597 lines
26 KiB
JSON
597 lines
26 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--58a883f4-a2f8-4901-9d5f-a16602de0b81",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:12.000Z",
|
||
|
"modified": "2017-02-18T17:33:12.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--58a883f4-a2f8-4901-9d5f-a16602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:12.000Z",
|
||
|
"modified": "2017-02-18T17:33:12.000Z",
|
||
|
"name": "OSINT - Demystifying targeted malware used against Polish banks",
|
||
|
"published": "2017-02-18T17:34:08Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--58a8842b-bf7c-40d9-97af-a16e02de0b81",
|
||
|
"url--58a8842b-bf7c-40d9-97af-a16e02de0b81",
|
||
|
"x-misp-attribute--58a8843f-e9b0-48c4-8081-a16302de0b81",
|
||
|
"indicator--58a884cb-05ac-4ab1-9637-568a02de0b81",
|
||
|
"indicator--58a884cc-b7ec-422b-bc5d-568a02de0b81",
|
||
|
"indicator--58a884cd-41d0-4a0d-8e45-568a02de0b81",
|
||
|
"indicator--58a884ce-8f30-41ec-8f85-568a02de0b81",
|
||
|
"indicator--58a884fe-28e0-4cdc-b437-569502de0b81",
|
||
|
"indicator--58a884ff-2798-4d65-a9dd-569502de0b81",
|
||
|
"indicator--58a884ff-76f4-4eae-8513-569502de0b81",
|
||
|
"indicator--58a88500-3b1c-4c05-97b1-569502de0b81",
|
||
|
"indicator--58a88560-396c-4bde-a174-a16a02de0b81",
|
||
|
"indicator--58a88561-131c-42f2-b22f-a16a02de0b81",
|
||
|
"observed-data--58a88562-0938-43d4-a375-a16a02de0b81",
|
||
|
"url--58a88562-0938-43d4-a375-a16a02de0b81",
|
||
|
"indicator--58a88563-fe54-45ef-b63e-a16a02de0b81",
|
||
|
"indicator--58a88564-1760-4f31-b86f-a16a02de0b81",
|
||
|
"observed-data--58a88565-c3ac-4f2a-9897-a16a02de0b81",
|
||
|
"url--58a88565-c3ac-4f2a-9897-a16a02de0b81",
|
||
|
"indicator--58a88565-e914-49da-88cd-a16a02de0b81",
|
||
|
"indicator--58a88566-647c-4069-8021-a16a02de0b81",
|
||
|
"observed-data--58a88567-7d2c-4f4a-be49-a16a02de0b81",
|
||
|
"url--58a88567-7d2c-4f4a-be49-a16a02de0b81",
|
||
|
"indicator--58a88568-4f10-4a12-9d26-a16a02de0b81",
|
||
|
"indicator--58a88569-b83c-4426-83c3-a16a02de0b81",
|
||
|
"observed-data--58a88569-82dc-4c8e-8ea9-a16a02de0b81",
|
||
|
"url--58a88569-82dc-4c8e-8ea9-a16a02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"circl:topic=\"finance\"",
|
||
|
"misp-galaxy:threat-actor=\"Lazarus Group\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58a8842b-bf7c-40d9-97af-a16e02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:12.000Z",
|
||
|
"modified": "2017-02-18T17:33:12.000Z",
|
||
|
"first_observed": "2017-02-18T17:33:12Z",
|
||
|
"last_observed": "2017-02-18T17:33:12Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58a8842b-bf7c-40d9-97af-a16e02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\"",
|
||
|
"admiralty-scale:source-reliability=\"b\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58a8842b-bf7c-40d9-97af-a16e02de0b81",
|
||
|
"value": "http://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--58a8843f-e9b0-48c4-8081-a16302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:12.000Z",
|
||
|
"modified": "2017-02-18T17:33:12.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\"",
|
||
|
"admiralty-scale:source-reliability=\"b\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "Hot news about successful attacks on Polish banks appeared recently on the Polish security portal ZaufanaTrzeciaStrona.pl (translated in English here). The impact of the attacks was described dramatically with adjectives like \u00e2\u20ac\u0153the most serious\u00e2\u20ac\u009d. The initial reports were very recently supported by two blogposts by Symantec and BAE Systems. The nationalities of affected institutions were extended also to Mexico and Uruguay, with even more high-profile targets in the attackers\u00e2\u20ac\u2122 viewfinder that are located worldwide. There are many interesting aspects to these attacks starting from the targets, moving on to the vector of compromise, right up to the specific features of the malicious executables used. While the first two aspects have been quite thoroughly examined so far, the malicious binaries involved haven\u00e2\u20ac\u2122t received much attention so far. The purpose of this blog post is to deliver technical details of this as-yet minimally documented malware."
