misp-circl-feed/feeds/circl/stix-2.1/58aafac5-c984-43f3-a1b9-493e950d210f.json


{
"type": "bundle",
"id": "bundle--58aafac5-c984-43f3-a1b9-493e950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:29:17.000Z",
"modified": "2017-02-20T14:29:17.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--58aafac5-c984-43f3-a1b9-493e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:29:17.000Z",
"modified": "2017-02-20T14:29:17.000Z",
"name": "OSINT - LAZARUS\u2019 FALSE FLAG MALWARE",
"published": "2017-02-20T14:32:18Z",
"object_refs": [
"observed-data--58aafaf8-405c-4b7d-8f4e-4357950d210f",
"url--58aafaf8-405c-4b7d-8f4e-4357950d210f",
"x-misp-attribute--58aafb3a-9b70-48a9-b715-4dab950d210f",
"indicator--58aafb6d-f0b0-4362-9eb4-4ced950d210f",
"indicator--58aafb6e-427c-4e7a-8919-4c2d950d210f",
"indicator--58aafb6f-8294-45f2-bacc-4de2950d210f",
"indicator--58aafb70-5898-4011-b1e4-48d8950d210f",
"indicator--58aafb70-b22c-4584-8088-456d950d210f",
"indicator--58aafb91-71a4-476f-981d-41e1950d210f",
"observed-data--58aafbc7-9d18-43b7-b027-4018950d210f",
"file--58aafbc7-9d18-43b7-b027-4018950d210f",
"artifact--58aafbc7-9d18-43b7-b027-4018950d210f",
"indicator--58aafc38-87f4-4f3e-b6b7-457c950d210f",
"indicator--58aafce1-a080-4233-ab2e-41c002de0b81",
"indicator--58aafce1-0978-4c1f-a438-485d02de0b81",
"observed-data--58aafce2-9380-439a-9174-4bcd02de0b81",
"url--58aafce2-9380-439a-9174-4bcd02de0b81",
"indicator--58aafce3-0740-4625-91da-452f02de0b81",
"indicator--58aafce4-cf48-49f6-86f7-45b902de0b81",
"observed-data--58aafce4-a3dc-4f76-b51e-4a8a02de0b81",
"url--58aafce4-a3dc-4f76-b51e-4a8a02de0b81",
"indicator--58aafce5-02c4-4787-aac4-499f02de0b81",
"indicator--58aafce6-bfe4-42e1-9581-498702de0b81",
"observed-data--58aafce7-bfa4-433b-a122-40b702de0b81",
"url--58aafce7-bfa4-433b-a122-40b702de0b81",
"indicator--58aafce7-0964-457a-bfd5-4fdc02de0b81",
"indicator--58aafce8-a700-4de1-9e84-475f02de0b81",
"observed-data--58aafce9-8adc-4463-8c5a-467a02de0b81",
"url--58aafce9-8adc-4463-8c5a-467a02de0b81",
"indicator--58aafcea-8700-4a01-99c5-4ed902de0b81",
"indicator--58aafcea-c968-4940-9c36-44d902de0b81",
"observed-data--58aafceb-7740-4c6c-97b2-4bce02de0b81",
"url--58aafceb-7740-4c6c-97b2-4bce02de0b81",
"indicator--58aafd1a-be48-4ca5-af2e-482f950d210f",
"indicator--58aafd1a-e8e8-4275-a0b3-4ceb950d210f",
"indicator--58aafd1b-7ca8-4258-a429-4787950d210f",
"indicator--58aafd1c-cc98-4a0c-9c3c-40b0950d210f",
"x-misp-attribute--58aafd3d-a418-4a76-9462-4dcb950d210f",
"x-misp-attribute--58aafd3e-eb98-4596-96f1-4b43950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58aafaf8-405c-4b7d-8f4e-4357950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:38.000Z",
"modified": "2017-02-20T14:27:38.000Z",
"first_observed": "2017-02-20T14:27:38Z",
"last_observed": "2017-02-20T14:27:38Z",
"number_observed": 1,
"object_refs": [
"url--58aafaf8-405c-4b7d-8f4e-4357950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"admiralty-scale:source-reliability=\"b\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58aafaf8-405c-4b7d-8f4e-4357950d210f",
"value": "http://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58aafb3a-9b70-48a9-b715-4dab950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:38.000Z",
