misp-circl-feed/feeds/circl/stix-2.1/5a3faeda-9524-4a8c-a329-b4d302de0b81.json

636 lines
3.8 MiB
JSON
Raw Permalink Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5a3faeda-9524-4a8c-a329-b4d302de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-05-24T09:45:58.000Z",
"modified": "2021-05-24T09:45:58.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5a3faeda-9524-4a8c-a329-b4d302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-05-24T09:45:58.000Z",
"modified": "2021-05-24T09:45:58.000Z",
"name": "OSINT - Repository containting orignal and decompiled files of TRISIS/TRITON/HATMAN malware",
"published": "2021-05-25T07:05:15Z",
"object_refs": [
"indicator--5a3faf9a-f514-4358-8ace-b1e202de0b81",
"indicator--5a3fafbc-3504-43c9-be65-4e4d02de0b81",
"observed-data--5a3faff3-8d78-430b-9d19-4cc702de0b81",
"user-account--5a3faff3-8d78-430b-9d19-4cc702de0b81",
"observed-data--5a3fb014-cacc-4379-9b55-4e7102de0b81",
"url--5a3fb014-cacc-4379-9b55-4e7102de0b81",
"observed-data--5a3fb039-5e74-435d-8157-b4d302de0b81",
"url--5a3fb039-5e74-435d-8157-b4d302de0b81",
"observed-data--5a3fb104-c860-4517-a674-b3a102de0b81",
"file--5a3fb104-c860-4517-a674-b3a102de0b81",
"artifact--5a3fb104-c860-4517-a674-b3a102de0b81",
"indicator--043762e7-6aa0-4a14-83d2-81a2109b7490",
"indicator--185d44d0-544a-4e42-839f-d6502950565c",
"indicator--e40170d2-b26f-424f-a788-196651e787fb",
"observed-data--157e2cb3-598b-4663-af34-28358808dd9d",
"file--5a23f9e1-beec-5637-b8ae-3f5160686a66",
"x-misp-object--1f1c1f68-c9e7-43e0-9779-98ba4c889dbe",
"x-misp-object--11861108-bcc4-4e10-9cb9-9d3a3acf27df",
"x-misp-object--5e60369b-411a-40af-92f1-18e01ca64a63",
"x-misp-object--7dbb436b-9e54-4d16-89e8-05f54984e2d0"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"TRISIS\"",
"veris:asset:variety=\"S - SCADA\"",
"circl:topic=\"industry\"",
"admiralty-scale:information-credibility=\"2\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3faf9a-f514-4358-8ace-b1e202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-12T16:56:07.000Z",
"modified": "2018-02-12T16:56:07.000Z",
"description": "Yara rules to match the known binary components of the HatMan malware targeting Triconex safety controllers. Any matching components should hit using the \"hatman\" rule in addition to a more specific \"hatman_*\" rule.",
"pattern": "[/*\r\n * DESCRIPTION: Yara rules to match the known binary components of the HatMan\r\n * malware targeting Triconex safety controllers. Any matching\r\n * components should hit using the \"hatman\" rule in addition to a\r\n * more specific \"hatman_*\" rule.\r\n * AUTHOR: DHS/NCCIC/ICS-CERT\r\n */\r\n\r\n/* Globally only look at small files. */\r\n\r\nprivate global rule hatman_filesize : hatman {\r\n condition:\r\n filesize < 100KB\r\n}\r\n\r\n/* Private rules that are used at the end in the public rules. */\r\n\r\nprivate rule hatman_setstatus : hatman {\r\n strings:\r\n $preset = { 80 00 40 3c 00 00 62 80 40 00 80 3c 40 20 03 7c \r\n ?? ?? 82 40 04 00 62 80 60 00 80 3c 40 20 03 7c \r\n ?? ?? 82 40 ?? ?? 42 38 }\r\n condition:\r\n $preset\r\n}\r\nprivate rule hatman_memcpy : hatman {\r\n strings:\r\n $memcpy_be = { 7c a9 03 a6 38 84 ff ff 38 63 ff ff 8c a4 00 01 \r\n 9c a3 00 01 42 00 ff f8 4e 80 00 20 }\r\n $memcpy_le = { a6 03 a9 7c ff ff 84 38 ff ff 63 38 01 00 a4 8c\r\n 01 00 a3 9c f8 ff 00 42 20 00 80 4e }\r\n condition:\r\n $memcpy_be or $memcpy_le\r\n}\r\nprivate rule hatman_dividers : hatman {\r\n strings:\r\n $div1 = { 9a 78 56 00 }\r\n $div2 = { 34 12 00 00 }\r\n condition:\r\n $div1 and $div2\r\n}\r\nprivate rule hatman_nullsub : hatman {\r\n strings:\r\n $nullsub = { ff ff 60 38 02 00 00 44 20 00 80 4e }\r\n condition:\r\n $nullsub\r\n}\r\nprivate rule hatman_origaddr : hatman {\r\n strings:\r\n $oaddr_be = { 3c 60 00 03 60 63 96 f4 4e 80 00 20 }\r\n $oaddr_le = { 03 00 60 3c f4 96 63 60 20 00 80 4e }\r\n condition:\r\n $oaddr_be or $oaddr_le\r\n}\r\nprivate rule hatman_origcode : hatman {\r\n strings:\r\n $ocode_be = { 3c 00 00 03 60 00 a0 b0 7c 09 03 a6 4e 80 04 20 }\r\n $ocode_le = { 03 00 00 3c b0 a0 00 60 a6 03 09 7c 20 04 80 4e }\r\n condition:\r\n $ocode_be or $ocode_le\r\n}\r\nprivate rule hatman_mftmsr : hatman {\r\n strings:\r\n $mfmsr_be = { 7c 63 00 a6 }\r\n $mfmsr_le = { a6 00 63 7c }\r\n $mtmsr_be = { 7c 63 01 24 }\r\n $mtmsr_le = { 24 01 63 7c }\r\n condition:\r\n ($mfmsr_be and $mtmsr_be) or ($mfmsr_le and $mtmsr_le)\r\n}\r\nprivate rule hatman_loadoff : hatman {\r\n strings:\r\n $loadoff_be = { 80 60 00 04 48 00 ?? ?? 