misp-circl-feed/feeds/circl/stix-2.1/595d508c-dc3c-49e8-8288-4a6002de0b81.json

{
"type": "bundle",
"id": "bundle--595d508c-dc3c-49e8-8288-4a6002de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:23.000Z",
"modified": "2017-07-05T20:51:23.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--595d508c-dc3c-49e8-8288-4a6002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:23.000Z",
"modified": "2017-07-05T20:51:23.000Z",
"name": "OSINT - The MeDoc Connection",
"published": "2017-07-05T20:51:47Z",
"object_refs": [
"x-misp-attribute--595d509a-d224-4645-b1ac-439102de0b81",
"observed-data--595d50a4-bd20-437d-8737-434802de0b81",
"url--595d50a4-bd20-437d-8737-434802de0b81",
"x-misp-attribute--595d50c5-f144-46fd-b6ff-46db02de0b81",
"x-misp-attribute--595d50c6-db5c-4e7e-9db0-4d1002de0b81",
"x-misp-attribute--595d50c6-569c-4921-b849-47d002de0b81",
"x-misp-attribute--595d50c6-3ab8-40f2-bf02-4c4a02de0b81",
"x-misp-attribute--595d50c6-8674-4393-aaa3-434a02de0b81",
"x-misp-attribute--595d50c6-f770-47d6-a061-496202de0b81",
"indicator--595d50d5-2328-427b-9535-4fe302de0b81",
"indicator--595d50d5-f8e8-4769-93b1-400e02de0b81",
"indicator--595d50e8-d3f0-4552-9306-437c02de0b81",
"indicator--595d50e8-307c-4a7f-b19b-4e0502de0b81",
"indicator--595d50e8-7a6c-493f-a1c8-452502de0b81",
"indicator--595d50fb-f4a8-4e59-8d73-436402de0b81",
"indicator--595d50fb-3ac8-473b-82c8-45f002de0b81",
"indicator--595d50fb-1dcc-4ac3-9755-4ff802de0b81",
"indicator--595d514c-c9ac-4ccd-bb65-499602de0b81",
"indicator--595d514c-d144-4815-98f0-4c9d02de0b81",
"observed-data--595d514c-81e4-4e91-8bc4-4be202de0b81",
"url--595d514c-81e4-4e91-8bc4-4be202de0b81",
"indicator--595d514c-a0ac-487c-a2ba-41f202de0b81",
"indicator--595d514c-4188-483d-9fd9-4a9702de0b81",
"observed-data--595d514c-1d84-4628-99a6-44a102de0b81",
"url--595d514c-1d84-4628-99a6-44a102de0b81",
"indicator--595d514c-857c-4902-81e0-455102de0b81",
"indicator--595d514c-5fe8-42ca-850a-42c002de0b81",
"observed-data--595d514c-d7c0-4e20-ba7f-4b9d02de0b81",
"url--595d514c-d7c0-4e20-ba7f-4b9d02de0b81",
"indicator--595d514c-9030-4303-9902-496d02de0b81",
"indicator--595d514c-b8bc-4293-a0ea-4dff02de0b81",
"observed-data--595d514c-c4e0-49cc-82d7-468802de0b81",
"url--595d514c-c4e0-49cc-82d7-468802de0b81",
"indicator--595d514c-0284-4d7b-9762-494a02de0b81",
"indicator--595d514c-d754-4082-9b7a-451102de0b81",
"observed-data--595d514c-3d18-431e-bcf0-457c02de0b81",
"url--595d514c-3d18-431e-bcf0-457c02de0b81",
"indicator--595d514c-0248-4f6d-a21e-422702de0b81",
"indicator--595d514c-363c-4b80-b083-469102de0b81",
"observed-data--595d514c-a394-41bb-9d53-404102de0b81",
"url--595d514c-a394-41bb-9d53-404102de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--595d509a-d224-4645-b1ac-439102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:23.000Z",
"modified": "2017-07-05T20:51:23.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "The Nyetya attack was a destructive ransomware variant that affected many organizations inside of Ukraine and multinational corporations with operations in Ukraine. In cooperation with Cisco Advanced Services Incident Response, Talos identified several key aspects of the attack. The investigation found a supply chain-focused attack at M.E.Doc software that delivered a destructive payload disguised as ransomware. By utilizing stolen credentials, the actor was able to manipulate the update server for M.E.Doc to proxy connections to an actor-controlled server. Based on the findings, Talos remains confident that the attack was destructive in nature. The effects were broad reaching, with Ukraine Cyber police confirming over 2000 affected companies in Ukraine alone."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--595d50a4-bd20-437d-8737-434802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:23.000Z",
"modified": "2017-07-05T20:51:23.000Z",
"first_observed": "2017-07-05T20:51:23Z",
"last_observed": "2017-07-05T20:51:23Z",
"number_observed": 1,
"object_refs": [
"url--595d50a4-bd20-437d-8737-434802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--595d50a4-bd20-437d-8737-434802de0b81",
"value": "http://blog.talosintelligence.com/2017/07/the-medoc-connection.html"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--595d50c5-f144-46fd-b6ff-46db02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:23.000Z",
"modified": "2017-07-05T20:51:23.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Antivirus detection\""
],
"x_misp_category": "Antivirus detection",
"x_misp_type": "text",