"modified": "2017-02-20T14:27:38.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "We continue to investigate the recent wave of attacks on banks using watering-holes on at least two financial regulator websites as well as others. Our initial analysis of malware disclosed in the BadCyber blog hinted at the involvement of the 'Lazarus' threat actor. Since the release of our report, more samples have come to light, most notably those described in the Polish language niebezpiecznik.pl blog on 7 February 2017."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58aafb6d-f0b0-4362-9eb4-4ced950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:38.000Z",
"modified": "2017-02-20T14:27:38.000Z",
"description": "srservice.chm",
"pattern": "[file:hashes.MD5 = '9216b29114fb6713ef228370cbfe4045']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T14:27:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58aafb6e-427c-4e7a-8919-4c2d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:38.000Z",
"modified": "2017-02-20T14:27:38.000Z",
"description": "srservice.hlp",
"pattern": "[file:hashes.MD5 = '8e32fccd70cec634d13795bcb1da85ff']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T14:27:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58aafb6f-8294-45f2-bacc-4de2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:38.000Z",
"modified": "2017-02-20T14:27:38.000Z",
"description": "srservice.dll",
"pattern": "[file:hashes.MD5 = 'e29fe3c181ac9ddbb242688b151f3310']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T14:27:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58aafb70-5898-4011-b1e4-48d8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:38.000Z",
"modified": "2017-02-20T14:27:38.000Z",
"description": "fdsvc.exe",
"pattern": "[file:hashes.MD5 = '9914075cc687bdc352ee136ac6579707']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T14:27:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58aafb70-b22c-4584-8088-456d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:38.000Z",
"modified": "2017-02-20T14:27:38.000Z",
"description": "fdsvc.dll",
"pattern": "[file:hashes.MD5 = '9cc6854bc5e217104734043c89dc4ff8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T14:27:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58aafb91-71a4-476f-981d-41e1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:38.000Z",
"modified": "2017-02-20T14:27:38.000Z",
"description": "cambio.swf",
"pattern": "[file:hashes.MD5 = '6dffcfa68433f886b2e88fd984b4995a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T14:27:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58aafbc7-9d18-43b7-b027-4018950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:38.000Z",
"modified": "2017-02-20T14:27:38.000Z",
"first_observed": "2017-02-20T14:27:38Z",
"last_observed": "2017-02-20T14:27:38Z",
"number_observed": 1,
"object_refs": [
"file--58aafbc7-9d18-43b7-b027-4018950d210f",
"artifact--58aafbc7-9d18-43b7-b027-4018950d210f"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--58aafbc7-9d18-43b7-b027-4018950d210f",
"name": "schema.png",
"content_ref": "artifact--58aafbc7-9d18-43b7-b027-4018950d210f"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--58aafbc7-9d18-43b7-b027-4018950d210f",