70 60 ff ff 28 00 00 00\r\n 40 82 ?? ?? 28 03 00 00 41 82 ?? ?? }\r\n $loadoff_le = { 04 00 60 80 ?? ?? 00 48 ff ff 60 70 00 00 00 28 \r\n ?? ?? 82 40 00 00 03 28 ?? ?? 82 41 }\r\n condition:\r\n $loadoff_be or $loadoff_le\r\n}\r\nprivate rule hatman_injector_int : hatman {\r\n condition:\r\n hatman_memcpy and hatman_origaddr and hatman_loadoff\r\n}\r\nprivate rule hatman_payload_int : hatman {\r\n condition:\r\n hatman_memcpy and hatman_origcode and hatman_mftmsr\r\n}\r\n\r\n/* Actual public rules to match using the private rules. */\r\n\r\nrule hatman_compiled_python : hatman {\r\n condition:\r\n hatman_nullsub and hatman_setstatus and hatman_dividers\r\n}\r\nrule hatman_injector : hatman {\r\n condition:\r\n hatman_injector_int and not hatman_payload_int\r\n}\r\nrule hatman_payload : hatman {\r\n condition:\r\n hatman_payload_int and not hatman_injector_int\r\n}\r\nrule hatman_combined : hatman {\r\n condition:\r\n hatman_injector_int and hatman_payload_int and hatman_dividers\r\n}\r\nrule hatman : hatman {\r\n meta:\r\n author = \"DHS/NCCIC/ICS-CERT\"\r\n description = \"Matches the known samples of the HatMan malware.\"\r\n condition:\r\n hatman_compiled_python or hatman_injector or hatman_payload\r\n
"pattern_type": "yara",
2023-12-14 14:30:15 +00:00
"pattern_version": "2.1",
2023-04-21 14:44:17 +00:00
"valid_from": "2018-02-12T16:56:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3fafbc-3504-43c9-be65-4e4d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-12T16:56:07.000Z",
"modified": "2018-02-12T16:56:07.000Z",
"description": "mandiant.yara",
"pattern": "[rule TRITON_ICS_FRAMEWORK\r\n{\r\n meta:\r\n author = \"nicholas.carr @itsreallynick\"\r\n md5 = \"0face841f7b2953e7c29c064d6886523\"\r\n description = \"TRITON framework recovered during Mandiant ICS incident response\"\r\n strings:\r\n $python_compiled = \".pyc\" nocase ascii wide\r\n $python_module_01 = \"__module__\" nocase ascii wide\r\n $python_module_02 = \"<module>\" nocase ascii wide\r\n $python_script_01 = \"import Ts\" nocase ascii wide\r\n $python_script_02 = \"def ts_\" nocase ascii wide \r\n\r\n $py_cnames_01 = \"TS_cnames.py\" nocase ascii wide\r\n $py_cnames_02 = \"TRICON\" nocase ascii wide\r\n $py_cnames_03 = \"TriStation \" nocase ascii wide\r\n $py_cnames_04 = \" chassis \" nocase ascii wide \r\n\r\n $py_tslibs_01 = \"GetCpStatus\" nocase ascii wide\r\n $py_tslibs_02 = \"ts_\" ascii wide\r\n $py_tslibs_03 = \" sequence\" nocase ascii wide\r\n $py_tslibs_04 = /import Ts(Hi|Low|Base)[^:alpha:]/ nocase ascii wide\r\n $py_tslibs_05 = /module\\s?version/ nocase ascii wide\r\n $py_tslibs_06 = \"bad \" nocase ascii wide\r\n $py_tslibs_07 = \"prog_cnt\" nocase ascii wide \r\n\r\n $py_tsbase_01 = \"TsBase.py\" nocase ascii wide\r\n $py_tsbase_02 = \".TsBase(\" nocase ascii wide \r\n \r\n $py_tshi_01 = \"TsHi.py\" nocase ascii wide\r\n $py_tshi_02 = \"keystate\" nocase ascii wide\r\n $py_tshi_03 = \"GetProjectInfo\" nocase ascii wide\r\n $py_tshi_04 = \"GetProgramTable\" nocase ascii wide\r\n $py_tshi_05 = \"SafeAppendProgramMod\" nocase ascii wide\r\n $py_tshi_06 = \".TsHi(\" ascii nocase wide \r\n\r\n $py_tslow_01 = \"TsLow.py\" nocase ascii wide\r\n $py_tslow_02 = \"print_last_error\" ascii nocase wide\r\n $py_tslow_03 = \".TsLow(\" ascii nocase wide\r\n $py_tslow_04 = \"tcm_\" ascii wide\r\n $py_tslow_05 = \" TCM found\" nocase ascii wide \r\n\r\n $py_crc_01 = \"crc.pyc\" nocase ascii wide\r\n $py_crc_02 = \"CRC16_MODBUS\" ascii wide\r\n $py_crc_03 = \"Kotov Alaxander\" nocase ascii wide\r\n $py_crc_04 = \"CRC_CCITT_XMODEM\" ascii wide\r\n $py_crc_05 = \"crc16ret\" ascii wide\r\n $py_crc_06 = \"CRC16_CCITT_x1D0F\" ascii wide\r\n $py_crc_07 = /CRC16_CCITT[^_]/ ascii wide \r\n\r\n $py_sh_01 = \"sh.pyc\" nocase ascii wide \r\n\r\n $py_keyword_01 = \" FAILURE\" ascii wide\r\n $py_keyword_02 = \"symbol table\" nocase ascii wide \r\n\r\n $py_TRIDENT_01 = \"inject.bin\" ascii nocase wide\r\n $py_TRIDENT_02 = \"imain.bin\" ascii nocase wide \r\n\r\n condition:\r\n 2 of ($python_*) and 7 of ($py_*) and filesize < 3MB\r\n}]",