"x_misp_value": "W32.Ransomware.Nyetya.Talos"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--595d50c6-db5c-4e7e-9db0-4d1002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:23.000Z",
"modified": "2017-07-05T20:51:23.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Antivirus detection\""
],
"x_misp_category": "Antivirus detection",
"x_misp_type": "text",
"x_misp_value": "W32.F9D6FE8BD8.Backdoor.Ransomware.Nyetya.Talos"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--595d50c6-569c-4921-b849-47d002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:23.000Z",
"modified": "2017-07-05T20:51:23.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Antivirus detection\""
],
"x_misp_category": "Antivirus detection",
"x_misp_type": "text",
"x_misp_value": "W32.D462966166.Backdoor.Ransomware.Nyetya.Talos"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--595d50c6-3ab8-40f2-bf02-4c4a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:23.000Z",
"modified": "2017-07-05T20:51:23.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Antivirus detection\""
],
"x_misp_category": "Antivirus detection",
"x_misp_type": "text",
"x_misp_value": "W32.2FD2863D71.Backdoor.Ransomware.Nyetya.Talos"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--595d50c6-8674-4393-aaa3-434a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:23.000Z",
"modified": "2017-07-05T20:51:23.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Antivirus detection\""
],
"x_misp_category": "Antivirus detection",
"x_misp_type": "text",
"x_misp_value": "W32.02EF73BD24-95.SBX.TG"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--595d50c6-f770-47d6-a061-496202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:23.000Z",
"modified": "2017-07-05T20:51:23.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Antivirus detection\""
],
"x_misp_category": "Antivirus detection",
"x_misp_type": "text",
"x_misp_value": "W32.GenericKD:Petya.20h1.1201"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595d50d5-2328-427b-9535-4fe302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:23.000Z",
"modified": "2017-07-05T20:51:23.000Z",
"description": "MALICIOUS IP ADDRESSES:",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.31.182.167']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-05T20:51:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595d50d5-f8e8-4769-93b1-400e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:23.000Z",
"modified": "2017-07-05T20:51:23.000Z",
"description": "MALICIOUS IP ADDRESSES:",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '159.148.186.214']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-05T20:51:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595d50e8-d3f0-4552-9306-437c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:23.000Z",
"modified": "2017-07-05T20:51:23.000Z",
"description": "NYETYA MALWARE",
"pattern": "[file:hashes.SHA256 = '027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-05T20:51:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595d50e8-307c-4a7f-b19b-4e0502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:23.000Z",
"modified": "2017-07-05T20:51:23.000Z",
"description": "NYETYA MALWARE",
"pattern": "[file:hashes.SHA256 = '02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-05T20:51:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595d50e8-7a6c-493f-a1c8-452502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:23.000Z",
"modified": "2017-07-05T20:51:23.000Z",
"description": "NYETYA MALWARE",
"pattern": "[file:hashes.SHA256 = 'eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-05T20:51:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595d50fb-f4a8-4e59-8d73-436402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:23.000Z",
"modified": "2017-07-05T20:51:23.000Z",
"description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR:",
"pattern": "[file:hashes.SHA256 = 'f9d6fe8bd8aca6528dec7eaa9f1aafbecde15fd61668182f2ba8a7fc2b9a6740']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-05T20:51:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595d50fb-3ac8-473b-82c8-45f002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:23.000Z",
"modified": "2017-07-05T20:51:23.000Z",
"description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR:",
"pattern": "[file:hashes.SHA256 = 'd462966166450416d6addd3bfdf48590f8440dd80fc571a389023b7c860ca3ac']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-05T20:51:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595d50fb-1dcc-4ac3-9755-4ff802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:23.000Z",
