2862 lines
121 KiB
JSON
2862 lines
121 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--5819948b-b170-4872-b8f6-5934950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:01.000Z",
|
||
|
"modified": "2016-11-02T08:00:01.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--5819948b-b170-4872-b8f6-5934950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:01.000Z",
|
||
|
"modified": "2016-11-02T08:00:01.000Z",
|
||
|
"name": "OSINT - Flying Dragon Eye: Uyghur Themed Threat Activity",
|
||
|
"published": "2016-11-02T08:03:19Z",
|
||
|
"object_refs": [
|
||
|
"x-misp-attribute--581994d6-aa60-461d-9870-5930950d210f",
|
||
|
"observed-data--58199523-6178-43d6-8b1f-592e950d210f",
|
||
|
"url--58199523-6178-43d6-8b1f-592e950d210f",
|
||
|
"observed-data--58199523-0100-4667-81dc-592e950d210f",
|
||
|
"url--58199523-0100-4667-81dc-592e950d210f",
|
||
|
"observed-data--58199523-3db4-4c81-b411-592e950d210f",
|
||
|
"url--58199523-3db4-4c81-b411-592e950d210f",
|
||
|
"indicator--58199662-6d4c-4bf8-9d4e-69a2950d210f",
|
||
|
"indicator--58199662-0a20-4530-8464-69a2950d210f",
|
||
|
"indicator--58199662-4f08-47d8-aa1e-69a2950d210f",
|
||
|
"indicator--58199663-b44c-4e29-b015-69a2950d210f",
|
||
|
"indicator--58199663-f604-4123-b0c1-69a2950d210f",
|
||
|
"indicator--58199663-3e64-4c5f-b2d9-69a2950d210f",
|
||
|
"indicator--58199663-c4d8-41ac-812f-69a2950d210f",
|
||
|
"indicator--58199664-74ac-4083-b6c9-69a2950d210f",
|
||
|
"indicator--58199664-66a8-477a-8f98-69a2950d210f",
|
||
|
"indicator--58199664-51f8-41dd-a14a-69a2950d210f",
|
||
|
"indicator--58199664-95d0-4232-8769-69a2950d210f",
|
||
|
"indicator--58199664-c480-4c4d-b02b-69a2950d210f",
|
||
|
"indicator--58199665-68f4-440a-8c11-69a2950d210f",
|
||
|
"indicator--58199665-e514-45d4-b192-69a2950d210f",
|
||
|
"indicator--58199665-59c4-4e69-b920-69a2950d210f",
|
||
|
"indicator--58199665-2eac-4570-aa90-69a2950d210f",
|
||
|
"indicator--58199666-07a0-443d-84aa-69a2950d210f",
|
||
|
"indicator--58199666-fec4-48b9-88d1-69a2950d210f",
|
||
|
"indicator--5819969b-6a80-454a-86c3-7756950d210f",
|
||
|
"indicator--58199710-c854-4314-a62c-5936950d210f",
|
||
|
"indicator--58199711-6b68-4151-a624-5936950d210f",
|
||
|
"indicator--58199793-682c-4562-8b4b-5930950d210f",
|
||
|
"indicator--58199793-7cac-4fea-976e-5930950d210f",
|
||
|
"indicator--581997bb-ace0-406a-9f0b-69b0950d210f",
|
||
|
"indicator--581997bc-5918-45e0-9e31-69b0950d210f",
|
||
|
"indicator--581999d8-b7bc-4e14-9b82-5931950d210f",
|
||
|
"indicator--581999ff-a8a8-4c8c-b647-5932950d210f",
|
||
|
"indicator--581999ff-ea9c-4ad2-8984-5932950d210f",
|
||
|
"indicator--58199aae-5a18-4ced-86c8-69b0950d210f",
|
||
|
"indicator--58199aae-14dc-4896-969c-69b0950d210f",
|
||
|
"indicator--58199aae-c690-4324-b536-69b0950d210f",
|
||
|
"indicator--58199aaf-1e80-4115-be88-69b0950d210f",
|
||
|
"indicator--58199aaf-18e8-4d01-8825-69b0950d210f",
|
||
|
"indicator--58199aaf-1df0-4c0d-8ce4-69b0950d210f",
|
||
|
"indicator--58199aaf-1514-452d-b6ee-69b0950d210f",
|
||
|
"indicator--58199ab0-3254-498e-b91c-69b0950d210f",
|
||
|
"indicator--58199ab0-e800-497f-9335-69b0950d210f",
|
||
|
"indicator--58199ab0-341c-4644-ae0c-69b0950d210f",
|
||
|
"indicator--58199ab0-eab8-4ba6-9506-69b0950d210f",
|
||
|
"indicator--58199ab1-0700-4e3e-88a2-69b0950d210f",
|
||
|
"indicator--58199ab1-bb2c-4631-9ef1-69b0950d210f",
|
||
|
"indicator--58199ac5-c9dc-4d15-bd66-5932950d210f",
|
||
|
"indicator--58199b90-8720-459a-9cc4-69b0950d210f",
|
||
|
"indicator--58199b90-a7c4-44fa-9165-69b0950d210f",
|
||
|
"indicator--58199b90-87d0-4d4a-8edd-69b0950d210f",
|
||
|
"indicator--58199b90-ad1c-4a4e-a85a-69b0950d210f",
|
||
|
"indicator--58199b91-80b4-4ef5-b984-69b0950d210f",
|
||
|
"indicator--58199b91-9930-4730-abd7-69b0950d210f",
|
||
|
"indicator--58199b91-41ec-43b9-b895-69b0950d210f",
|
||
|
"indicator--58199b91-8928-4177-8bc6-69b0950d210f",
|
||
|
"indicator--58199b91-8910-4c5b-84d5-69b0950d210f",
|
||
|
"indicator--58199b92-3990-40e3-99ae-69b0950d210f",
|
||
|
"indicator--58199b92-5f60-4bc9-bc55-69b0950d210f",
|
||
|
"indicator--58199b92-1da0-4cd8-aa4a-69b0950d210f",
|
||
|
"indicator--58199b92-fa98-476a-b72c-69b0950d210f",
|
||
|
"indicator--58199b93-fbd0-4a5f-bf4c-69b0950d210f",
|
||
|
"indicator--58199b93-cc98-4b20-8bed-69b0950d210f",
|
||
|
"indicator--58199d01-ddbc-4294-976e-593002de0b81",
|
||
|
"indicator--58199d01-e758-4f49-8c30-593002de0b81",
|
||
|
"observed-data--58199d01-d9a0-4d93-a953-593002de0b81",
|
||
|
"url--58199d01-d9a0-4d93-a953-593002de0b81",
|
||
|
"indicator--58199d02-52cc-4f23-903b-593002de0b81",
|
||
|
"indicator--58199d02-16a8-4a5c-9879-593002de0b81",
|
||
|
"observed-data--58199d02-d948-4059-8c23-593002de0b81",
|
||
|
"url--58199d02-d948-4059-8c23-593002de0b81",
|
||
|
"indicator--58199d03-955c-4de5-9ba9-593002de0b81",
|
||
|
"indicator--58199d03-c30c-48a2-bc88-593002de0b81",
|
||
|
"observed-data--58199d03-0da4-4b22-96c6-593002de0b81",
|
||
|
"url--58199d03-0da4-4b22-96c6-593002de0b81",
|
||
|
"indicator--58199d03-6b38-470f-aaf8-593002de0b81",
|
||
|
"indicator--58199d04-ace4-4566-b96d-593002de0b81",
|
||
|
"observed-data--58199d04-8f68-4815-b5fd-593002de0b81",
|
||
|
"url--58199d04-8f68-4815-b5fd-593002de0b81",
|
||
|
"indicator--58199d04-b1fc-4c68-973e-593002de0b81",
|
||
|