"payload_bin": "iVBORw0KGgoAAAANSUhEUgAABkAAAAT2CAIAAAD1YvixAAAAA3NCSVQICAjb4U/gAAAAlnpUWHRSYXcgcHJvZmlsZSB0eXBlIEFQUDEAAHicVY5BDsMgDATvvIInjG0w8BxUkSpS1Vb5/6EHSNvsZaVZa9fhPp7j2G/xfby2/TFCjDFGkRpSS007UJlSMEFQoCzk073VQgJk8cFFGW9uLsV8XhhAmz2JhUxNDaTPfHV9PXf+N/L51yldmf46s1qzuth1S2w+AUD4AOdVNXTvLP3VAAAgAElEQVR4nOzdd1xTVxsH8CcJYe+wkSGg7A1uARe4J25bt3XWUWuXdVutbV/rrK27ratat3WPinsvBLfsPRJCyL7vH9emaQKIbRGsv+9f+Zxz7r3PTSImT55zDodhGAIAAAAAAAAAAKivuHUdAAAAAAAAAAAAQHWQwAIAAAAAAAAAgHoNCSwAAAAAAAAAAKjXkMACAAAAAAAAAIB6DQksAAAAAAAAAACo15DAAgAAAAAAAACAeg0JLAAAAAAAAAAAqNeQwAIAAAAAAAAAgHoNCSwAAAAAAAAAAKjXkMACAAAAAAAAAIB6DQksAAAAAAAAAACo15DAAgAAAAAAAACAes2grgMAAIDXSqVS5eTkpKam8ni8uo4FAACgVqhUqoCAACcnJy4XP9gDAPxHIIEFAPB2kUgkBw4cGD9+fF0HAgAAUIvWrl07cOBAMzOzug4EAAD+HfhFAgDg7cLhcAwNDes6CgAAgNplaGjI4XDqOgoAAPjXIIEFAAAAAAAAAAD1GhJYAAAAAAAAAABQryGBBQAAAAAAAAAA9RoWcQcAeNt1iO84deo0V1cXtVpd17EAAAC8Mi6Xm5GZ9dWSL38/c6quYwEAgNqCBBYAwNvOysoywN/Pw8OtrgMBAAD4mywszC0tzOs6CgAAqEWYQggA8LZjGLVKparrKAAAAP4+lUrFMExdRwEAALUICSwAAAAAAAAAAKjXkMACAAAAAAAAAIB6DQksAAAAAAAAAACo15DAAgAAAAAAAACAeg0JLAAAAAAAAAAAqNeQwAIAAAAAAAAAgHoNCSwAAAAAAAAAAKjXkMACAAAAAAAAAIB6DQksAAAAAAAAAACo15DAAgAAAAAAAACAeg0JLAAAAAAAAAAAqNeQwAIAAAAAAAAAgHoNCSwAAAAAAAAAAKjXkMACAAAAAAAAAIB6DQksAAAAAAAAAACo15DAAgAAAAAAAACAeg0JLAAAAAAAAAAAqNeQwAIAAAAAAAAAgHoNCSwAAAAAAAAAAKjXkMACAAAAAAAAAIB6DQksAAAAAAAAAACo15DAAgAAAAAAAACAeg0JLAAAAAAAAAAAqNeQwAIAAAAAAAAAgHoNCSwAAAAAAAAAAKjXkMACAAAAAAAAAIB6DQksAAAAAAAAAACo15DAAgAAAAAAAACAeg0JLAAAAAAAAAAAqNeQwAIAAAAAAAAAgHoNCSwAAAAAAAAAAKjXkMACAAAAAAAAAIB6DQksAAAAAAAAAACo15DAAgAAAAAAAACAeg0JLAAAAAAAAAAAqNeQwAIAAAAAAAAAgHrNoK4DAAAAAIAXxOJytVrFMIyVlVVdx1IJhmHKy8vVajWXyzU3N6/rcAAAAOAtggosAAAAgPoisV9/Kysra2vrug6kciUlpZ26dLOysoqPj6/rWAAAAODtggosAACA102pVCkUCrVapVKpGIYhIg6Hw+VyeTwDPt/AwAD/O78+crlCKq2oP/VE1lb1NHXF4nI5AltbIhIIBP/6yRmGkcpkCrnc0NDQ2Nj4Xz9/zcnl8oqKCmNjYyMjIyJSKpUSicTAwMDU1LSqQ1QqtUwmVSgUHA7H2NjY0NDwNcYLAADwVkAFFgAAwOujVKqKiouPnzw1Z+78Hj17s7U21tbWVlZW7drHfz577pnfk8rE4roO8y2yZdsOKyur7j16ZWXn1HUsb7vi4pK58xZaWVkt/nJJ
pf8KlEqlQqms7TBUKtX+/Qesra137vqVbbl167aHp8+cuXNUarX+eLVaLRSJzl+48N7YCdbW1u6eXgcOHKztIAEAAN5C+I0XAADgdWCIRELh70nnV65YefzYYSIyNjZp4Ob+R70V8+jhgyuXLxYVFno19LSoH9VAb4P5c2cT0elTJ3bs/HXa5Il1Hc5braSk+MtFC4ho//79zZq16JjQXtOlUqlyc/Pu3Es2NTWJbd2qVsMQCkXP0zMCg4I1EznLykSlJQVOjs48ru5Pv2Kx+PrNW+vWrf/5x01si5enJ8qvAAAAagMSWAAAAK/D8+dpmzZuWvbtt0JRqYenZ0R4RGRUtGfDhsbGxgxDXC43KzPjt0MH4+M7ODk51XWwb5E+fRJ/2fmLSCQMDgyo61jediYmpol9+505c6Zx48Zu7g20u1JTU4OCgrgGhiuXL6vtBJZCqRSLy5ydXezs7DUtZmaWLi4uOiMrpNJdv+4ePmwoEbVr38HI0PC33w7VamwAAABvMySwAAAAal1BYeHq1au//moJEQ0e8s6AAQPbtm1jaqK7ys+IEcP4BnxDQ35dxPiWWvzloqbNm9vZ2cXF1G5aBF7K1dVlxYrl5y9c8vfzC/D31e7icDhE1NDTg1f7K8RJpdKC/EIDAx6XyyWiouLi23fuOTjaGxoZ6Yw0NjISCGxdXRsMGjxk2LBh6WnPkMACAACoPUhgAQAA1LoD+w/8uPlHIho/YdJHMz50d3erdJhZ1UtEQy3hcbmJvXvWdRTwgpOjY59ePfTb2VwS549MVq1iGEahVDg6OTk6Or5oUavt7R2sLK10RnI4nODgkN179jaJjiSizIy02o4NAADgbYYEFgAAQO26eu36vgMH8/NzR48Z++GHH1SVvaqGWq2Wy+VKpVKpVKrVag6HY2BgwOcbGhkZ6n+fr6iokEqlfD7f1NSUy+XKZDL2WIZhDAwMjIyMjYz+XKBHKpXK5XJ2M0QDA76RsZGR3vI9EolEJpPxDAzMzcy4XK5CoZDJ5AqFnGEYDofD5/ONjIz5fN1PFOXl5TKZzNDIyNzMjGFIKq2QyWQqlcrGxob714WElCqV4o+7Y1v4fEM+38BIr+CFiMRisVwuNzI2NjM1ZRhGKpUqFAo2fj7f0MjYyJD/on6NYZiKigqlUvmi19DQ2MiIz9etbisrK1MoFAzD6G+rJ5PJFEqlXCZjn2Q+n29gYFDp7njsMPZaL54TY2N+tbVCUqlUqVTK5XIi4vF4BgZ8IyPDmm9AWVpayr4TbGxs9HuFQqFKpTIwMLC0tNTvLSoq4nK5BgYGFhYW2u1yuUIul6tUSpVKxeVy2bsw4PGqj6SiQqpQyJVKJYfD4XA4hkZGRoaGvKqPqqiQKpUKdrc+DofL5xvw+YZs1aFKpRKLxdqRq9VqiUSiUqlKSkqISKVWl4vFYrFYoVAQkZGxsamJic752Tcn+4bncrns687VW7uqGuKysju3b4eEBLMvh1hc/uz5c4FAYGmlm8AiIk8Pd08Pd/Yxu6MoAAAA1BLsQggAAFC77ty+ferECWtr2759+3h6eLzq4QqF4sbN2999v3bkyDE2NjYCgcDW1vbdd4d/v3bd4ydPVSqVzvgff/rZ1tZ22vSPsnNy0zMy1m/c3Cexv62trUAg6NU78ceft+Tk5hGRSqV68vTpipWru3XvyfYm9u3785Ztefn5OidcvXqNra3tiBGjCwoKFArF/oO/TXp/CnuIra3tmPfGHzx0uKSkVOeob/63VCAQLPziS6FQ9OTp06+/+dbXN8DOzi43N1d7mFwuP5t07pulywcMGGz7h0nvT9n805b8/AL9jMDns+YIBIIvl3wjlckePHz0zdLl7dsnsMGMGDlqz9794vJyIlIolPdTUmfPmR8X147tHTVqzN79ByWSCp0Tvj95qkAgsLOz07mWXC7fsOmnyZOnsbdpa2s7bvzEVd+t1X+BpFLp4SPHPvr4s+bNW7GDx42fePjIMZlM