"pattern_type": "yara",
2023-12-14 14:30:15 +00:00
"pattern_version": "2.1",
2023-04-21 14:44:17 +00:00
"valid_from": "2018-02-12T16:56:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a3faff3-8d78-430b-9d19-4cc702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-12T16:56:07.000Z",
"modified": "2018-02-12T16:56:07.000Z",
"first_observed": "2018-02-12T16:56:07Z",
"last_observed": "2018-02-12T16:56:07Z",
"number_observed": 1,
"object_refs": [
"user-account--5a3faff3-8d78-430b-9d19-4cc702de0b81"
],
"labels": [
"misp:type=\"github-username\"",
"misp:category=\"Social network\""
]
},
{
"type": "user-account",
"spec_version": "2.1",
"id": "user-account--5a3faff3-8d78-430b-9d19-4cc702de0b81",
"account_login": "ICSrepo",
"account_type": "github"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a3fb014-cacc-4379-9b55-4e7102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-12T16:56:07.000Z",
"modified": "2018-02-12T16:56:07.000Z",
"first_observed": "2018-02-12T16:56:07Z",
"last_observed": "2018-02-12T16:56:07Z",
"number_observed": 1,
"object_refs": [
"url--5a3fb014-cacc-4379-9b55-4e7102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"source-code-repository\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a3fb014-cacc-4379-9b55-4e7102de0b81",
"value": "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a3fb039-5e74-435d-8157-b4d302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-12T16:56:07.000Z",
"modified": "2018-02-12T16:56:07.000Z",
"first_observed": "2018-02-12T16:56:07Z",
"last_observed": "2018-02-12T16:56:07Z",
"number_observed": 1,
"object_refs": [
"url--5a3fb039-5e74-435d-8157-b4d302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"source-code-repository\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a3fb039-5e74-435d-8157-b4d302de0b81",
"value": "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN/tree/master/decompiled_code"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a3fb104-c860-4517-a674-b3a102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-12T16:56:07.000Z",
"modified": "2018-02-12T16:56:07.000Z",
"first_observed": "2018-02-12T16:56:07Z",
"last_observed": "2018-02-12T16:56:07Z",
"number_observed": 1,
"object_refs": [
"file--5a3fb104-c860-4517-a674-b3a102de0b81",
"artifact--5a3fb104-c860-4517-a674-b3a102de0b81"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5a3fb104-c860-4517-a674-b3a102de0b81",
"name": "TRISIS-TRITON-HATMAN-repo-decompiled-code.tar.gz",
"content_ref": "artifact--5a3fb104-c860-4517-a674-b3a102de0b81"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5a3fb104-c860-4517-a674-b3a102de0b81",
"payload_bin": "H4sIANiwP1oAA+w8CXAc1ZW2CQWeAHEChLCE8CNjWxqsmb57RobYQhJY2GMbScaAbYY/3X80ve7pHrp7JAvLrCHmcDiXY7GDca1ZY2KoBMxyeNkNwUAVLISzigJCwsKyhcmGLDcpYAv2/d89l6TxjGyXqCzzS7b6eO+/+/33j1ZfT3dvd29rX0933+JFrfPb+xLti6KTDmzjoKmyTH/zqsyV/y60Sbwo8KoqcoIsTeJ4UVSFSUg+wHyM2fKuhx2EJmE9b+J8dbha7/9KW99Y9u/pau9MdEWy+oGhQQ2sSFI1+ys8p46wv6SAuyDuwJDfe/uG23/6dOS7AIoi3wngYj72EthCCWwOYoegHpKzXcOznaFQaDogdBJXc4ycZ9hWKNSXMVzkFCGQZlseNiwX2Y7Rb1jYRC7O5kziImzpSCeanc0ZJtGRa+cdDR7baZQNCGHPw9oqw+qHXrJZ2zKHUN4FUMNC3ZYOlnIM6K8DKDi2iXqHXI9kXdTc3dHbgsJ9jgG0yeow6sVp4g0BCiDks8TyoAsfGDWDpC2MR+jBJI4bQafZDsraQN2w0raTxVQsBALCe+TZqCm8kGAHlAEg4aZIKNSFtQwI148t40IfWGf6SFG+PaqNgjjANlWM47m+GBjpRjpNHOAIWThLULOv+qiv+Kiv9hafJS+DPUDHrm3NhhtC+3ORZSOQcXagH78X4BoZHnAGeKZOHBQuqD4ZqD48hlXSBrUJ4ys1RAkU2WaUNTtvwhvae95iFqAgg4apt4VCw2gRJey3YZTolNFe2zCzGaM/DiQg01psqPxm7DYapC4kIAN+Zdr9EfVCyhiXkoiqkJiUxpKu4LjKK3osDjlKERQdx1OoCE9Wk4I0iibGNTEtYS6mi7oaSwskFVdFHJdSuqryMUbGNFIOdoYonWGkKumYpIuYEFlMCTFZkVVZi6dlGXBiKlFRCf5CIxeQ4dJYA874tJoS4rJIVE2Ia5BbdSUWU2RBZGSMLGiaCQMYOq+KJMbxClHFNJcWNF5NyZBqscjzQJigAjy4b9E2kqimeVFOYV6Nx+U4lmOcxAtEBkIiKCLNyGDT9IlQDFlSBRIniq6mtZQIwKIQU2JqjPBpoqVjMoC0mwWnwyl7gBJu3bsDUBcIUSzsaBljgCKCd7pEyzvgtIOGl0E57LqDtqO3oTBEL9Eg0sOhUCEMSskmqdk6KYuCsjSUG/IyEEmMs9mF8PBoLKcdO4vCJVuHGRBLY+Ey04QL/BXyAI10KiELlMWsw4Jie4ibN72xAiRBgA197zGwF3+u9qbcvZm7DiM/dyc94nqR3FA5D3krNyRQqJPgkipoyCRKhedSTxxGpzErglRpX9HBW9ZDEa3SjAWTDGEHJ518ZU6iDxF7iJpZ8ulGOIswS0Z2ugX06oFpR6ZXpl7KSrkI7XlQo1M7ndRIDgw6C5Y2sOVFGH/DaJ7huZCQTXPIMrRVqDkRvG/xo05zWzXiFKE75/dGF3V0dHdEYXhq7ejq6StTBx1Fl2WG0JJ8yjTcDIg