"indicator--58199d04-22e4-42fc-a180-593002de0b81",
|
||
|
"observed-data--58199d05-e6d4-46c7-809f-593002de0b81",
|
||
|
"url--58199d05-e6d4-46c7-809f-593002de0b81",
|
||
|
"indicator--58199d05-a17c-4c0b-8842-593002de0b81",
|
||
|
"indicator--58199d05-3dec-4053-9bd8-593002de0b81",
|
||
|
"observed-data--58199d05-a3d4-4ab0-8d16-593002de0b81",
|
||
|
"url--58199d05-a3d4-4ab0-8d16-593002de0b81",
|
||
|
"indicator--58199d06-8b1c-41bf-9739-593002de0b81",
|
||
|
"indicator--58199d06-2f2c-40dc-b101-593002de0b81",
|
||
|
"observed-data--58199d06-5488-450d-95a0-593002de0b81",
|
||
|
"url--58199d06-5488-450d-95a0-593002de0b81",
|
||
|
"indicator--58199d06-7d04-48bd-9241-593002de0b81",
|
||
|
"indicator--58199d06-0020-414d-adda-593002de0b81",
|
||
|
"observed-data--58199d07-c2c4-4782-9cd6-593002de0b81",
|
||
|
"url--58199d07-c2c4-4782-9cd6-593002de0b81",
|
||
|
"indicator--58199d07-78e4-4225-8b38-593002de0b81",
|
||
|
"indicator--58199d07-36c0-4736-a131-593002de0b81",
|
||
|
"observed-data--58199d07-898c-486b-8f12-593002de0b81",
|
||
|
"url--58199d07-898c-486b-8f12-593002de0b81",
|
||
|
"indicator--58199d07-b870-4c96-a744-593002de0b81",
|
||
|
"indicator--58199d08-c570-45d7-a8ec-593002de0b81",
|
||
|
"observed-data--58199d08-efcc-4637-9a08-593002de0b81",
|
||
|
"url--58199d08-efcc-4637-9a08-593002de0b81",
|
||
|
"indicator--58199d08-6324-4078-8911-593002de0b81",
|
||
|
"indicator--58199d08-8cac-4304-afaf-593002de0b81",
|
||
|
"observed-data--58199d09-9b1c-40a9-8c1b-593002de0b81",
|
||
|
"url--58199d09-9b1c-40a9-8c1b-593002de0b81",
|
||
|
"indicator--58199d09-cb20-4457-b416-593002de0b81",
|
||
|
"observed-data--58199d09-e9f0-446e-85be-593002de0b81",
|
||
|
"url--58199d09-e9f0-446e-85be-593002de0b81",
|
||
|
"indicator--58199d09-2004-4f16-964d-593002de0b81",
|
||
|
"observed-data--58199d0a-66e0-416c-9dcb-593002de0b81",
|
||
|
"url--58199d0a-66e0-416c-9dcb-593002de0b81",
|
||
|
"indicator--58199d0a-a2c4-4ab5-9e4d-593002de0b81",
|
||
|
"observed-data--58199d0a-7e44-45e0-9fa5-593002de0b81",
|
||
|
"url--58199d0a-7e44-45e0-9fa5-593002de0b81",
|
||
|
"indicator--58199d0a-3c70-422f-ab84-593002de0b81",
|
||
|
"observed-data--58199d0a-9d4c-4a30-b875-593002de0b81",
|
||
|
"url--58199d0a-9d4c-4a30-b875-593002de0b81",
|
||
|
"indicator--58199d0b-98f8-44bb-999b-593002de0b81",
|
||
|
"observed-data--58199d0b-a2ac-4420-aa83-593002de0b81",
|
||
|
"url--58199d0b-a2ac-4420-aa83-593002de0b81",
|
||
|
"indicator--58199d0c-45cc-4ac6-816e-593002de0b81",
|
||
|
"observed-data--58199d0c-6ec8-4d0b-a9cc-593002de0b81",
|
||
|
"url--58199d0c-6ec8-4d0b-a9cc-593002de0b81",
|
||
|
"indicator--58199d0d-41e0-4732-9124-593002de0b81",
|
||
|
"observed-data--58199d0d-5df0-4539-9c22-593002de0b81",
|
||
|
"url--58199d0d-5df0-4539-9c22-593002de0b81",
|
||
|
"indicator--58199d0e-6504-460f-8263-593002de0b81",
|
||
|
"observed-data--58199d0e-a3a0-4794-96ac-593002de0b81",
|
||
|
"url--58199d0e-a3a0-4794-96ac-593002de0b81",
|
||
|
"indicator--58199d0f-9834-4d37-9332-593002de0b81",
|
||
|
"observed-data--58199d0f-7bbc-447e-8b45-593002de0b81",
|
||
|
"url--58199d0f-7bbc-447e-8b45-593002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"osint:source-type=\"blog-post\"",
|
||
|
"osint:source-type=\"technical-report\"",
|
||
|
"misp-galaxy:tool=\"PlugX\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--581994d6-aa60-461d-9870-5930950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:25:10.000Z",
|
||
|
"modified": "2016-11-02T07:25:10.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "This paper documents attempted exploitation activity aimed at Uyghur interests outside of China. Exploitation is being attempted via the usual tactic of spear phishing containing malicious attachments to targets. The exploit code attached used for dropping the malware is older \u00e2\u20ac\u201c CVE-2012-0158 \u00e2\u20ac\u201c and from our vantage point, we have no indication of successful or failed exploitation. Nonetheless, we can obtain targeting information and insight into tactics from the spearphish messages used by the threat actors. Successful exploitation typically results in malware calling back to one or more Uyghur themed domain names. The malware payloads observed to be associated with the Uyghur themed C2 domains so far consist of PlugX, Gh0st RAT, and Saker/Xbox, although there may be others that are yet to be discovered.\r\n\r\nIt is possible that additional targeting well beyond CVE-2012-0158 is at play, although in this case it appears that threat actors still thought they could obtain benefit from using a four-year-old vulnerability that has been widely associated with numerous cyber-espionage operations over the years. This may be due to the weakness of defensive posture among those targeted and an attempt at higher return on investment by using exploit code that might still be adequate considering the targets. Pivots on threat infrastructure suggest that the same or related threat actors have direct or indirect access to other types of exploit code such as the \u00e2\u20ac\u0153Four Element Sword\u00e2\u20ac\u009d builder and the numerous types of malware delivered with it (PlugX, 9002 RAT 3102 variant, T9000, Grabber, Gh0st RAT LURK0 variant and perhaps others), profiled in previous ASERT threat intelligence products."