"modified": "2017-07-05T20:51:23.000Z",
"description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR:",
"pattern": "[file:hashes.SHA256 = '2fd2863d711a1f18eeee5c7c82f2349c5d4e00465de9789da837fcdca4d00277']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-05T20:51:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595d514c-c9ac-4ccd-bb65-499602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:24.000Z",
"modified": "2017-07-05T20:51:24.000Z",
"description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR: - Xchecked via VT: 2fd2863d711a1f18eeee5c7c82f2349c5d4e00465de9789da837fcdca4d00277",
"pattern": "[file:hashes.SHA1 = '3567434e2e49358e8210674641a20b147e0bd23c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-05T20:51:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595d514c-d144-4815-98f0-4c9d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:24.000Z",
"modified": "2017-07-05T20:51:24.000Z",
"description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR: - Xchecked via VT: 2fd2863d711a1f18eeee5c7c82f2349c5d4e00465de9789da837fcdca4d00277",
"pattern": "[file:hashes.MD5 = '3efe62f6cb7285153114f888900a0962']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-05T20:51:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--595d514c-81e4-4e91-8bc4-4be202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:24.000Z",
"modified": "2017-07-05T20:51:24.000Z",
"first_observed": "2017-07-05T20:51:24Z",
"last_observed": "2017-07-05T20:51:24Z",
"number_observed": 1,
"object_refs": [
"url--595d514c-81e4-4e91-8bc4-4be202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--595d514c-81e4-4e91-8bc4-4be202de0b81",
"value": "https://www.virustotal.com/file/2fd2863d711a1f18eeee5c7c82f2349c5d4e00465de9789da837fcdca4d00277/analysis/1499286304/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595d514c-a0ac-487c-a2ba-41f202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:24.000Z",
"modified": "2017-07-05T20:51:24.000Z",
"description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR: - Xchecked via VT: d462966166450416d6addd3bfdf48590f8440dd80fc571a389023b7c860ca3ac",
"pattern": "[file:hashes.SHA1 = '7f3b1c56c180369ae7891483675bec61f3182f27']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-05T20:51:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595d514c-4188-483d-9fd9-4a9702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:24.000Z",
"modified": "2017-07-05T20:51:24.000Z",
"description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR: - Xchecked via VT: d462966166450416d6addd3bfdf48590f8440dd80fc571a389023b7c860ca3ac",
"pattern": "[file:hashes.MD5 = '87db6af04613f4bd70467720239117e5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-05T20:51:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--595d514c-1d84-4628-99a6-44a102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:24.000Z",
"modified": "2017-07-05T20:51:24.000Z",
"first_observed": "2017-07-05T20:51:24Z",
"last_observed": "2017-07-05T20:51:24Z",
"number_observed": 1,
"object_refs": [
"url--595d514c-1d84-4628-99a6-44a102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--595d514c-1d84-4628-99a6-44a102de0b81",
"value": "https://www.virustotal.com/file/d462966166450416d6addd3bfdf48590f8440dd80fc571a389023b7c860ca3ac/analysis/1499278990/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595d514c-857c-4902-81e0-455102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:24.000Z",
"modified": "2017-07-05T20:51:24.000Z",
"description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR: - Xchecked via VT: f9d6fe8bd8aca6528dec7eaa9f1aafbecde15fd61668182f2ba8a7fc2b9a6740",
"pattern": "[file:hashes.SHA1 = '7b051e7e7a82f07873fa360958acc6492e4385dd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-05T20:51:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595d514c-5fe8-42ca-850a-42c002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:24.000Z",
"modified": "2017-07-05T20:51:24.000Z",
"description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR: - Xchecked via VT: f9d6fe8bd8aca6528dec7eaa9f1aafbecde15fd61668182f2ba8a7fc2b9a6740",
"pattern": "[file:hashes.MD5 = '8f5718be4ba2c6e4f8ce1597248bb03f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-05T20:51:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--595d514c-d7c0-4e20-ba7f-4b9d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:24.000Z",
"modified": "2017-07-05T20:51:24.000Z",
"first_observed": "2017-07-05T20:51:24Z",