VtVrWlYmXvPDhvETJgkEAoFA0LpV7Ceffn70+Em1Ws3jvfyzmUql6ty5O3stUZnubn0SiSQ6uplAIOjbt7/
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58aafc38-87f4-4f3e-b6b7-457c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:38.000Z",
"modified": "2017-02-20T14:27:38.000Z",
"description": "The file fdsvc.dll is an encrypted file, successfully decrypted into a valid DLL (MD5: 889e320cf66520485e1a0475107d7419) by the aforementioned executable fdsvc.exe.",
"pattern": "[file:hashes.MD5 = '889e320cf66520485e1a0475107d7419']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T14:27:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58aafce1-a080-4233-ab2e-41c002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:45.000Z",
"modified": "2017-02-20T14:27:45.000Z",
"description": "srservice.dll - Xchecked via VT: e29fe3c181ac9ddbb242688b151f3310",
"pattern": "[file:hashes.SHA256 = '6c1d8c4afbc7f85f05fb2e4d17e5553255b0195a0b56ba5309e362e2156debfc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T14:27:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58aafce1-0978-4c1f-a438-485d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:45.000Z",
"modified": "2017-02-20T14:27:45.000Z",
"description": "srservice.dll - Xchecked via VT: e29fe3c181ac9ddbb242688b151f3310",
"pattern": "[file:hashes.SHA1 = '7260340b7d7b08b7a9c7e27d9226e17b7170a436']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T14:27:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58aafce2-9380-439a-9174-4bcd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:46.000Z",
"modified": "2017-02-20T14:27:46.000Z",
"first_observed": "2017-02-20T14:27:46Z",
"last_observed": "2017-02-20T14:27:46Z",
"number_observed": 1,
"object_refs": [
"url--58aafce2-9380-439a-9174-4bcd02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58aafce2-9380-439a-9174-4bcd02de0b81",
"value": "https://www.virustotal.com/file/6c1d8c4afbc7f85f05fb2e4d17e5553255b0195a0b56ba5309e362e2156debfc/analysis/1487239802/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58aafce3-0740-4625-91da-452f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:47.000Z",
"modified": "2017-02-20T14:27:47.000Z",
"description": "fdsvc.exe - Xchecked via VT: 9914075cc687bdc352ee136ac6579707",
"pattern": "[file:hashes.SHA256 = 'cd10ffb7a88f0d2ec69326e7a13f00b9ed211a3a719f89a755a29494ff1142e6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T14:27:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58aafce4-cf48-49f6-86f7-45b902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:48.000Z",
"modified": "2017-02-20T14:27:48.000Z",
"description": "fdsvc.exe - Xchecked via VT: 9914075cc687bdc352ee136ac6579707",
"pattern": "[file:hashes.SHA1 = 'fa4f2e3f7c56210d1e380ec6d74a0b6dd776994b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T14:27:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58aafce4-a3dc-4f76-b51e-4a8a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:48.000Z",
"modified": "2017-02-20T14:27:48.000Z",
"first_observed": "2017-02-20T14:27:48Z",