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199523-6178-43d6-8b1f-592e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:26:27.000Z",
|
||
|
"modified": "2016-11-02T07:26:27.000Z",
|
||
|
"first_observed": "2016-11-02T07:26:27Z",
|
||
|
"last_observed": "2016-11-02T07:26:27Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199523-6178-43d6-8b1f-592e950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199523-6178-43d6-8b1f-592e950d210f",
|
||
|
"value": "https://www.arbornetworks.com/blog/asert/flying-dragon-eye-uyghur-themed-threat-activity/"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199523-0100-4667-81dc-592e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:26:27.000Z",
|
||
|
"modified": "2016-11-02T07:26:27.000Z",
|
||
|
"first_observed": "2016-11-02T07:26:27Z",
|
||
|
"last_observed": "2016-11-02T07:26:27Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199523-0100-4667-81dc-592e950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199523-0100-4667-81dc-592e950d210f",
|
||
|
"value": "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/11/TLP-WHITE-Flying-Dragon-Eye-Uyghur-Themed-Threat-Activity.pdf"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199523-3db4-4c81-b411-592e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:26:27.000Z",
|
||
|
"modified": "2016-11-02T07:26:27.000Z",
|
||
|
"first_observed": "2016-11-02T07:26:27Z",
|
||
|
"last_observed": "2016-11-02T07:26:27Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199523-3db4-4c81-b411-592e950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199523-3db4-4c81-b411-592e950d210f",
|
||
|
"value": "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/09/FlyingDragonEye_IOC.csv"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199662-6d4c-4bf8-9d4e-69a2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:31:46.000Z",
|
||
|
"modified": "2016-11-02T07:31:46.000Z",
|
||
|
"description": "suspicious domain",
|
||
|
"pattern": "[domain-name:value = 'www.turkistanuyghur.top']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:31:46Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199662-0a20-4530-8464-69a2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:31:46.000Z",
|
||
|
"modified": "2016-11-02T07:31:46.000Z",
|
||
|
"description": "suspicious domain",
|
||
|
"pattern": "[domain-name:value = 'www.yawropauyghur.top']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:31:46Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199662-4f08-47d8-aa1e-69a2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:31:46.000Z",
|
||
|
"modified": "2016-11-02T07:31:46.000Z",
|
||
|
"description": "suspicious domain",
|
||
|
"pattern": "[domain-name:value = 'www.whitewall.top']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:31:46Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199663-b44c-4e29-b015-69a2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:31:47.000Z",
|
||
|
"modified": "2016-11-02T07:31:47.000Z",
|
||
|
"description": "suspicious domain",
|
||
|
"pattern": "[domain-name:value = 'dtsx.uygurinfo.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:31:47Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199663-f604-4123-b0c1-69a2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:31:47.000Z",
|
||
|
"modified": "2016-11-02T07:31:47.000Z",
|
||
|
"description": "suspicious domain",
|
||
|
"pattern": "[domain-name:value = 'ks.uygurinfo.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:31:47Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199663-3e64-4c5f-b2d9-69a2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:31:47.000Z",
|
||
|
"modified": "2016-11-02T07:31:47.000Z",
|
||
|
"description": "suspicious domain",
|
||
|
"pattern": "[domain-name:value = 'uygurinfo.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:31:47Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199663-c4d8-41ac-812f-69a2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:31:47.000Z",
|
||
|
"modified": "2016-11-02T07:31:47.000Z",
|
||
|
"description": "suspicious domain",
|
||
|
"pattern": "[domain-name:value = 'tibettimes.top']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:31:47Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199664-74ac-4083-b6c9-69a2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:31:48.000Z",
|
||
|
"modified": "2016-11-02T07:31:48.000Z",
|
||
|
"description": "suspicious domain",
|
||
|
"pattern": "[domain-name:value = 'www.amerikauyghur.top']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:31:48Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199664-66a8-477a-8f98-69a2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:31:48.000Z",
|
||
|
"modified": "2016-11-02T07:31:48.000Z",
|
||
|
"description": "suspicious domain",
|
||
|
"pattern": "[domain-name:value = 'www.japanuyghur.top']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:31:48Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199664-51f8-41dd-a14a-69a2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:31:48.000Z",
|
||
|
"modified": "2016-11-02T07:31:48.000Z",
|
||
|
"description": "suspicious domain",
|
||
|
"pattern": "[domain-name:value = 'www.hotansft.top']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:31:48Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199664-95d0-4232-8769-69a2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:31:48.000Z",
|
||
|
"modified": "2016-11-02T07:31:48.000Z",
|
||
|
"description": "suspicious domain",
|
||
|
"pattern": "[domain-name:value = 'turkiyeuyghur.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:31:48Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199664-c480-4c4d-b02b-69a2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:31:48.000Z",
|
||
|
"modified": "2016-11-02T07:31:48.000Z",
|
||
|
"description": "suspicious domain",
|
||
|
"pattern": "[domain-name:value = 'www.tibetimes.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:31:48Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199665-68f4-440a-8c11-69a2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:31:49.000Z",
|
||
|
"modified": "2016-11-02T07:31:49.000Z",
|
||
|
"description": "suspicious domain",
|
||
|
"pattern": "[domain-name:value = 'freetibet.top']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:31:49Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199665-e514-45d4-b192-69a2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:31:49.000Z",
|
||
|
"modified": "2016-11-02T07:31:49.000Z",
|
||
|
"description": "suspicious domain",
|
||
|
"pattern": "[domain-name:value = 'russiauyghur.top']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:31:49Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199665-59c4-4e69-b920-69a2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:31:49.000Z",
|
||
|
"modified": "2016-11-02T07:31:49.000Z",
|
||
|
"description": "suspicious IP",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '59.188.83.144']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:31:49Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199665-2eac-4570-aa90-69a2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:31:49.000Z",
|
||
|
"modified": "2016-11-02T07:31:49.000Z",
|
||
|
"description": "suspicious IP",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.193.225.133']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:31:49Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199666-07a0-443d-84aa-69a2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:31:50.000Z",
|
||
|
"modified": "2016-11-02T07:31:50.000Z",
|
||
|
"description": "suspicious IP",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.193.240.218']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:31:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199666-fec4-48b9-88d1-69a2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:31:50.000Z",
|
||
|
"modified": "2016-11-02T07:31:50.000Z",
|
||
|
