678-4467-a322-4f3d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:44:52.000Z",
|
||
|
"modified": "2016-07-23T07:44:52.000Z",
|
||
|
"description": "Kovter SHA1",
|
||
|
"pattern": "[file:hashes.SHA1 = 'c49febe1e240e47364a649b4cd19e37bb14534d0']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:44:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57932074-c224-4667-9752-435202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:44:52.000Z",
|
||
|
"modified": "2016-07-23T07:44:52.000Z",
|
||
|
"description": "Kovter SHA1",
|
||
|
"pattern": "[file:hashes.SHA1 = '3689ff2ef2aceb9dc0877b38edf5cb4e1bd86f39']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:44:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57932074-32e4-44bb-b8ed-4b5602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:44:52.000Z",
|
||
|
"modified": "2016-07-23T07:44:52.000Z",
|
||
|
"description": "Kovter SHA1",
|
||
|
"pattern": "[file:hashes.SHA1 = 'e428de0899cb13de47ac16618a53c5831337c5e6']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:44:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57932074-8868-4798-83d1-4c9002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:44:52.000Z",
|
||
|
"modified": "2016-07-23T07:44:52.000Z",
|
||
|
"description": "Kovter SHA1",
|
||
|
"pattern": "[file:hashes.SHA1 = 'b8cace9f517bad05d8dc89d7f76f79aae8717a24']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:44:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57932095-f574-45fd-b1f6-4b9d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:45:25.000Z",
|
||
|
"modified": "2016-07-23T07:45:25.000Z",
|
||
|
"description": "Kovter SHA1 - Xchecked via VT: c3f3ecf24b6d39b0e4ff51af31002f3d37677476",
|
||
|
"pattern": "[file:hashes.SHA256 = 'cd7a7ef59534293d8f059fef4ebd2cacf5dc3f598c2a34ae1bf9b952f9b022a0']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:45:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57932095-ad7c-4efc-ba28-407d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:45:25.000Z",
|
||
|
"modified": "2016-07-23T07:45:25.000Z",
|
||
|
"description": "Kovter SHA1 - Xchecked via VT: c3f3ecf24b6d39b0e4ff51af31002f3d37677476",
|
||
|
"pattern": "[file:hashes.MD5 = '7df17844ee9f36c35629c54646953445']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:45:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--57932095-6dc8-42f4-b071-400e02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:45:25.000Z",
|
||
|
"modified": "2016-07-23T07:45:25.000Z",
|
||
|
"first_observed": "2016-07-23T07:45:25Z",
|
||
|
"last_observed": "2016-07-23T07:45:25Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--57932095-6dc8-42f4-b071-400e02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--57932095-6dc8-42f4-b071-400e02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/cd7a7ef59534293d8f059fef4ebd2cacf5dc3f598c2a34ae1bf9b952f9b022a0/analysis/1468240910/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57932096-c044-4f67-a760-485a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:45:26.000Z",
|
||
|
"modified": "2016-07-23T07:45:26.000Z",
|
||
|
"description": "Kovter SHA1 - Xchecked via VT: 3689ff2ef2aceb9dc0877b38edf5cb4e1bd86f39",
|
||
|
"pattern": "[file:hashes.SHA256 = '3bc1d770a7ecc99c014739e7db3b0ed6cf8f0063e593e0f501df701c85ce6e22']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:45:26Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57932096-bfe4-4010-8f08-43ec02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:45:26.000Z",
|
||
|
"modified": "2016-07-23T07:45:26.000Z",
|
||
|
"description": "Kovter SHA1 - Xchecked via VT: 3689ff2ef2aceb9dc0877b38edf5cb4e1bd86f39",
|
||
|
"pattern": "[file:hashes.MD5 = '4167da9574e5e334205f5be8b9181aab']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:45:26Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--57932096-7a0c-4d72-a7cd-482e02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:45:26.000Z",
|
||
|
"modified": "2016-07-23T07:45:26.000Z",
|
||
|
"first_observed": "2016-07-23T07:45:26Z",
|
||
|
"last_observed": "2016-07-23T07:45:26Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--57932096-7a0c-4d72-a7cd-482e02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--57932096-7a0c-4d72-a7cd-482e02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/3bc1d770a7ecc99c014739e7db3b0ed6cf8f0063e593e0f501df701c85ce6e22/analysis/1466283391/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57932096-2970-4903-bf44-4c3a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:45:26.000Z",
|
||
|
"modified": "2016-07-23T07:45:26.000Z",
|
||
|