"last_observed": "2017-02-20T14:27:48Z",
"number_observed": 1,
"object_refs": [
"url--58aafce4-a3dc-4f76-b51e-4a8a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58aafce4-a3dc-4f76-b51e-4a8a02de0b81",
"value": "https://www.virustotal.com/file/cd10ffb7a88f0d2ec69326e7a13f00b9ed211a3a719f89a755a29494ff1142e6/analysis/1487564884/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58aafce5-02c4-4787-aac4-499f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:49.000Z",
"modified": "2017-02-20T14:27:49.000Z",
"description": "fdsvc.dll - Xchecked via VT: 9cc6854bc5e217104734043c89dc4ff8",
"pattern": "[file:hashes.SHA256 = '752b8e93a8f6803b265dd3a7cd39df86997cf99900426635b1b97dd665bd7f9f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T14:27:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58aafce6-bfe4-42e1-9581-498702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:50.000Z",
"modified": "2017-02-20T14:27:50.000Z",
"description": "fdsvc.dll - Xchecked via VT: 9cc6854bc5e217104734043c89dc4ff8",
"pattern": "[file:hashes.SHA1 = '11568dffd6325ade217fbe49ce56a3ee5001cbcc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T14:27:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58aafce7-bfa4-433b-a122-40b702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:51.000Z",
"modified": "2017-02-20T14:27:51.000Z",
"first_observed": "2017-02-20T14:27:51Z",
"last_observed": "2017-02-20T14:27:51Z",
"number_observed": 1,
"object_refs": [
"url--58aafce7-bfa4-433b-a122-40b702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58aafce7-bfa4-433b-a122-40b702de0b81",
"value": "https://www.virustotal.com/file/752b8e93a8f6803b265dd3a7cd39df86997cf99900426635b1b97dd665bd7f9f/analysis/1487229167/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58aafce7-0964-457a-bfd5-4fdc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:51.000Z",
"modified": "2017-02-20T14:27:51.000Z",
"description": "cambio.swf - Xchecked via VT: 6dffcfa68433f886b2e88fd984b4995a",
"pattern": "[file:hashes.SHA256 = 'c1b29afcfddb79cfd57545b8600922150843ae2b170fff9aeacdeaa17adbf792']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T14:27:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58aafce8-a700-4de1-9e84-475f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:52.000Z",
"modified": "2017-02-20T14:27:52.000Z",
"description": "cambio.swf - Xchecked via VT: 6dffcfa68433f886b2e88fd984b4995a",
"pattern": "[file:hashes.SHA1 = 'ba5a2230ff2068b7fb22de3b83031457d18c3298']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T14:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58aafce9-8adc-4463-8c5a-467a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:53.000Z",
"modified": "2017-02-20T14:27:53.000Z",
"first_observed": "2017-02-20T14:27:53Z",
"last_observed": "2017-02-20T14:27:53Z",
"number_observed": 1,
"object_refs": [
"url--58aafce9-8adc-4463-8c5a-467a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58aafce9-8adc-4463-8c5a-467a02de0b81",
"value": "https://www.virustotal.com/file/c1b29afcfddb79cfd57545b8600922150843ae2b170fff9aeacdeaa17adbf792/analysis/1487563770/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58aafcea-8700-4a01-99c5-4ed902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:54.000Z",
"modified": "2017-02-20T14:27:54.000Z",