"description": "suspicious IP",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.193.240.195']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:31:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5819969b-6a80-454a-86c3-7756950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:32:43.000Z",
|
||
|
"modified": "2016-11-02T07:32:43.000Z",
|
||
|
"description": "suspicious email",
|
||
|
"pattern": "[email-message:from_ref.value = '2732115454@qq.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:32:43Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199710-c854-4314-a62c-5936950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:34:40.000Z",
|
||
|
"modified": "2016-11-02T07:34:40.000Z",
|
||
|
"description": "PlugX malware",
|
||
|
"pattern": "[file:hashes.MD5 = 'fa85f8a332ac26892a8ad6f21491404a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:34:40Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199711-6b68-4151-a624-5936950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:34:41.000Z",
|
||
|
"modified": "2016-11-02T07:34:41.000Z",
|
||
|
"description": "PlugX malware",
|
||
|
"pattern": "[file:hashes.SHA256 = 'a351040c0da2837f19b357baea4bffe194b0cd0d86bf262f8be1126e3a9d44d8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:34:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199793-682c-4562-8b4b-5930950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:36:51.000Z",
|
||
|
"modified": "2016-11-02T07:36:51.000Z",
|
||
|
"description": "Gh0stRAT LURK0",
|
||
|
"pattern": "[file:hashes.SHA256 = 'b625e605932196efbc6c80a18f61a71d27d82935209a1abde2ec591973fed31e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:36:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199793-7cac-4fea-976e-5930950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:36:51.000Z",
|
||
|
"modified": "2016-11-02T07:36:51.000Z",
|
||
|
"description": "Gh0stRAT LURK0",
|
||
|
"pattern": "[file:hashes.MD5 = '4edda0e2a8a415272f475f3af4d17dc1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:36:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--581997bb-ace0-406a-9f0b-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:37:31.000Z",
|
||
|
"modified": "2016-11-02T07:37:31.000Z",
|
||
|
"description": "Saker/Xbox",
|
||
|
"pattern": "[file:hashes.SHA256 = 'c39e0fc30c2604b3eb9694591789a8e3d4cee7bcc4f9b03349e10c45304aef59']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:37:31Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--581997bc-5918-45e0-9e31-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:37:32.000Z",
|
||
|
"modified": "2016-11-02T07:37:32.000Z",
|
||
|
"description": "Saker/Xbox",
|
||
|
"pattern": "[file:hashes.MD5 = '86088922528b4d0a5493046527b29822']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:37:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--581999d8-b7bc-4e14-9b82-5931950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:46:32.000Z",
|
||
|
"modified": "2016-11-02T07:46:32.000Z",
|
||
|
"description": "IP before sinkholing - www.turkiyeuyghur.com - Saker/Xbox",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '210.209.118.87']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:46:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--581999ff-a8a8-4c8c-b647-5932950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:47:11.000Z",
|
||
|
"modified": "2016-11-02T07:47:11.000Z",
|
||
|
"description": "Saker/Xbox",
|
||
|
"pattern": "[file:hashes.SHA256 = '3714058d90b2149169188418773165b620abd1481b47d1551d79679bfe21d28c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:47:11Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--581999ff-ea9c-4ad2-8984-5932950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:47:11.000Z",
|
||
|
"modified": "2016-11-02T07:47:11.000Z",
|
||
|
"description": "Saker/Xbox",
|
||
|
"pattern": "[file:hashes.MD5 = 'e490174855b8548161613fd5d9955e7a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:47:11Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199aae-5a18-4ced-86c8-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:50:06.000Z",
|
||
|
"modified": "2016-11-02T07:50:06.000Z",
|
||
|
"description": "Mutex match",
|
||
|
"pattern": "[file:hashes.SHA256 = 'f15840fbade7a5611391193a4a53f63ef465ab451f7783da21cad7303ea3b68c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:50:06Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199aae-14dc-4896-969c-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:50:06.000Z",
|
||
|
"modified": "2016-11-02T07:50:06.000Z",
|
||
|
"description": "Mutex match",
|
||
|
"pattern": "[file:hashes.MD5 = 'e49e235b301a4316ef58753c093279f0']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:50:06Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199aae-c690-4324-b536-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:50:06.000Z",
|
||
|
"modified": "2016-11-02T07:50:06.000Z",
|
||
|
"description": "Mutex match",
|
||
|
"pattern": "[file:hashes.SHA256 = '97ec795227818fedc70fad9f2df8cb839d9fb75b502f3598614610d4e8e1be78']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:50:06Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199aaf-1e80-4115-be88-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:50:07.000Z",
|
||
|
"modified": "2016-11-02T07:50:07.000Z",
|
||
|
"description": "Mutex match",
|
||
|
"pattern": "[file:hashes.MD5 = '0ea68dd9463626082bb96ad373bd84e0']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:50:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199aaf-18e8-4d01-8825-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:50:07.000Z",
|
||
|
"modified": "2016-11-02T07:50:07.000Z",
|
||
|
"description": "PEHash of Prior samples",
|
||
|
"pattern": "[file:hashes.PEHASH = '59781db8be6bb162f5c8ee8cf950fe191417baa4']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:50:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"pehash\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199aaf-1df0-4c0d-8ce4-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:50:07.000Z",
|
||
|
"modified": "2016-11-02T07:50:07.000Z",
|
||
|
"description": "Sample matching PEHash",
|
||
|
"pattern": "[file:hashes.SHA256 = '444c6589ed030da41ba49d20ac38029e5213978fadef2ee94408e4f91395b488']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:50:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199aaf-1514-452d-b6ee-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:50:07.000Z",
|
||
|
"modified": "2016-11-02T07:50:07.000Z",
|
||
|
"description": "Sample matching PEHash",
|
||
|
"pattern": "[file:hashes.MD5 = '1a169a7e52879bad47e2834abfe50361']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:50:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199ab0-3254-498e-b91c-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:50:08.000Z",
|
||
|
"modified": "2016-11-02T07:50:08.000Z",
|
||
|
"description": "Sample matching PEHash",
|
||
|
"pattern": "[file:hashes.SHA256 = 'ef3e7b1c37aef1d8359169cca9409db4709632b9aa8bf44febe0d91e93ab537e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:50:08Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199ab0-e800-497f-9335-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:50:08.000Z",
|
||
|
"modified": "2016-11-02T07:50:08.000Z",
|
||
|
"description": "Sample matching PEHash",
|
||
|
"pattern": "[file:hashes.MD5 = '731a9761626e39bb84b34343bdae67b0']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:50:08Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199ab0-341c-4644-ae0c-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:50:08.000Z",
|
||
|
"modified": "2016-11-02T07:50:08.000Z",
|
||
|
"description": "Sample matching PEHash",
|
||
|
"pattern": "[file:hashes.SHA256 = '62a033fc586c6220ee0c0ea8ff207ab038776455505fa2137e9591433ada26e1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:50:08Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199ab0-eab8-4ba6-9506-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:50:08.000Z",
|
||
|
"modified": "2016-11-02T07:50:08.000Z",
|
||
|
"description": "Sample matching PEHash",
|
||
|