"description": "Kovter SHA1 - Xchecked via VT: c49febe1e240e47364a649b4cd19e37bb14534d0",
|
||
|
"pattern": "[file:hashes.SHA256 = '45b2ceb2ed61d75156a001d7c1aa64f5d3f71c188c433c085f2d2383543d24bf']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:45:26Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57932096-32a4-433b-a558-4f1d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:45:26.000Z",
|
||
|
"modified": "2016-07-23T07:45:26.000Z",
|
||
|
"description": "Kovter SHA1 - Xchecked via VT: c49febe1e240e47364a649b4cd19e37bb14534d0",
|
||
|
"pattern": "[file:hashes.MD5 = '5d908526f1a84e96ce00f5bb1e093ede']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:45:26Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--57932097-6b24-4988-9716-48c302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:45:27.000Z",
|
||
|
"modified": "2016-07-23T07:45:27.000Z",
|
||
|
"first_observed": "2016-07-23T07:45:27Z",
|
||
|
"last_observed": "2016-07-23T07:45:27Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--57932097-6b24-4988-9716-48c302de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--57932097-6b24-4988-9716-48c302de0b81",
|
||
|
"value": "https://www.virustotal.com/file/45b2ceb2ed61d75156a001d7c1aa64f5d3f71c188c433c085f2d2383543d24bf/analysis/1463744476/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57932097-ef18-48e3-ae1c-48ff02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:45:27.000Z",
|
||
|
"modified": "2016-07-23T07:45:27.000Z",
|
||
|
"description": "Kovter SHA1 - Xchecked via VT: e428de0899cb13de47ac16618a53c5831337c5e6",
|
||
|
"pattern": "[file:hashes.SHA256 = '744c3eba00f668e5e766ff6268b73c419b204fc51fe48fd1f75359c528d5681b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:45:27Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57932097-bf8c-48cd-b559-4a7302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:45:27.000Z",
|
||
|
"modified": "2016-07-23T07:45:27.000Z",
|
||
|
"description": "Kovter SHA1 - Xchecked via VT: e428de0899cb13de47ac16618a53c5831337c5e6",
|
||
|
"pattern": "[file:hashes.MD5 = '1885e38dce5d58cf8e7436256e019065']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-07-23T07:45:27Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--57932097-2e98-428f-9354-4e4c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:45:27.000Z",
|
||
|
"modified": "2016-07-23T07:45:27.000Z",
|
||
|
"first_observed": "2016-07-23T07:45:27Z",
|
||
|
"last_observed": "2016-07-23T07:45:27Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--57932097-2e98-428f-9354-4e4c02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--57932097-2e98-428f-9354-4e4c02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/744c3eba00f668e5e766ff6268b73c419b204fc51fe48fd1f75359c528d5681b/analysis/1464087978/"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--579320af-d86c-4d75-bf38-42de02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:45:51.000Z",
|
||
|
"modified": "2016-07-23T07:45:51.000Z",
|
||
|
"first_observed": "2016-07-23T07:45:51Z",
|
||
|
"last_observed": "2016-07-23T07:45:51Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--579320af-d86c-4d75-bf38-42de02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--579320af-d86c-4d75-bf38-42de02de0b81",
|
||
|
"value": "https://blogs.technet.microsoft.com/mmpc/2016/07/22/kovter-becomes-almost-file-less-creates-a-new-file-type-and-gets-some-new-certificates/"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--579320ce-a6bc-4bbc-8cf4-4d2902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:46:22.000Z",
|
||
|
"modified": "2016-07-23T07:46:22.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "Trojan:Win32/Kovter is a well-known click-fraud malware which is challenging to detect and remove because of its file-less persistence on infected PCs. In this blog, we will share some technical details about the latest changes we have seen in Kovter\u00e2\u20ac\u2122s persistence method and some updates on their latest malvertising campaigns.\r\n\r\nNew persistence method\r\nSince June 2016, Kovter has changed their persistence method to make remediation harder for antivirus software."
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5793210a-2368-429a-992f-431f02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-07-23T07:47:22.000Z",
|
||
|
"modified": "2016-07-23T07:47:22.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"Antivirus detection\""
|
||
|
],
|
||
|
"x_misp_category": "Antivirus detection",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "Trojan:Win32/Kovter"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|