2F3W71iwPEjnSsdVPHDvvzg2Fem3IszliQxYv5GCa+vOWAQPcIB0UHGy4vmroAOHmg/ydK/bM3tQYg7NGf8aj2b5IO0KN0O8QAMpbnmHSXlzik7TsoH+NQmXwQGGUYDxYmpnXAS1d8BLgxoRxzEPeoB3gwcCOB7Bh4hTIFTAx22c8S7BF+RyCcQ5pUIXo9qBl2linqjHSaJVlD6JBNh7C6OwSGnwRUCagUt+AUXo2MJUipkEGAl2UD9ZuNNDmYMYuDXKMD+jOITAgUkJUT0wwpnGcwynDpCoHGJ3kTHuIcQOy0SHaDAoXHwOb8EgHATUQilUvIL9N7WCALXG/HUEja6YsXkVV5fl1iI9oUJbo0F6yN2UKa1gnWQMz/n2zQQJcBVUB5PGcYw9Qi+skTSyXatbMM6EZqotpDnWpRzFWAMW0bVZuUTpFt4CiyPdQv/ChPEGshVkZ6Hi0Wuh0QAwXHiKU8byc2xaN6uxRBLqIpiDZRCHnuIYbDaYXHB/J6enKTgrhg5pPMxzSNURaKjocHByMpOEFGSJlvWZAt16rQ3y7RwWYSER5IerrHzhv9a3TapHBVhqR/ovWtAP1CtVTK/Dl2VYk42XNSnaKUdrMoraSmWJw54Pf/fZAFIxH3CjoGkNOjzJ3j+q2xipON5po72nl1VZRFkD6GQLnF3czuoQZMW5GXPJrVHjuF6Zw0Yedfkh0OlwGhXeyV+ZiHQXNLSMwRMNUZWz9D4BFbaYoQYpxsqpIXAiwwu0W1NA5HQOr1HmpO5c5Hs2wQClr0mRiAjYJw/jJijXNa0OU7DwdonlVFjuhIGNrXjP2WuCBZljsHaX6dU9jGm0f25jz/9IofUCWgsa//iPLEtdY/5mIVsv+FUXQPtKosf4j84JUaX+BE3ixsf4zEY1aOVj4ScIQmDytpz3RtWxxz4LQmpBfrmaJh9tCpUIa+yX2KagJyuCMbWIY9bHjjCiPm8owsrpMwWtNXstR9NISE0UNVqaKwziMYRrMsOg8UM87tIIpVhMgBK1BDZ2uskChkIPyhxS6pitIVr9bLs6J/gQwWayJgRzMi7QmKHM1DEUUdjXDgOmmTsbAytrgFiTJ8RQtWbhNjg9ZoMgn+3c/qQ81mMT5dKHwo0VMnzs+XEYWyhfkuWMxjFCoEjmp0eUmNyDa1xvcg7Jq0i2iCoE1OxYvqh9JZEiO0ev56231Y0oUE2kZDPW0OxbeaCE9F6azBSFPJ15HjpLN19ZtEZPJyHRaE5RJBpOYC/LE0kj9JKhc0aLZm+cbwwvtweFTAbdl+Xlt2MxlcNvKaN3d0fCM+v63wp0LceWCmutHV6gUKZih1S+ASlFgutIPpvLqtEsKQArO51JZ6/K8Ah6zSsRHbB6LYglvVA8Zo0h3vlEnVYrDaK4iUOFD/V0vkhg43hLH/luied1W2q4XVSqh9kOq7KPT2npxWYqms5L2XI5YetBFwtbr7UAJFDzfaC54foBYNdDswaJewX/rVCzDEnz/MSwvCQOQlySOYztjkB0bWwxYBaJj8To2ElOup2VrxDUFZbpEfR0Jf12kvuTqaIEy4KquAchHYZro6OnglWRiceepS3v3wh5DYMIvsD17ALWbeDWMm8Spk5YU0ErCDLmvL3k2EOxK1KInBzLxikO8WsBKSRqfxmq+kzutFhbNJtEyrOXnJSH77U3bbiZQtpupouvROBDIdK05QESntXcvXNrTtRfeigjMRu5QNmWbyKsSlKPpwTDZ2bWorzDIWzQb0GX62h5bxBT88iBY399rWMLcXjfo8FpeHAl0d665UDiEW9g6klp4WHjAlj6MCwk6GYmJU0Nrv+6attHqb7XmfxXL2vtIo8b8TxVkYeT8jxcb+/8T0qLhEAqjzq7ejp7uJX3dixe1oXNK2zGejbLY0zJs3ZCuvFuILULSbX6oPi260kmzAX3tL3DS3ipacVeZLW/SqVphox65/j59xW48Xa9kJAFyVF9lRN0MW7vPGB7KF/c/mjLYy2LIc2xWS5fndT+nUUHwaNboarubI5qRNrQCcjLso0coePvSvvmLe9p88NE7OgASDYWiYXS6aafozBexMwt0VZ3uergge7DnGWGQULAMQCWI+hm4z2VAtZhD24InyJ9/j5GWy9Itz3ELIOEyHpYEnQeWoxsfVO/+yQOP6YeUdvL9fRgfuJK5cq5c4rls9jOSrVET6RNzdFHe39o8Ba1BMQ5xHJI4JGqIXsGPItCn9BncxPw3cCPAvYhUrbzsrmxz59KfmEChERQhpb6U/evLv5EEJMaqwUNbW80Qgcyg/7F0lyVZLTdUW3E+XDJFfMUB8zhOpcAKonzFJJRO0x96o4iFmxiAMU1AdVBV2DgAiQEQFROuKDoIK5HAQqCxMYQtZ8wMGAN+KFdxymHABfBGNeffAG/0BkhBt8BbTKvKVwAjUgYpO4BNnUVAzIDMoBKpRKluhJL+bKeM6SpW0Y0BKHucOhwaIPngmoofx0iNIVmh/K2tgBLKoEQJ8ULg79VZZl3TyomhV+HUypumm0/VZrQ
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--043762e7-6aa0-4a14-83d2-81a2109b7490",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-24T13:44:28.000Z",
"modified": "2017-12-24T13:44:28.000Z",
"pattern": "[file:hashes.MD5 = '0face841f7b2953e7c29c064d6886523' AND file:hashes.SHA1 = '1dd89871c4f8eca7a42642bf4c5ec2aa7688fd5c' AND file:hashes.SHA256 = 'bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59' AND file:hashes.SHA512 = '8ba13408061876abd7336560cdef24c23b8a619af8c53e29e970e620b8fc79be1910fc02c2a68307c37f7d3e5502d6b14e3392cd95abaf875aa419b618435910' AND file:hashes.SSDEEP = '12288:z4tCV9Jybp/AX2Ng4TBDHbowjbVMdX4lMBydixDoCbs+oKRpT1gLhcFAsLc4z0DL:xkAJ4TB6XIM/70txaYB57ATltTlHu' AND file:name = 'library.zip' AND file:size = '1708616' AND (file:content_ref.payload_bin = 'UEsDBBQACQAIAI11mEshbRbCFBMIAEgSGgAgABwAMGZhY2U4NDFmN2IyOTUzZTdjMjljMDY0ZDY4ODY1MjNVVAkAAzmvP1o5rz9adXgLAAEEIQAAAAQhAAAA9C0jKa5y2JeW2rj8o4OdNo0Xpfwscgc4Av8h+22oYmgkXiju7FiVv32ivIWFmC5lAWWMjndg1yFSSbbUVw1S7cg/bY3l740v+4yfuAU/YklUXurG5zCGMHGheVEVZnLL7NHTRghYAi07A2gaAhkut4HVaMXzhaT6rQlIf2jhLALVXnH2710b8PgbkROJ7J/H0gOlKSjMSl31ZOlyvfFKV3O9IXBpepTHY0L17Pm6PrF7F+rmsGSrofRYE/rna9WMuII3HfrMfgV6aQetgiNjxl/7vJdeyejR3cHGIP91jLtEYBOoGXvTeYEEPHtVdMbHzenty+9p5Cl2Ah67Ysujc6bzaaEZnqdrArP7+MDxLwOGnZUyfJMfxdqK/uWKIuKDG7gWMkgOJ5eALeDicrU2jESD9gAePNNoBogGGB0CynwtlAR5DJbpGCA6upcuk/JF9PSGwSvePVLHfnhxRuYZKrT1/YqD/PXIFQBlzN7ueCnSsrbURjDzwyKFlL+Hgsk9dBrI7p6IdPnpvVVpg5IXI0zGuUZW86WL+I2+kproU7B8Cd0CEXs5Nuet6oHoRXieHW0ieOQfJvVVhLDInufLpyhzfE9QYiWDVlfhu/md/LDyhICHj+cg4EsiX81UBkpRX0MZ6ngvBL+HzGE1YJc1VA4oJ9eisKzxguTD5urkloJEjNH1NANB+wR8NMbs267toj2KVvfaThK2qhZ106W/7sT+eic9ca19WWDdnDhoAagNohfBVT+ggjNk2Nnbthp/+Zz2WrwbN0ooZwhXm2khw77dc/kwxejL+LnUBofEGTZDU4i4qnl3rzLlGD4qf67K66ergD0nIiF7BlrdjDUumyy0Wm6rAUisYVOV0PgFE3U7JFCrfWYHr2bRyhzQOYzI59Q9oV/s/OLVd9gGrJdlfz73vs76jUT0C2KPhjRsq1rUYt6inXdHPGHYEf4vWBm0xXj8s7ZaidwVWRaiRrHOgCziajLfdqfWE1QfhN0LgIZ0qC87LSeKrFn3g9k/9nyb5jMWcaPKvI3gcw2PqdzZhxVKFi3CPZjqfYWozrDTOLj6wsUVUAO7cVcqSEjxtKt6m+NsXPWWlJWXv+APe7t+63D2JF0RvXYf8zjRguT9mWQY1PlawHm0X3GF/V7AwMs2QZ4srMf0woPmZDA8olc2uj08UYxRD1tQhlddGh2MbrnkCV95U/ZhBiL7gVpo8GkMC2qfYkd6UIzQiPMaIQtVlZnprbl4D4GVzpkW66+kXLyONJLqesbxCplnE6NEpp2MI69RZ3d2S08gS3oXCyxXdnWUoO2KAlxuoe2qswfDbKa3IAiJP75OTU63Pxjbx+ixCVL1RGL5H7iCbRG6G3d7jQCij/fv7k2KoMhZYZ/TFQ08UArQXS2sD7hf4RG4k24ouYea9GEvKHCD3oljdWZQ8hIowqBHj50dG7r2VkuXIlHAcMc3MzOVlQJ9bJdUn4jYlG24ynkJIM75B03Xy7BqWkj3qzAB7JfPVgp40rOIeEfcZCgI+vJCQTjTsiivwUw8prxwbwHewmkcvzAAhyH2N06TEo6NYex2l+UeWunko51iM5QS4GawrGE5IazEJHeiC/9Mof0nQ6Rv0n42Qykafu+iqbs7yhthh+qPvWZ96O6ErN/TvIZ8lvxByTKAtJQpwAsBaUaG8D07ZTdbGFNY420OWXQKBij90+cfnSYEfpVpVerTxlKuBiW9BJehQ91BoqpgbGFltc4Zz0IGGCfYjwUgng65t5tHhIQT7L07B4Fxfk+5oDB2upG/DV5mea+/T56FSeHF+SSwY8zUPECMMEfntiZQVyTFte5eNrIQYZzuedU3Vfjov71JutxJ65lwpGpDqZLYAUtzIDUonfXo61LuwF016JrslofPj0zZZCSZuqolEzuBrNenYQRkSGfU5DurnjqZhm7s0AQeH9vr1ujWW2pvICnNgOHstQjKq3RlFgNO1pNGIUjFO6kDMAth7hC+FPyJzs19F+2KKiwCUm9qQTixiCMJFu2ZsptY3OuUjLgtc/v4GzJxrwIGTZXXQw1/xG+wzXT5Jb9HXEcIfthp5Ex34Q5QwtygnlvyR9BUeFFqAvGeHQiOGlvEoTJ65nsXzFH16M7AmscRDIfDJIDiAmk3aBHnFrVhf/b3t9pGGl8ulr9aDoyv0BwlHXrr2NoD35K+id4QxadXUKI0ZtTL5f8D+37cVZJMFfejy+uNt2xe3ZEVgFEDtwzXBhiHnmG182DA3bZj5PgVfRI0VcEForXmzdi+/0rt+iat3WKH/pt/7zHE4r2eWwL1R8KebC7aajHqxQAO8byUdV7pTfSP94s73amZqMmLQ3qdlDUQ9Kzj+I0a64FF5gvBnzgqGiRF0TvZsRQGb5b9o0OHuCREL/YxmHn4vSROHzSRfYkfbycYoZU+JYoUYqdLz52InqluzgasqXQSK5eo7qAVW2/TmEh8wLNh6lQdMkV3GfCWBe/bG1VMnW/SnNW5434xZGEzdglUIyzaUAoOxWy6Cz4YW8Zho4Lv649Hq0R0+yY8k+6Pj/vEjXfRMOg3byhJITPGb0oq9Ab7b1RKKrOAKhjZeO/pYe8TS7F41OcM+duaJA+1xVC2220vhTZfM0LwYIgDq/XMibFup6MhZD8VLfWp9xahZS7qXspIBv5wo39ahtqHD3ZLgY3pAKpztSRHjYm35ekV6mkxN5qU9SxQOSzGryXAG3dCwx43tonQ1CRRs5VlZ9UyxkIWEC1eB0d/ssf2ROh/F0Odva8b+EmobSo2e4WHS2PzvCK0J1uMlqc5HY/kE3mvHgy0o+4KvyWs9vGeRRCUdkq3xotlrl1Fv/ml6Hpaj2ij9zXpgjKGGodLCDgCI52In9Z3Rg8FWdeqRY07Y5WjlkgvS4MVrHjJ++EyohgMPNyPTpYjUzBt4VyRe0g7Ow19lAm+h6FR1zetWrQWVbM8+IXP8k1aH1TaJ3xKZ5b33+ZaIOR6I6SnJwsg17ycajKTl7vfv3AuTWzvHSwYDUF4LsE4Zh5R6CfkNlZS8CHUKqS9TXGoDA/cGBbtX2IdlaHNPWJRi0KfaYZ8G3GLamqrWpzKuYIyULeewyXcbbfRQZJTipSBJ5a47WaPCKjXhnv/2Io9zMVFpTdLG97L/K9M9cMDlSjgoMGl3xABHJ3pTfNL2pBco+Ujz3SpCFRSLJ01aSyPQYXzh31aACsTC7vBfEdE5/shyTIVcIA+E2cmfHTD4gki5ole/lduggiRKau7t8BsM8HyDWh4/KzfRYYvDXcBuanYfggNNlJwJO3Gpp5rm9mNcEsEKj6d7t00r+Xvm0BcSG/HK4Ly09xw27RoDv3VvlyhukGHFANvNyOJq1BvW1
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-24T13:44:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--185d44d0-544a-4e42-839f-d6502950565c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-24T13:44:26.000Z",
"modified": "2017-12-24T13:44:26.000Z",
"pattern": "[file:hashes.MD5 = '437f135ba179959a580412e564d3107f' AND file:hashes.SHA1 = 'b47ad4840089247b058121e95732beb82e6311d0' AND file:hashes.SHA256 = '08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949' AND file:hashes.SHA512 = '9db880f9429573c2471c55f1578319bb7eeb2243b64493d79a3caa0ed964f88c2b560a862f54b7b768ce9e184a3763181e233a94ca896275a43d38bef1c6359c' AND file:hashes.SSDEEP = '12:7s5q/29Vdb5t+JuqqNvIlUBrlf+X9tZaf:Qg/0B5titsvIaBrlf+X9tkf' AND file:name = 'imain.bin' AND file:size = '436' AND (file:content_ref.payload_bin = 'UEsDBBQACQAIAI11mEuAPgr4aAEAALQBAAAgABwANDM3ZjEzNWJhMTc5OTU5YTU4MDQxMmU1NjRkMzEwN2ZVVAkAAzqvP1o6rz9adXgLAAEEIQAAAAQhAAAAi9qeDRSR3JRmL4y+RbQcBKzTIVcIvvzgBQUJGxpQGo/rsCYwfRiGd6QDSo0rzBqRUwMLQygNUGRUre9SLFUIzKvHOqYz9X0AF1W6ValugkhcHYqKCztpB0yrG+nTmlGGTK/iO/N1Ik6UI6A+y/cV9YAhYZddiuDLdqLHI0VMJ0Oy3XpOkdfIg0h3hcJY0/5GgJ5d6YPV4mFb4jAfQayCi8WoAq01EniDIHzJXqcq7Os73CTqCaI55gtx2uzBacNIgJetRATkdxGvVjzjF2tDUNETabCqDZVdPuRn8z0lOiitbKg/RjbiXurQSPccHG4ELd21Wo5UU93g0fFRErU+h82ca/45279esLNp7yBGk0H9PzUGQwxqB9bkC2zEEaEfdGDf8KFU2CYh0fuD2ZrX3BWJTo8RYlSWp3nULB+Cb8cHwvxw2NHudtkNbLhsH0SoEngmREMXGEIKUVgm55q7Ty/DlG9Ns/7JUEsHCIA+CvhoAQAAtAEAAFBLAwQKAAkAAACNdZhLJh2UbBUAAAAJAAAALQAcADQzN2YxMzViYTE3OTk1OWE1ODA0MTJlNTY0ZDMxMDdmLmZpbGVuYW1lLnR4dFVUCQADOq8/WjqvP1p1eAsAAQQhAAAABCEAAAAP07aDX0AtOaGghobkL0gKKRzjLgxQSwcIJh2UbBUAAAAJAAAAUEsBAh4DFAAJAAgAjXWYS4A+CvhoAQAAtAEAACAAGAAAAAAAAAAAAKSBAAAAADQzN2YxMzViYTE3OTk1OWE1ODA0MTJlNTY0ZDMxMDdmVVQFAAM6rz9adXgLAAEEIQAAAAQhAAAAUEsBAh4DCgAJAAAAjXWYSyYdlGwVAAAACQAAAC0AGAAAAAAAAQAAAKSB0gEAADQzN2YxMzViYTE3OTk1OWE1ODA0MTJlNTY0ZDMxMDdmLmZpbGVuYW1lLnR4dFVUBQADOq8/WnV4CwABBCEAAAAEIQAAAFBLBQYAAAAAAgACANkAAABeAgAAAAA=' AND