"description": "The file fdsvc.dll is an encrypted file, successfully decrypted into a valid DLL (MD5: 889e320cf66520485e1a0475107d7419) by the aforementioned executable fdsvc.exe. - Xchecked via VT: 889e320cf66520485e1a0475107d7419",
"pattern": "[file:hashes.SHA256 = '8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T14:27:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58aafcea-c968-4940-9c36-44d902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:54.000Z",
"modified": "2017-02-20T14:27:54.000Z",
"description": "The file fdsvc.dll is an encrypted file, successfully decrypted into a valid DLL (MD5: 889e320cf66520485e1a0475107d7419) by the aforementioned executable fdsvc.exe. - Xchecked via VT: 889e320cf66520485e1a0475107d7419",
"pattern": "[file:hashes.SHA1 = 'f5fc9d893ae99f97e43adcef49801782daced2d7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T14:27:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58aafceb-7740-4c6c-97b2-4bce02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:27:55.000Z",
"modified": "2017-02-20T14:27:55.000Z",
"first_observed": "2017-02-20T14:27:55Z",
"last_observed": "2017-02-20T14:27:55Z",
"number_observed": 1,
"object_refs": [
"url--58aafceb-7740-4c6c-97b2-4bce02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58aafceb-7740-4c6c-97b2-4bce02de0b81",
"value": "https://www.virustotal.com/file/8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1/analysis/1487179033/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58aafd1a-be48-4ca5-af2e-482f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:28:42.000Z",
"modified": "2017-02-20T14:28:42.000Z",
"pattern": "[file:name = 'cambio.xap']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T14:28:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58aafd1a-e8e8-4275-a0b3-4ceb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:28:42.000Z",
"modified": "2017-02-20T14:28:42.000Z",
"pattern": "[file:name = 'mark180789172360.ico']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T14:28:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58aafd1b-7ca8-4258-a429-4787950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:28:43.000Z",
"modified": "2017-02-20T14:28:43.000Z",
"pattern": "[file:name = 'meml102783047891.dat']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T14:28:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58aafd1c-cc98-4a0c-9c3c-40b0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:28:44.000Z",
"modified": "2017-02-20T14:28:44.000Z",
"pattern": "[file:name = 'back283671047171.dat']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T14:28:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58aafd3d-a418-4a76-9462-4dcb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:29:17.000Z",
"modified": "2017-02-20T14:29:17.000Z",
"labels": [
"misp:type=\"pattern-in-traffic\"",
"misp:category=\"Network activity\""
],
"x_misp_category": "Network activity",
"x_misp_type": "pattern-in-traffic",
"x_misp_value": "view.jsp?pagenum=1"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58aafd3e-eb98-4596-96f1-4b43950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T14:29:18.000Z",
"modified": "2017-02-20T14:29:18.000Z",
"labels": [
"misp:type=\"pattern-in-traffic\"",
"misp:category=\"Network activity\""
],
"x_misp_category": "Network activity",
"x_misp_type": "pattern-in-traffic",
"x_misp_value": "view.jsp?uid="
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}