"last_observed": "2017-07-05T20:51:24Z",
"number_observed": 1,
"object_refs": [
"url--595d514c-d7c0-4e20-ba7f-4b9d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--595d514c-d7c0-4e20-ba7f-4b9d02de0b81",
"value": "https://www.virustotal.com/file/f9d6fe8bd8aca6528dec7eaa9f1aafbecde15fd61668182f2ba8a7fc2b9a6740/analysis/1499256049/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595d514c-9030-4303-9902-496d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:24.000Z",
"modified": "2017-07-05T20:51:24.000Z",
"description": "NYETYA MALWARE - Xchecked via VT: eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998",
"pattern": "[file:hashes.SHA1 = '56c03d8e43f50568741704aee482704a4f5005ad']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-05T20:51:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595d514c-b8bc-4293-a0ea-4dff02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:24.000Z",
"modified": "2017-07-05T20:51:24.000Z",
"description": "NYETYA MALWARE - Xchecked via VT: eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998",
"pattern": "[file:hashes.MD5 = '2813d34f6197eb4df42c886ec7f234a1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-05T20:51:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--595d514c-c4e0-49cc-82d7-468802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:24.000Z",
"modified": "2017-07-05T20:51:24.000Z",
"first_observed": "2017-07-05T20:51:24Z",
"last_observed": "2017-07-05T20:51:24Z",
"number_observed": 1,
"object_refs": [
"url--595d514c-c4e0-49cc-82d7-468802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--595d514c-c4e0-49cc-82d7-468802de0b81",
"value": "https://www.virustotal.com/file/eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998/analysis/1498939521/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595d514c-0284-4d7b-9762-494a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:24.000Z",
"modified": "2017-07-05T20:51:24.000Z",
"description": "NYETYA MALWARE - Xchecked via VT: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f",
"pattern": "[file:hashes.SHA1 = '38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-05T20:51:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595d514c-d754-4082-9b7a-451102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:24.000Z",
"modified": "2017-07-05T20:51:24.000Z",
"description": "NYETYA MALWARE - Xchecked via VT: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f",
"pattern": "[file:hashes.MD5 = '7e37ab34ecdcc3e77e24522ddfd4852d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-05T20:51:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--595d514c-3d18-431e-bcf0-457c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:24.000Z",
"modified": "2017-07-05T20:51:24.000Z",
"first_observed": "2017-07-05T20:51:24Z",
"last_observed": "2017-07-05T20:51:24Z",
"number_observed": 1,
"object_refs": [
"url--595d514c-3d18-431e-bcf0-457c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--595d514c-3d18-431e-bcf0-457c02de0b81",
"value": "https://www.virustotal.com/file/02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f/analysis/1499122164/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595d514c-0248-4f6d-a21e-422702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:24.000Z",
"modified": "2017-07-05T20:51:24.000Z",
"description": "NYETYA MALWARE - Xchecked via VT: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745",
"pattern": "[file:hashes.SHA1 = '34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-05T20:51:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595d514c-363c-4b80-b083-469102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:24.000Z",
"modified": "2017-07-05T20:51:24.000Z",
"description": "NYETYA MALWARE - Xchecked via VT: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745",
"pattern": "[file:hashes.MD5 = '71b6a493388e7d0b40c83ce903bc6b04']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-05T20:51:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--595d514c-a394-41bb-9d53-404102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-05T20:51:24.000Z",
"modified": "2017-07-05T20:51:24.000Z",
"first_observed": "2017-07-05T20:51:24Z",
"last_observed": "2017-07-05T20:51:24Z",
"number_observed": 1,
"object_refs": [
"url--595d514c-a394-41bb-9d53-404102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--595d514c-a394-41bb-9d53-404102de0b81",
"value": "https://www.virustotal.com/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/1499267430/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}