file:content_ref.x_misp_filename = 'imain.bin' AND file:content_ref.hashes.MD5 = '437f135ba179959a580412e564d3107f' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected') AND file:x_misp_mimetype = 'data' AND file:x_misp_entropy = '5.44610603085']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-24T13:44:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e40170d2-b26f-424f-a788-196651e787fb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-24T13:44:31.000Z",
"modified": "2017-12-24T13:44:31.000Z",
"pattern": "[file:hashes.MD5 = '6c39c3f4a08d3d78f2eb973a94bd7718' AND file:hashes.SHA1 = 'dc81f383624955e0c0441734f9f1dabfe03f373c' AND file:hashes.SHA256 = 'e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230' AND file:hashes.SHA512 = '57c4aa07aede473e5b8424e4ed8173d0a6215306cf9cc44ab91e4745025a01a720929a02a25f4db24eff81b624d6d6ddfda191be06014bb319a933b9bad12eec' AND file:hashes.SSDEEP = '384:eIn2vPeqUfmEZ+nUn0fJCfMdXWgugoL2RrXdUWJCXXtB:eBPeqYmEb0kUX9XdUzXv' AND file:name = 'trilog.exe' AND file:size = '21504' AND (file:content_ref.payload_bin = 'UEsDBBQACQAIAI51mEuwUn4I5SkAAABUAAAgABwANmMzOWMzZjRhMDhkM2Q3OGYyZWI5NzNhOTRiZDc3MThVVAkAAzuvP1o7rz9adXgLAAEEIQAAAAQhAAAAwcsVoJcmVtjiXTmFZ8v2Au3R9plCnp19GO9cyIdXlre/8QMdJFw0r6RL8mYD7EsHmBtEBxEZqbuZnto+XXZ2Y2plxW0/cfSTU1cOvIGyd4HE8OnINTPTt5rU2dRZiRJNTYxkJ5GBNgqf7gTfpwG0Do1MhNc9i+DVjLYzFGEQghMnUQc6qnLY2p6/U20X4OpV2GMv9k7jzQZSF/OJ4yIwtK6/YSt7mkzMZM9Jx6+cbx1Nn/b02dIna3BBSGXfdkZjOmpWu+Udew5zncVuavu5aW88IX7WYhIVOXJ7OcGSrHtc16WjNAwym2G2iOaQRA/0Nnh8MxioMs5eH3bY0nEXh5v+0s1eO82I9UJ9VNTI1m0cxXVMpIoiCKmSciJ/Z1Vhw8ZKa6I4YbrRfvd1m14dMc57lro706tuOCP/H0pRe9MWoBhAegjgPDsgXheJWPw80EBeQS2/8lihpnlhsfbpXIRk/G4o8ByilycyX4WxxTkAsHBxXVqtuXvIOwtIpFyPOQoOx3bseOAQ+pgvg4qUmxFWT4x/n4Hv2JtGqAGn2+9rNn2PDOGu6QpqOHVgglSvPOltWpkmltuVY/XQjVBPzwoVBxHXdfBnO1dXQil9ayOGxAGnqFucPXHbrSl69TEX9G/84RKP7G9tvwsg6lYWgrReY36Oswn8YyAxqiYrpcjNoziu2TrteZ+PHNqIjRrds/ChgCRPqzTRzwiUfDW4bhkt0piobo2FsPs5ozHbr1zxou2CKBrrBVOkfD8kjRSrLlkj8rUoGreXEQ3QiwIdaVx5zrPIk5W/gfvslkEdep6n+/RFlBhvFcgzkceX/0xPrudDtiwmG4WzndsDON7vUJ3q/6MkH9KElp/1yP3/j3t2KTYz3wbiYfdBEVVNtgFg+s2ktjnQ/EveICPsmMG3rfmNDZ8dXWuHlCZFK8tcyKWY1GOUh5IubQd16rfXZ512bdiqU8PHZNWs4SHT3Bg4co85FfQ71U7Ntfh+9YI7Hsnlzs7Ol4I/hkozlXJA9TPeUM17wkpnHaZoW7GnQGZrDr1zoGN/gdJeoyI3CusdlDQph45RQo8GG4PfAnz4Dr/SvjqjBe3/tQOpjUU/yFkUNrIWFD58y2Ebz64CzkTzNkkmnh3QhH3ayEGp13oWdsAGuEicqYo9Wo6ggY3jKNVDZjgz0ocRhRPzO92W1IS4IYm100hjY32DkiBmWLcX5xUoO3W6DNgrOZjQg0nX5aKAH9xcON9Y5kGB9DENIoAZ8mbM/QWO9hVk+O0xJ+0o0bbe7P8tQ71oQV2Wyod/i9qjAabfqFRuyCXdsGskethUyEWhCeSG6ZtOh82Bq4BCdINbY+A0o+A+bnrwkpIilRr1B1iebGA8rVvYZn8N5nk09DBYuK+Igj7rjkzBFHtw8wnM8HYdp6g+p6KJK/zn6RMjb5LmJyXQPo9uMZmh0reRAPBgYfML1Zb00YQcUZqAwQFBT7X5DaAH4k2ofmg/NU0ppLljPwuvUpKXooaf+knShCC06fOrUI6XsXttcBQ8z0aUnzaM7gS9kigO8tt6d+YKb5qKgqY3HM69X2bFaYkj76fgTsednSpneKIoXI1pqeP2F0QLjaKP3K5mGVVzUP8bPwUyfKavlzg4PPe/NlfVM6lg6Jv2NQ8/mgcmGf70ObIMWRD1mtv+Jy1jTlInR70dl2W8PCBkh1mTfQoUYV9kApH4jBewDfORo8HWsR9oZaPD/YQoT5Gb6Tv4paWZDbW3WmVtl2H1MYGXFopDP2uWuA1PUAIgR3J5TKQzqOgvrJAf+mtHqKNyMgZHWHB8zkQSmapHa8luIh/1xezapN9cY4W3vtfBg2gX6ZVKDpn4Wix/bKIyWwNDvYCqL90E9+zeIlq9LSUkwSQhmGI2Xrtt93ijYASyoBx/scTko8R/ubzdCRY4b97yRJLWDgsWkhYUDwVRzPOLbsa14r1Ggh92ujC1NbzoQ+Im5bvZZWXIsJozj+Q3iD78kMHuavr/U9meuKEqaiZgDpRn3rTo17p7BJYUNiwsyBAgS0wBTxkL88DvBL9LpdBSMrh+JVf20afarrWLLiu9DHhtqufuTKmn6N5EGKND19BRu5nhNau6EbvuKI2kPd/XasklTQklTMYC5/qNRVR/y9vV+ai861bVV2LVHZ943SEqp+S4eTBTWKTH2aLzIu/kP4StoeNCpeJpDpy2iOwk+MOLsxkTNG5GLdf/Ab18z+a6Y1KVHTAIIAwe4dWOm3wX4STeuIos/AjK8M7lXoMAKdnUta2GLOMXUJopi5dFzz4Ac2Dy/+BgXzX4rIhaPIC4cLH+NSu4Q08hFpFa43KsGPI/W1285C97RXsDThuyZySlUv1gkoTKSbwv8Vz/rY90M94huwnybFyr2R2YTPcAWb6YuyItZhnqvE2rGu6HjOxH14QBTb+pnlnTkvL3WfhI55bg9E7kr4BTupuBSZcgLUdvRZbYXiFHh+njTFz+EBj0EUtRLlFK2YI51Rw7vexPpwx+TQ72qcYq3Vt6hAW5/6ztKOBYWPtb68dbjJN8UwVZxOGAKN518P5Cr8JspScN+Mbl4q3tJr2NXhDCrRRxWEfv2IRiApYtQLag9D1VDIaOtTbtvk1zASfjhPTJ6nOKwzkwFxC/5ldSIPv7GrK+4gKDTQjP01EpZbcR14wfVCBZ3+qz1Pa3yKUVOxpmPlAV6owe0FHOMvFqyJlh/Rr15Gqxu5Eyw+vba9RSJdaPyUI6u+6UqXvTXSaj5gMQUivnOGwxRE4+oIoc+kt0WMkfeSvjHkn7fvhWH7oQSzw9+JAad+Dvb619/Z+sG2s/Xod0gotvQ6mhsFh8qoGWLge7kczQy8WN96rcy/mWuAVR5yqAi2GPZ+UmqLv1/YwR8r1NC1hXSfiROfE4+JmSYvE1G6o1MBsmHawU5/ErUbzhKn31pLj0vdole9AZhD/z1n/hPypUYpeCrn7/BJYN6+rEBaQOwW0luBvP4e8s42v/IDKIT+JmWhNXiAxGZ79gK2aiVoq6NLFEwPjmbFdLwnwbKSlT0KFCt4OlHnW1gw5vgBURIKDuWWEcoH3WS/W3FBDpUlbPcB+MZs/liUQu/V+k29826zF/x+NX0CFktEtiFhTdTfIMCYBk6rYWswkIGNVJDHvn/NuFlQ4LGyhd7/W8Ygtl4JiybtxX+QPtBPfz3+9g/jyHR/KGa1H1/w8PVNOeo8rEkr3U2b8p3OOxkNSQwo/c2yvwoZCseV/DvPwe2j4Ow1CcS59hDuPXEZNMnStlAfIOmiaagjyOVNZc255jxSP1lu77Xq83/r2OTKKlLSIa4e5ZUq5sDxlEz6h9xSXj177yRzdfcKS5qH1gHv+n0YNpTyRdkR6zLTIpE2b9xLGiwJ69gwdmMFOoKXO7