"pattern": "[file:hashes.MD5 = '1dc2e57dbf63051608cff83d8b88d352']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:50:08Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199ab1-0700-4e3e-88a2-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:50:09.000Z",
|
||
|
"modified": "2016-11-02T07:50:09.000Z",
|
||
|
"description": "Sample matching PEHash",
|
||
|
"pattern": "[file:hashes.SHA256 = '087e45f63ce00c4df07f81837eceb0b322773822feee01cfc005e5fc14e50f5e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:50:09Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199ab1-bb2c-4631-9ef1-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:50:09.000Z",
|
||
|
"modified": "2016-11-02T07:50:09.000Z",
|
||
|
"description": "Sample matching PEHash",
|
||
|
"pattern": "[file:hashes.MD5 = 'de07dc9e83bfd445ad7cc58baab671f2']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:50:09Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199ac5-c9dc-4d15-bd66-5932950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:50:29.000Z",
|
||
|
"modified": "2016-11-02T07:50:29.000Z",
|
||
|
"description": "suspicious mutex in Saker/Xbox",
|
||
|
"pattern": "[mutex:name = 'pcdebug.1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:50:29Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"mutex\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199b90-8720-459a-9cc4-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:53:52.000Z",
|
||
|
"modified": "2016-11-02T07:53:52.000Z",
|
||
|
"description": "Google aqsakla Rabiye isming.doc",
|
||
|
"pattern": "[file:hashes.SHA256 = '3f3d0a5aa2799d6afe74c5cb6e077e375078b173263c5ca887ffe2e22164b10f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:53:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199b90-a7c4-44fa-9165-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:53:52.000Z",
|
||
|
"modified": "2016-11-02T07:53:52.000Z",
|
||
|
"description": "agahlandurushname.doc",
|
||
|
"pattern": "[file:hashes.SHA256 = '7b587b104219784e9fd3dc9c13a0f652e73baed01e8c3b24828a92f151f3c698']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:53:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199b90-87d0-4d4a-8edd-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:53:52.000Z",
|
||
|
"modified": "2016-11-02T07:53:52.000Z",
|
||
|
"description": "chaqiriq.doc",
|
||
|
"pattern": "[file:hashes.SHA256 = '4ab388b1310918144ad95e418ebe12251a97cb69fbed3f0dd9f04d780ddd132d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:53:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199b90-ad1c-4a4e-a85a-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:53:52.000Z",
|
||
|
"modified": "2016-11-02T07:53:52.000Z",
|
||
|
"description": "chaqiriq.doc",
|
||
|
"pattern": "[file:hashes.SHA256 = '940d0770e644c152d60a13f9d40015a1089419361de33fe127e032f4bb446c69']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:53:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199b91-80b4-4ef5-b984-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:53:53.000Z",
|
||
|
"modified": "2016-11-02T07:53:53.000Z",
|
||
|
"description": "chqiriq.doc",
|
||
|
"pattern": "[file:hashes.SHA256 = '0c35a508ece0c9269e176b6b278a96f7ca29e04a2ca2319a91b585f27abfe2f6']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:53:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199b91-9930-4730-abd7-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:53:53.000Z",
|
||
|
"modified": "2016-11-02T07:53:53.000Z",
|
||
|
"description": "tetqiqat doklati.doc",
|
||
|
"pattern": "[file:hashes.SHA256 = '5e818eeb0cffeb6f65f611a17f522560912ae19372e7f734be6df5e35ba82337']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:53:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199b91-41ec-43b9-b895-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:53:53.000Z",
|
||
|
"modified": "2016-11-02T07:53:53.000Z",
|
||
|
"description": "istepaname.doc",
|
||
|
"pattern": "[file:hashes.SHA256 = 'e55912a134902ab73c52cb42f32051745214275b59a95d565cfcb7560d32f601']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:53:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199b91-8928-4177-8bc6-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:53:53.000Z",
|
||
|
"modified": "2016-11-02T07:53:53.000Z",
|
||
|
"description": "jedwel.doc",
|
||
|
"pattern": "[file:hashes.SHA256 = '45e39db2a877ff2663efc4d66ed4084ffdb6ddb4926112b7c471872208b96767']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:53:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199b91-8910-4c5b-84d5-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:53:53.000Z",
|
||
|
"modified": "2016-11-02T07:53:53.000Z",
|
||
|
"description": "teklipname.doc",
|
||
|
"pattern": "[file:hashes.SHA256 = 'f4fd8554710017caa042b52122d7985c7f510df8e2c26f1ffa6e27233bfe9b54']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:53:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199b92-3990-40e3-99ae-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:53:54.000Z",
|
||
|
"modified": "2016-11-02T07:53:54.000Z",
|
||
|
"description": "Tetqiqat doklati.doc",
|
||
|
"pattern": "[file:hashes.SHA256 = '9feee2a3fe49fe774d414999ac393655255e7c035ffc93bbd031a2331fd89dc8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:53:54Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199b92-5f60-4bc9-bc55-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:53:54.000Z",
|
||
|
"modified": "2016-11-02T07:53:54.000Z",
|
||
|
"description": "uqturush.doc",
|
||
|
"pattern": "[file:hashes.SHA256 = '3bbf0f821c89ba03d30deb63eec59c8e9e76c20578ad805de9971bdbcd2855d2']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:53:54Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199b92-1da0-4cd8-aa4a-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:53:54.000Z",
|
||
|
"modified": "2016-11-02T07:53:54.000Z",
|
||
|
"description": "malware",
|
||
|
"pattern": "[file:hashes.SHA256 = '69c2da4061890050dc0ca28db6f240c8ed6c4897f4174bcd5d1bca00ade537d5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:53:54Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199b92-fa98-476a-b72c-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:53:54.000Z",
|
||
|
"modified": "2016-11-02T07:53:54.000Z",
|
||
|
"description": "malware",
|
||
|
"pattern": "[file:hashes.MD5 = '9de14f249afc4e6979d8f2106e405b21']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:53:54Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199b93-fbd0-4a5f-bf4c-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:53:55.000Z",
|
||
|
"modified": "2016-11-02T07:53:55.000Z",
|
||
|
"description": "malware",
|
||
|
"pattern": "[file:hashes.SHA256 = 'be7a14927ff11536a5bfd6c21d3f4a304659001f1f13b6d90ce0e031522817e5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:53:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199b93-cc98-4b20-8bed-69b0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T07:53:55.000Z",
|
||
|
"modified": "2016-11-02T07:53:55.000Z",
|
||
|
"description": "malware",
|
||
|
"pattern": "[file:hashes.MD5 = '2f981ac92284f1c710e53a5a2d41257a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T07:53:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d01-ddbc-4294-976e-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:01.000Z",
|
||
|
"modified": "2016-11-02T08:00:01.000Z",
|
||
|
"description": "uqturush.doc - Xchecked via VT: 3bbf0f821c89ba03d30deb63eec59c8e9e76c20578ad805de9971bdbcd2855d2",
|
||
|
"pattern": "[file:hashes.SHA1 = '3f4719e1132fbe99c61ba2860c01a59c1bb9eee4']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:01Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d01-e758-4f49-8c30-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:01.000Z",
|
||
|
"modified": "2016-11-02T08:00:01.000Z",
|
||
|
"description": "uqturush.doc - Xchecked via VT: 3bbf0f821c89ba03d30deb63eec59c8e9e76c20578ad805de9971bdbcd2855d2",
|
||
|