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a884cb-05ac-4ab1-9637-568a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:12.000Z",
|
||
|
"modified": "2017-02-18T17:33:12.000Z",
|
||
|
"description": "Win64/Spy.Banker.AX\tDropper;gpsvc.exe",
|
||
|
"pattern": "[file:hashes.SHA1 = 'bedceafa2109139c793cb158cec9fa48f980ff2b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-18T17:33:12Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a884cc-b7ec-422b-bc5d-568a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:12.000Z",
|
||
|
"modified": "2017-02-18T17:33:12.000Z",
|
||
|
"description": "Win64/Spy.Banker.AX\tEnigma-protected loader",
|
||
|
"pattern": "[file:hashes.SHA1 = 'aa115e6587a535146b7493d6c02896a7d322879e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-18T17:33:12Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a884cd-41d0-4a0d-8e45-568a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:12.000Z",
|
||
|
"modified": "2017-02-18T17:33:12.000Z",
|
||
|
"description": "Win64/Spy.Banker.AX\tEnigma-protected module; RAT; libcurl v. 7.47.",
|
||
|
"pattern": "[file:hashes.SHA1 = 'a107f1046f5224fdb3a5826fa6f940a981fe65a1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-18T17:33:12Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a884ce-8f30-41ec-8f85-568a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:12.000Z",
|
||
|
"modified": "2017-02-18T17:33:12.000Z",
|
||
|
"description": "Win32/Spy.Banker.ADQH\t32-bit Enigma-protected dropper;gpsvc.exe",
|
||
|
"pattern": "[file:hashes.SHA1 = '4f0d7a33d23d53c0eb8b34d102cdd660fc5323a2']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-18T17:33:12Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a884fe-28e0-4cdc-b437-569502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:12.000Z",
|
||
|
"modified": "2017-02-18T17:33:12.000Z",
|
||
|
"description": "Win64/Spy.Banker.AX\tDropper;fdsvc.exe",
|
||
|
"pattern": "[file:hashes.SHA1 = 'fa4f2e3f7c56210d1e380ec6d74a0b6dd776994b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-18T17:33:12Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a884ff-2798-4d65-a9dd-569502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:12.000Z",
|
||
|
"modified": "2017-02-18T17:33:12.000Z",
|
||
|
"description": "Win64/Spy.Banker.AX\tEncrypted module;fdsvc.dll",
|
||
|
"pattern": "[file:hashes.SHA1 = '11568dffd6325ade217fbe49ce56a3ee5001cbcc']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-18T17:33:12Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a884ff-76f4-4eae-8513-569502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:12.000Z",
|
||
|
"modified": "2017-02-18T17:33:12.000Z",
|
||
|
"description": "Win64/Spy.Banker.AX\tDecrypted module; RAT;libcurl v. 7.49.1 (*)",
|
||
|
"pattern": "[file:hashes.SHA1 = 'e45ca027635f904101683413dd58fbd64d602ebe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-18T17:33:12Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a88500-3b1c-4c05-97b1-569502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:12.000Z",
|
||
|
"modified": "2017-02-18T17:33:12.000Z",
|
||
|
"description": "Win32/Spy.Banker.ADRO\t32-bit module; RAT;libcurl v. 7.49.1",
|
||
|
"pattern": "[file:hashes.SHA1 = '50b4f9a8fa6803f0aabb6fd9374244af40c2ba4c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-18T17:33:12Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a88560-396c-4bde-a174-a16a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:20.000Z",
|
||
|
"modified": "2017-02-18T17:33:20.000Z",
|
||
|
"description": "Win32/Spy.Banker.ADRO\t32-bit module; RAT;libcurl v. 7.49.1 - Xchecked via VT: 50b4f9a8fa6803f0aabb6fd9374244af40c2ba4c",
|
||
|
"pattern": "[file:hashes.SHA256 = 'a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-18T17:33:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a88561-131c-42f2-b22f-a16a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:21.000Z",
|
||
|
"modified": "2017-02-18T17:33:21.000Z",
|
||
|
"description": "Win32/Spy.Banker.ADRO\t32-bit module; RAT;libcurl v. 7.49.1 - Xchecked via VT: 50b4f9a8fa6803f0aabb6fd9374244af40c2ba4c",
|
||
|
"pattern": "[file:hashes.MD5 = '40e698f961eb796728a57ddf81f52b9a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-18T17:33:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58a88562-0938-43d4-a375-a16a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:22.000Z",
|
||
|
"modified": "2017-02-18T17:33:22.000Z",
|
||
|
"first_observed": "2017-02-18T17:33:22Z",
|
||
|
"last_observed": "2017-02-18T17:33:22Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58a88562-0938-43d4-a375-a16a02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58a88562-0938-43d4-a375-a16a02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118/analysis/1487306631/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a88563-fe54-45ef-b63e-a16a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:23.000Z",