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-24T13:44:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--157e2cb3-598b-4663-af34-28358808dd9d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-24T13:44:31.000Z",
"modified": "2017-12-24T13:44:31.000Z",
"first_observed": "2017-12-24T13:44:31Z",
"last_observed": "2017-12-24T13:44:31Z",
"number_observed": 1,
"object_refs": [
"file--5a23f9e1-beec-5637-b8ae-3f5160686a66"
],
"labels": [
"misp:name=\"pe\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"False\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5a23f9e1-beec-5637-b8ae-3f5160686a66",
"name": "",
"extensions": {
"windows-pebinary-ext": {
"pe_type": "exe",
"number_of_sections": 4,
"optional_header": {
"address_of_entry_point": 4205352
},
"x_misp_compilation_timestamp": "2008-11-10T09:40:34"
}
}
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--1f1c1f68-c9e7-43e0-9779-98ba4c889dbe",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-24T13:44:27.000Z",
"modified": "2017-12-24T13:44:27.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "sha1",
"object_relation": "sha1",
"value": "3f1ac2364c8e06237f6f841a302f249108aeaf9b",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5a3faf3b-1f74-4a7f-bf41-4c6d02de0b81"
},
{
"type": "text",
"object_relation": "name",
"value": ".text",
"category": "Other",
"uuid": "5a3faf3b-7c44-459a-b890-46e402de0b81"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "8704",
"category": "Other",
"uuid": "5a3faf3b-00cc-4562-860b-4a1f02de0b81"
},
{
"type": "float",
"object_relation": "entropy",
"value": "6.24017560026",
"category": "Other",
"uuid": "5a3faf3b-8cf4-48d1-85a6-461302de0b81"
},
{
"type": "ssdeep",
"object_relation": "ssdeep",
"value": "768:W7fTBN81tL4OGpnvnRzLC5uE4LCwtbyhmjBBvpLJzpVA8NQ8oazAlo1sBG87jGrk:dlQOb7TH",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5a3faf3b-cab0-45f9-82d5-493a02de0b81"
},
{
"type": "sha256",
"object_relation": "sha256",
"value": "bf235b24aec5b15ea5255261dee81284137c2f31ae64e03c6311377a00ac114b",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5a3faf3c-2ab0-440e-afc9-4cea02de0b81"
},
{
"type": "sha512",
"object_relation": "sha512",
"value": "818a9eea1164f02a20207c906c0d007ec98bc589a323d9993fd0859f6b9aa59f4c85e9966afc05281bab7feddad5e25a8039d2bf7a98b0e60b3214cf89ed008f",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5a3faf3c-5608-4b73-9045-4ac602de0b81"
},
{
"type": "md5",
"object_relation": "md5",
"value": "1d2a14142d0e98c0ede881657be0b620",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5a3faf3c-b134-453e-9d99-41ee02de0b81"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--11861108-bcc4-4e10-9cb9-9d3a3acf27df",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-24T13:44:28.000Z",
"modified": "2017-12-24T13:44:28.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "sha1",
"object_relation": "sha1",
"value": "a07c2e5b0b903b4d4602474a2c3e26300cb5de71",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5a3faf3c-b884-46ce-9b6b-468e02de0b81"
},
{
"type": "text",
"object_relation": "name",
"value": ".rdata",
"category": "Other",
"uuid": "5a3faf3c-f938-40c4-9bf8-483f02de0b81"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "2560",
"category": "Other",
"uuid": "5a3faf3c-9cec-450e-bced-4d0702de0b81"
},
{
"type": "float",
"object_relation": "entropy",
"value": "5.02793750695",
"category": "Other",
"uuid": "5a3faf3c-3664-49e1-bc80-4b1602de0b81"
},
{
"type": "ssdeep",
"object_relation": "ssdeep",
"value": "192:bPwY+mHo4aSgsRPwY+mHo4GF4M+7xzGtXH5dJL7VGO7tr0F:UNmxgTNm0QF",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5a3faf3c-0900-4dba-bbab-486902de0b81"