"pattern": "[file:hashes.MD5 = 'e680b0b3e1679d64044795ea9800d52e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:01Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199d01-d9a0-4d93-a953-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:01.000Z",
|
||
|
"modified": "2016-11-02T08:00:01.000Z",
|
||
|
"first_observed": "2016-11-02T08:00:01Z",
|
||
|
"last_observed": "2016-11-02T08:00:01Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199d01-d9a0-4d93-a953-593002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199d01-d9a0-4d93-a953-593002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/3bbf0f821c89ba03d30deb63eec59c8e9e76c20578ad805de9971bdbcd2855d2/analysis/1457003870/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d02-52cc-4f23-903b-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:02.000Z",
|
||
|
"modified": "2016-11-02T08:00:02.000Z",
|
||
|
"description": "Tetqiqat doklati.doc - Xchecked via VT: 9feee2a3fe49fe774d414999ac393655255e7c035ffc93bbd031a2331fd89dc8",
|
||
|
"pattern": "[file:hashes.SHA1 = '2fd166e52f0a4daa795763eb66207b1a14d8e59e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:02Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d02-16a8-4a5c-9879-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:02.000Z",
|
||
|
"modified": "2016-11-02T08:00:02.000Z",
|
||
|
"description": "Tetqiqat doklati.doc - Xchecked via VT: 9feee2a3fe49fe774d414999ac393655255e7c035ffc93bbd031a2331fd89dc8",
|
||
|
"pattern": "[file:hashes.MD5 = '7d808f496a8e66adfa6af76838f1c3a4']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:02Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199d02-d948-4059-8c23-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:02.000Z",
|
||
|
"modified": "2016-11-02T08:00:02.000Z",
|
||
|
"first_observed": "2016-11-02T08:00:02Z",
|
||
|
"last_observed": "2016-11-02T08:00:02Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199d02-d948-4059-8c23-593002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199d02-d948-4059-8c23-593002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/9feee2a3fe49fe774d414999ac393655255e7c035ffc93bbd031a2331fd89dc8/analysis/1467389786/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d03-955c-4de5-9ba9-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:03.000Z",
|
||
|
"modified": "2016-11-02T08:00:03.000Z",
|
||
|
"description": "teklipname.doc - Xchecked via VT: f4fd8554710017caa042b52122d7985c7f510df8e2c26f1ffa6e27233bfe9b54",
|
||
|
"pattern": "[file:hashes.SHA1 = 'ec8816b82bab16ae26777b17eea95883bea5c3fb']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d03-c30c-48a2-bc88-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:03.000Z",
|
||
|
"modified": "2016-11-02T08:00:03.000Z",
|
||
|
"description": "teklipname.doc - Xchecked via VT: f4fd8554710017caa042b52122d7985c7f510df8e2c26f1ffa6e27233bfe9b54",
|
||
|
"pattern": "[file:hashes.MD5 = '190b6d19b3d2088acbd56323dbd98973']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199d03-0da4-4b22-96c6-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:03.000Z",
|
||
|
"modified": "2016-11-02T08:00:03.000Z",
|
||
|
"first_observed": "2016-11-02T08:00:03Z",
|
||
|
"last_observed": "2016-11-02T08:00:03Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199d03-0da4-4b22-96c6-593002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199d03-0da4-4b22-96c6-593002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/f4fd8554710017caa042b52122d7985c7f510df8e2c26f1ffa6e27233bfe9b54/analysis/1467397149/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d03-6b38-470f-aaf8-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:03.000Z",
|
||
|
"modified": "2016-11-02T08:00:03.000Z",
|
||
|
"description": "jedwel.doc - Xchecked via VT: 45e39db2a877ff2663efc4d66ed4084ffdb6ddb4926112b7c471872208b96767",
|
||
|
"pattern": "[file:hashes.SHA1 = '3b59b1b2d5416bbb4a28da2a45414bc0605bcead']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d04-ace4-4566-b96d-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:04.000Z",
|
||
|
"modified": "2016-11-02T08:00:04.000Z",
|
||
|
"description": "jedwel.doc - Xchecked via VT: 45e39db2a877ff2663efc4d66ed4084ffdb6ddb4926112b7c471872208b96767",
|
||
|
"pattern": "[file:hashes.MD5 = '9985b1ab655f26e8a05f8402ad0ea300']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199d04-8f68-4815-b5fd-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:04.000Z",
|
||
|
"modified": "2016-11-02T08:00:04.000Z",
|
||
|
"first_observed": "2016-11-02T08:00:04Z",
|
||
|
"last_observed": "2016-11-02T08:00:04Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199d04-8f68-4815-b5fd-593002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199d04-8f68-4815-b5fd-593002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/45e39db2a877ff2663efc4d66ed4084ffdb6ddb4926112b7c471872208b96767/analysis/1467395826/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d04-b1fc-4c68-973e-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:04.000Z",
|
||
|
"modified": "2016-11-02T08:00:04.000Z",
|
||
|
"description": "istepaname.doc - Xchecked via VT: e55912a134902ab73c52cb42f32051745214275b59a95d565cfcb7560d32f601",
|
||
|
"pattern": "[file:hashes.SHA1 = 'fbc27bcf672d1ea3d4ff9cb3a8fd6a55d92d8b74']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d04-22e4-42fc-a180-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:04.000Z",
|
||
|
"modified": "2016-11-02T08:00:04.000Z",
|
||
|
"description": "istepaname.doc - Xchecked via VT: e55912a134902ab73c52cb42f32051745214275b59a95d565cfcb7560d32f601",
|
||
|
"pattern": "[file:hashes.MD5 = '6d9091def6fbf3ead3136eaa1861113c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199d05-e6d4-46c7-809f-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:04.000Z",
|
||
|
"modified": "2016-11-02T08:00:04.000Z",
|
||
|
"first_observed": "2016-11-02T08:00:04Z",
|
||
|
"last_observed": "2016-11-02T08:00:04Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199d05-e6d4-46c7-809f-593002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199d05-e6d4-46c7-809f-593002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/e55912a134902ab73c52cb42f32051745214275b59a95d565cfcb7560d32f601/analysis/1458644189/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d05-a17c-4c0b-8842-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:05.000Z",
|
||
|
"modified": "2016-11-02T08:00:05.000Z",
|
||
|
"description": "tetqiqat doklati.doc - Xchecked via VT: 5e818eeb0cffeb6f65f611a17f522560912ae19372e7f734be6df5e35ba82337",
|
||
|
"pattern": "[file:hashes.SHA1 = '29283c126924dca11b05af968a1de2ad46e8dc9c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:05Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d05-3dec-4053-9bd8-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:05.000Z",
|
||
|
"modified": "2016-11-02T08:00:05.000Z",
|
||
|
"description": "tetqiqat doklati.doc - Xchecked via VT: 5e818eeb0cffeb6f65f611a17f522560912ae19372e7f734be6df5e35ba82337",
|
||
|
"pattern": "[file:hashes.MD5 = 'dad5fca029351bde31de9fff3541fdf5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:05Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199d05-a3d4-4ab0-8d16-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:05.000Z",
|
||
|
"modified": "2016-11-02T08:00:05.000Z",
|
||
|
"first_observed": "2016-11-02T08:00:05Z",
|
||
|
"last_observed": "2016-11-02T08:00:05Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199d05-a3d4-4ab0-8d16-593002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199d05-a3d4-4ab0-8d16-593002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/5e818eeb0cffeb6f65f611a17f522560912ae19372e7f734be6df5e35ba82337/analysis/1467970728/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d06-8b1c-41bf-9739-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:06.000Z",
|
||
|
"modified": "2016-11-02T08:00:06.000Z",
|
||
|
"description": "chqiriq.doc - Xchecked via VT: 0c35a508ece0c9269e176b6b278a96f7ca29e04a2ca2319a91b585f27abfe2f6",
|
||
|
"pattern": "[file:hashes.SHA1 = '4d697c3afd6b948ec28b7c4e9b0f1d63577ef170']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:06Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d06-2f2c-40dc-b101-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:06.000Z",