|
||
|
"modified": "2017-02-18T17:33:23.000Z",
|
||
|
"description": "Win64/Spy.Banker.AX\tEncrypted module;fdsvc.dll - Xchecked via VT: 11568dffd6325ade217fbe49ce56a3ee5001cbcc",
|
||
|
"pattern": "[file:hashes.SHA256 = '752b8e93a8f6803b265dd3a7cd39df86997cf99900426635b1b97dd665bd7f9f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-18T17:33:23Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a88564-1760-4f31-b86f-a16a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:24.000Z",
|
||
|
"modified": "2017-02-18T17:33:24.000Z",
|
||
|
"description": "Win64/Spy.Banker.AX\tEncrypted module;fdsvc.dll - Xchecked via VT: 11568dffd6325ade217fbe49ce56a3ee5001cbcc",
|
||
|
"pattern": "[file:hashes.MD5 = '9cc6854bc5e217104734043c89dc4ff8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-18T17:33:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58a88565-c3ac-4f2a-9897-a16a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:25.000Z",
|
||
|
"modified": "2017-02-18T17:33:25.000Z",
|
||
|
"first_observed": "2017-02-18T17:33:25Z",
|
||
|
"last_observed": "2017-02-18T17:33:25Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58a88565-c3ac-4f2a-9897-a16a02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58a88565-c3ac-4f2a-9897-a16a02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/752b8e93a8f6803b265dd3a7cd39df86997cf99900426635b1b97dd665bd7f9f/analysis/1487229167/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a88565-e914-49da-88cd-a16a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:25.000Z",
|
||
|
"modified": "2017-02-18T17:33:25.000Z",
|
||
|
"description": "Win64/Spy.Banker.AX\tDropper;fdsvc.exe - Xchecked via VT: fa4f2e3f7c56210d1e380ec6d74a0b6dd776994b",
|
||
|
"pattern": "[file:hashes.SHA256 = 'cd10ffb7a88f0d2ec69326e7a13f00b9ed211a3a719f89a755a29494ff1142e6']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-18T17:33:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a88566-647c-4069-8021-a16a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:26.000Z",
|
||
|
"modified": "2017-02-18T17:33:26.000Z",
|
||
|
"description": "Win64/Spy.Banker.AX\tDropper;fdsvc.exe - Xchecked via VT: fa4f2e3f7c56210d1e380ec6d74a0b6dd776994b",
|
||
|
"pattern": "[file:hashes.MD5 = '9914075cc687bdc352ee136ac6579707']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-18T17:33:26Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58a88567-7d2c-4f4a-be49-a16a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:27.000Z",
|
||
|
"modified": "2017-02-18T17:33:27.000Z",
|
||
|
"first_observed": "2017-02-18T17:33:27Z",
|
||
|
"last_observed": "2017-02-18T17:33:27Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58a88567-7d2c-4f4a-be49-a16a02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58a88567-7d2c-4f4a-be49-a16a02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/cd10ffb7a88f0d2ec69326e7a13f00b9ed211a3a719f89a755a29494ff1142e6/analysis/1487398403/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a88568-4f10-4a12-9d26-a16a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:28.000Z",
|
||
|
"modified": "2017-02-18T17:33:28.000Z",
|
||
|
"description": "Win32/Spy.Banker.ADQH\t32-bit Enigma-protected dropper;gpsvc.exe - Xchecked via VT: 4f0d7a33d23d53c0eb8b34d102cdd660fc5323a2",
|
||
|
"pattern": "[file:hashes.SHA256 = 'd4616f9706403a0d5a2f9a8726230a4693e4c95c58df5c753ccc684f1d3542e2']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-18T17:33:28Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a88569-b83c-4426-83c3-a16a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:29.000Z",
|
||
|
"modified": "2017-02-18T17:33:29.000Z",
|
||
|
"description": "Win32/Spy.Banker.ADQH\t32-bit Enigma-protected dropper;gpsvc.exe - Xchecked via VT: 4f0d7a33d23d53c0eb8b34d102cdd660fc5323a2",
|
||
|
"pattern": "[file:hashes.MD5 = '85d316590edfb4212049c4490db08c4b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-18T17:33:29Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58a88569-82dc-4c8e-8ea9-a16a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-18T17:33:29.000Z",
|
||
|
"modified": "2017-02-18T17:33:29.000Z",
|
||
|
"first_observed": "2017-02-18T17:33:29Z",
|
||
|
"last_observed": "2017-02-18T17:33:29Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58a88569-82dc-4c8e-8ea9-a16a02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58a88569-82dc-4c8e-8ea9-a16a02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/d4616f9706403a0d5a2f9a8726230a4693e4c95c58df5c753ccc684f1d3542e2/analysis/1487344075/"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|