},
{
"type": "sha256",
"object_relation": "sha256",
"value": "f510bee135f800f910f5987c2684c3051756e7182939b93dfddc457c4be8a005",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5a3faf3c-33cc-4f2f-b1c9-4c0c02de0b81"
},
{
"type": "sha512",
"object_relation": "sha512",
"value": "990bd0267b536b3768fdbb768e5dd3035c0f420f807c31e54eee794144b97e2a13390e0d40b33da6d84b600bb83d8d64f207ccffc9784243fc0c54f0241df514",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5a3faf3c-bf00-4a5e-bd96-4a9302de0b81"
},
{
"type": "md5",
"object_relation": "md5",
"value": "4959dc6a9b68e9d55b254ce76c458eed",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5a3faf3c-de90-4c8b-8ec0-444502de0b81"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5e60369b-411a-40af-92f1-18e01ca64a63",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-24T13:44:28.000Z",
"modified": "2017-12-24T13:44:28.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "sha1",
"object_relation": "sha1",
"value": "196e027a8328ce2ac5fa1431d501c257a9a79f1a",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5a3faf3c-4cbc-49af-95a7-45d502de0b81"
},
{
"type": "text",
"object_relation": "name",
"value": ".data",
"category": "Other",
"uuid": "5a3faf3c-335c-4646-96d2-499c02de0b81"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "3072",
"category": "Other",
"uuid": "5a3faf3c-af84-470a-8d32-473c02de0b81"
},
{
"type": "float",
"object_relation": "entropy",
"value": "4.52960066296",
"category": "Other",
"uuid": "5a3faf3c-87f8-4286-9f2b-44d802de0b81"
},
{
"type": "ssdeep",
"object_relation": "ssdeep",
"value": "96:o1uiM+CMvScnq2p20lZ+IG6Vg8xHj6tJlDiABF3Z+qd9NUjHJ2C:o1uirCmlZ+/8xHuRDzX2pB",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5a3faf3c-1334-4264-bbf8-46f202de0b81"
},
{
"type": "sha256",
"object_relation": "sha256",
"value": "eda3c565062b52ab2ff5cd7ec7e7a9e3198da40387d916c0e74881b4636a2d5c",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5a3faf3c-4c3c-4587-bf34-40e702de0b81"
},
{
"type": "sha512",
"object_relation": "sha512",
"value": "fd978c87f845c632997d723ea3d1ec6d8fd61f4f30f8c3a95e71015b3ee693538ad5878d99f5111c096e22020e6363ce2642ab09a5b52e5c8de1ad0797659c63",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5a3faf3c-df08-42b7-a668-4f7902de0b81"
},
{
"type": "md5",
"object_relation": "md5",
"value": "2354a2e07869f9a732f463fe084ad6c5",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5a3faf3c-5780-46c3-92b9-468d02de0b81"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--7dbb436b-9e54-4d16-89e8-05f54984e2d0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-24T13:44:28.000Z",
"modified": "2017-12-24T13:44:28.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "sha1",
"object_relation": "sha1",
"value": "b9511de0a85e2bcba775228260c748ed0b9faff0",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5a3faf3c-bab4-480c-9a98-42bb02de0b81"
},
{
"type": "text",
"object_relation": "name",
"value": ".rsrc",
"category": "Other",
"uuid": "5a3faf3c-9140-4ee9-85e0-4cef02de0b81"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "6144",
"category": "Other",
"uuid": "5a3faf3d-50c0-4c80-bd70-4e0d02de0b81"
},
{
"type": "float",
"object_relation": "entropy",
"value": "5.06803807105",
"category": "Other",
"uuid": "5a3faf3d-2ea8-4996-9f9c-4ab202de0b81"
},
{
"type": "ssdeep",
"object_relation": "ssdeep",
"value": "192:cFRr2VNBK3keWukvnmsg7Lapoyl0yrKzNVOQfcdfQDnmnVY7n9:JukvnmhvEwNVOgrmi",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5a3faf3d-46d4-4580-849f-4a8702de0b81"
},
{
"type": "sha256",
"object_relation": "sha256",
"value": "9b8a7bec5a92a7c61abd1db2afc121c00ffa803422ee2e4e9c419bb2d2533d7a",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5a3faf3d-c6a0-4765-bf0b-413002de0b81"
},
{
"type": "sha512",
"object_relation": "sha512",
"value": "d89a6dd18dffc82c9a532d925ca1e0177d0ee6152ea3598336aa5f56804330b7dae82891828b83cc11708ce50975dfa089933124f4561ea4aca77f96ad73c320",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5a3faf3d-7400-4926-bf0f-416902de0b81"
},
{
"type": "md5",
"object_relation": "md5",
"value": "fe8374bfc19886efe88fb53c50e26e35",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5a3faf3d-6af0-4505-9281-4d7002de0b81"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}