|
||
|
"modified": "2016-11-02T08:00:06.000Z",
|
||
|
"description": "chqiriq.doc - Xchecked via VT: 0c35a508ece0c9269e176b6b278a96f7ca29e04a2ca2319a91b585f27abfe2f6",
|
||
|
"pattern": "[file:hashes.MD5 = '740d347f595983b88d8c4b415e900388']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:06Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199d06-5488-450d-95a0-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:06.000Z",
|
||
|
"modified": "2016-11-02T08:00:06.000Z",
|
||
|
"first_observed": "2016-11-02T08:00:06Z",
|
||
|
"last_observed": "2016-11-02T08:00:06Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199d06-5488-450d-95a0-593002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199d06-5488-450d-95a0-593002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/0c35a508ece0c9269e176b6b278a96f7ca29e04a2ca2319a91b585f27abfe2f6/analysis/1467385502/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d06-7d04-48bd-9241-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:06.000Z",
|
||
|
"modified": "2016-11-02T08:00:06.000Z",
|
||
|
"description": "chaqiriq.doc - Xchecked via VT: 940d0770e644c152d60a13f9d40015a1089419361de33fe127e032f4bb446c69",
|
||
|
"pattern": "[file:hashes.SHA1 = 'f7eab4176799794121cd9a8b288bcea09ad7e695']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:06Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d06-0020-414d-adda-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:06.000Z",
|
||
|
"modified": "2016-11-02T08:00:06.000Z",
|
||
|
"description": "chaqiriq.doc - Xchecked via VT: 940d0770e644c152d60a13f9d40015a1089419361de33fe127e032f4bb446c69",
|
||
|
"pattern": "[file:hashes.MD5 = '24b6088b65b1f67cf04dfadd4719f807']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:06Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199d07-c2c4-4782-9cd6-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:07.000Z",
|
||
|
"modified": "2016-11-02T08:00:07.000Z",
|
||
|
"first_observed": "2016-11-02T08:00:07Z",
|
||
|
"last_observed": "2016-11-02T08:00:07Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199d07-c2c4-4782-9cd6-593002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199d07-c2c4-4782-9cd6-593002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/940d0770e644c152d60a13f9d40015a1089419361de33fe127e032f4bb446c69/analysis/1467396978/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d07-78e4-4225-8b38-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:07.000Z",
|
||
|
"modified": "2016-11-02T08:00:07.000Z",
|
||
|
"description": "chaqiriq.doc - Xchecked via VT: 4ab388b1310918144ad95e418ebe12251a97cb69fbed3f0dd9f04d780ddd132d",
|
||
|
"pattern": "[file:hashes.SHA1 = 'e4ad541c4386f24a7ab6e8f9be46e5100c759704']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d07-36c0-4736-a131-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:07.000Z",
|
||
|
"modified": "2016-11-02T08:00:07.000Z",
|
||
|
"description": "chaqiriq.doc - Xchecked via VT: 4ab388b1310918144ad95e418ebe12251a97cb69fbed3f0dd9f04d780ddd132d",
|
||
|
"pattern": "[file:hashes.MD5 = '62d2cdce3736dc5d9a2f036d27ffc780']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199d07-898c-486b-8f12-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:07.000Z",
|
||
|
"modified": "2016-11-02T08:00:07.000Z",
|
||
|
"first_observed": "2016-11-02T08:00:07Z",
|
||
|
"last_observed": "2016-11-02T08:00:07Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199d07-898c-486b-8f12-593002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199d07-898c-486b-8f12-593002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/4ab388b1310918144ad95e418ebe12251a97cb69fbed3f0dd9f04d780ddd132d/analysis/1457591232/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d07-b870-4c96-a744-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:07.000Z",
|
||
|
"modified": "2016-11-02T08:00:07.000Z",
|
||
|
"description": "agahlandurushname.doc - Xchecked via VT: 7b587b104219784e9fd3dc9c13a0f652e73baed01e8c3b24828a92f151f3c698",
|
||
|
"pattern": "[file:hashes.SHA1 = '911d6bcf69b881df38971ae4c0d07c624cea9daf']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d08-c570-45d7-a8ec-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:08.000Z",
|
||
|
"modified": "2016-11-02T08:00:08.000Z",
|
||
|
"description": "agahlandurushname.doc - Xchecked via VT: 7b587b104219784e9fd3dc9c13a0f652e73baed01e8c3b24828a92f151f3c698",
|
||
|
"pattern": "[file:hashes.MD5 = '5ddded4e5686ad25a02db8ef534173f1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:08Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199d08-efcc-4637-9a08-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:08.000Z",
|
||
|
"modified": "2016-11-02T08:00:08.000Z",
|
||
|
"first_observed": "2016-11-02T08:00:08Z",
|
||
|
"last_observed": "2016-11-02T08:00:08Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199d08-efcc-4637-9a08-593002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199d08-efcc-4637-9a08-593002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/7b587b104219784e9fd3dc9c13a0f652e73baed01e8c3b24828a92f151f3c698/analysis/1458310333/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d08-6324-4078-8911-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:08.000Z",
|
||
|
"modified": "2016-11-02T08:00:08.000Z",
|
||
|
"description": "Google aqsakla Rabiye isming.doc - Xchecked via VT: 3f3d0a5aa2799d6afe74c5cb6e077e375078b173263c5ca887ffe2e22164b10f",
|
||
|
"pattern": "[file:hashes.SHA1 = '4879022a39c2917e629edffc3af1c57cf81c58ad']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:08Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d08-8cac-4304-afaf-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:08.000Z",
|
||
|
"modified": "2016-11-02T08:00:08.000Z",
|
||
|
"description": "Google aqsakla Rabiye isming.doc - Xchecked via VT: 3f3d0a5aa2799d6afe74c5cb6e077e375078b173263c5ca887ffe2e22164b10f",
|
||
|
"pattern": "[file:hashes.MD5 = '5d16e305ef6dc2db9c0ff1b498277e8c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:08Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199d09-9b1c-40a9-8c1b-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:09.000Z",
|
||
|
"modified": "2016-11-02T08:00:09.000Z",
|
||
|
"first_observed": "2016-11-02T08:00:09Z",
|
||
|
"last_observed": "2016-11-02T08:00:09Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199d09-9b1c-40a9-8c1b-593002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199d09-9b1c-40a9-8c1b-593002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/3f3d0a5aa2799d6afe74c5cb6e077e375078b173263c5ca887ffe2e22164b10f/analysis/1456781229/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d09-cb20-4457-b416-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:09.000Z",
|
||
|
"modified": "2016-11-02T08:00:09.000Z",
|
||
|
"description": "Sample matching PEHash - Xchecked via VT: 087e45f63ce00c4df07f81837eceb0b322773822feee01cfc005e5fc14e50f5e",
|
||
|
"pattern": "[file:hashes.SHA1 = '24378312a80c9be83f2b7c294a168dd8e030a8b5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:09Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199d09-e9f0-446e-85be-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:09.000Z",
|
||
|
"modified": "2016-11-02T08:00:09.000Z",
|
||
|
"first_observed": "2016-11-02T08:00:09Z",
|
||
|
"last_observed": "2016-11-02T08:00:09Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199d09-e9f0-446e-85be-593002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199d09-e9f0-446e-85be-593002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/087e45f63ce00c4df07f81837eceb0b322773822feee01cfc005e5fc14e50f5e/analysis/1442671182/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d09-2004-4f16-964d-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:09.000Z",
|
||
|
"modified": "2016-11-02T08:00:09.000Z",
|
||
|
"description": "Sample matching PEHash - Xchecked via VT: ef3e7b1c37aef1d8359169cca9409db4709632b9aa8bf44febe0d91e93ab537e",
|
||
|
"pattern": "[file:hashes.SHA1 = '94b9a2835df032a5907cdd6bac8172270a4b7282']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:09Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199d0a-66e0-416c-9dcb-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:10.000Z",
|
||
|
"modified": "2016-11-02T08:00:10.000Z",
|
||
|
"first_observed": "2016-11-02T08:00:10Z",
|
||
|
"last_observed": "2016-11-02T08:00:10Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199d0a-66e0-416c-9dcb-593002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199d0a-66e0-416c-9dcb-593002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/ef3e7b1c37aef1d8359169cca9409db4709632b9aa8bf44febe0d91e93ab537e/analysis/1462788842/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d0a-a2c4-4ab5-9e4d-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:10.000Z",
|
||
|
"modified": "2016-11-02T08:00:10.000Z",
|
||
|
"description": "Sample matching PEHash - Xchecked via VT: 444c6589ed030da41ba49d20ac38029e5213978fadef2ee94408e4f91395b488",
|
||
|
"pattern": "[file:hashes.SHA1 = '9ccf2631deab313232966ec49ddb8be4c6c4467d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:10Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199d0a-7e44-45e0-9fa5-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:10.000Z",
|
||
|
"modified": "2016-11-02T08:00:10.000Z",
|
||
|
"first_observed": "2016-11-02T08:00:10Z",
|
||
|
"last_observed": "2016-11-02T08:00:10Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199d0a-7e44-45e0-9fa5-593002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199d0a-7e44-45e0-9fa5-593002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/444c6589ed030da41ba49d20ac38029e5213978fadef2ee94408e4f91395b488/analysis/1441268734/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d0a-3c70-422f-ab84-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:10.000Z",
|
||
|
"modified": "2016-11-02T08:00:10.000Z",
|
||
|
"description": "Mutex match - Xchecked via VT: 97ec795227818fedc70fad9f2df8cb839d9fb75b502f3598614610d4e8e1be78",
|
||
|
"pattern": "[file:hashes.SHA1 = '1142f615293497837744d81e53b8490caf490c27']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:10Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199d0a-9d4c-4a30-b875-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:10.000Z",
|
||
|
"modified": "2016-11-02T08:00:10.000Z",
|
||
|
"first_observed": "2016-11-02T08:00:10Z",
|
||
|
"last_observed": "2016-11-02T08:00:10Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199d0a-9d4c-4a30-b875-593002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199d0a-9d4c-4a30-b875-593002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/97ec795227818fedc70fad9f2df8cb839d9fb75b502f3598614610d4e8e1be78/analysis/1442165720/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d0b-98f8-44bb-999b-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:11.000Z",
|
||
|
"modified": "2016-11-02T08:00:11.000Z",
|
||
|
"description": "Mutex match - Xchecked via VT: f15840fbade7a5611391193a4a53f63ef465ab451f7783da21cad7303ea3b68c",
|
||
|
"pattern": "[file:hashes.SHA1 = '9db5c270a803e98b0135d16a1fa51c212de5d07d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:11Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199d0b-a2ac-4420-aa83-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:11.000Z",
|
||
|
"modified": "2016-11-02T08:00:11.000Z",
|
||
|
"first_observed": "2016-11-02T08:00:11Z",
|
||
|
"last_observed": "2016-11-02T08:00:11Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199d0b-a2ac-4420-aa83-593002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199d0b-a2ac-4420-aa83-593002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/f15840fbade7a5611391193a4a53f63ef465ab451f7783da21cad7303ea3b68c/analysis/1442165665/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d0c-45cc-4ac6-816e-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:12.000Z",
|
||
|
"modified": "2016-11-02T08:00:12.000Z",
|
||
|
"description": "Saker/Xbox - Xchecked via VT: 3714058d90b2149169188418773165b620abd1481b47d1551d79679bfe21d28c",
|
||
|
"pattern": "[file:hashes.SHA1 = 'f2d65afc2c1f59dc0bd4e1faaa41c0c976195408']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:12Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199d0c-6ec8-4d0b-a9cc-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:12.000Z",
|
||
|
"modified": "2016-11-02T08:00:12.000Z",
|
||
|
"first_observed": "2016-11-02T08:00:12Z",
|
||
|
"last_observed": "2016-11-02T08:00:12Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199d0c-6ec8-4d0b-a9cc-593002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199d0c-6ec8-4d0b-a9cc-593002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/3714058d90b2149169188418773165b620abd1481b47d1551d79679bfe21d28c/analysis/1462960434/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d0d-41e0-4732-9124-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:13.000Z",
|
||
|
"modified": "2016-11-02T08:00:13.000Z",
|
||
|
"description": "Saker/Xbox - Xchecked via VT: c39e0fc30c2604b3eb9694591789a8e3d4cee7bcc4f9b03349e10c45304aef59",
|
||
|
"pattern": "[file:hashes.SHA1 = '2dbd9349bcfb243398648e46f9994b727642e7cd']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:13Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199d0d-5df0-4539-9c22-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:13.000Z",
|
||
|
"modified": "2016-11-02T08:00:13.000Z",
|
||
|
"first_observed": "2016-11-02T08:00:13Z",
|
||
|
"last_observed": "2016-11-02T08:00:13Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199d0d-5df0-4539-9c22-593002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199d0d-5df0-4539-9c22-593002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/c39e0fc30c2604b3eb9694591789a8e3d4cee7bcc4f9b03349e10c45304aef59/analysis/1471881852/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d0e-6504-460f-8263-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:14.000Z",
|
||
|
"modified": "2016-11-02T08:00:14.000Z",
|
||
|
"description": "Gh0stRAT LURK0 - Xchecked via VT: b625e605932196efbc6c80a18f61a71d27d82935209a1abde2ec591973fed31e",
|
||
|
"pattern": "[file:hashes.SHA1 = 'b6a78ea984a34a3ae00b5aca3445f1c12118029c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:14Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199d0e-a3a0-4794-96ac-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:14.000Z",
|
||
|
"modified": "2016-11-02T08:00:14.000Z",
|
||
|
"first_observed": "2016-11-02T08:00:14Z",
|
||
|
"last_observed": "2016-11-02T08:00:14Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199d0e-a3a0-4794-96ac-593002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199d0e-a3a0-4794-96ac-593002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/b625e605932196efbc6c80a18f61a71d27d82935209a1abde2ec591973fed31e/analysis/1462776856/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58199d0f-9834-4d37-9332-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:15.000Z",
|
||
|
"modified": "2016-11-02T08:00:15.000Z",
|
||
|
"description": "PlugX malware - Xchecked via VT: a351040c0da2837f19b357baea4bffe194b0cd0d86bf262f8be1126e3a9d44d8",
|
||
|
"pattern": "[file:hashes.SHA1 = '9a19a983e5c9db7f7675bbb93173699b12df3955']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-11-02T08:00:15Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58199d0f-7bbc-447e-8b45-593002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-11-02T08:00:15.000Z",
|
||
|
"modified": "2016-11-02T08:00:15.000Z",
|
||
|
"first_observed": "2016-11-02T08:00:15Z",
|
||
|
"last_observed": "2016-11-02T08:00:15Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58199d0f-7bbc-447e-8b45-593002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58199d0f-7bbc-447e-8b45-593002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/a351040c0da2837f19b357baea4bffe194b0cd0d86bf262f8be1126e3a9d44d8/analysis/1458560323/"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|