misp-circl-feed/feeds/circl/stix-2.1/5cf0f134-f504-42dd-b11e-9071950d210f.json

{
"type": "bundle",
"id": "bundle--5cf0f134-f504-42dd-b11e-9071950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T12:59:24.000Z",
"modified": "2019-05-31T12:59:24.000Z",
"name": "CthulhuSPRL.be",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5cf0f134-f504-42dd-b11e-9071950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T12:59:24.000Z",
"modified": "2019-05-31T12:59:24.000Z",
"name": "Emissary Panda Attacks Middle East Government Sharepoint Servers by Palo Alto Unit42",
"published": "2019-05-31T13:00:17Z",
"object_refs": [
"observed-data--5cf10f7b-00d4-443f-b2b0-4531950d210f",
"url--5cf10f7b-00d4-443f-b2b0-4531950d210f",
"vulnerability--5cf10f86-a5f8-4de9-8883-4d73950d210f",
"indicator--5cf11062-7c4c-4b1d-ac88-4cc5950d210f",
"indicator--5cf11062-9fa0-4692-9750-4257950d210f",
"indicator--5cf11062-1914-4a55-b137-41d6950d210f",
"indicator--5cf11062-894c-4f76-b99c-4639950d210f",
"indicator--5cf11062-c2d4-4269-be73-4db5950d210f",
"indicator--5cf11062-377c-4de2-9448-4a0a950d210f",
"indicator--5cf11062-99ec-40c0-9281-4512950d210f",
"indicator--5cf11062-8234-4c77-8250-4850950d210f",
"indicator--5cf11062-f5e0-4d73-915e-4ab8950d210f",
"indicator--5cf11062-9538-4612-a125-4dc8950d210f",
"vulnerability--5cf11062-b3a8-48bd-84b1-4da8950d210f",
"indicator--5cf11062-a1c4-488d-ac46-4eee950d210f",
"indicator--5cf110fa-0344-4fbd-bca7-eea7950d210f",
"indicator--5cf111e1-4024-41aa-be42-44d3950d210f",
"indicator--5cf111e1-1334-42c9-9570-4b16950d210f",
"indicator--5cf111e1-ebb0-46ec-80c2-40f2950d210f",
"indicator--5cf111e1-58f4-4cbf-8c66-4045950d210f",
"indicator--5cf111e1-254c-4d8f-9e26-41be950d210f",
"indicator--5cf111e1-50bc-4182-a819-430f950d210f",
"indicator--5cf111e1-2d28-46e0-8572-4b45950d210f",
"indicator--5cf111e1-b518-4e6d-a90d-44c3950d210f",
"indicator--5cf111e1-b34c-4a3e-b0b4-4b9f950d210f",
"indicator--5cf111e1-d3cc-4c2c-85b1-414d950d210f",
"indicator--5cf111e1-4f10-4eb6-8b1c-4ff7950d210f",
"indicator--5cf111e1-c4dc-42c8-9d67-44e5950d210f",
"indicator--5cf111e1-4df0-4ddd-a140-43ae950d210f",
"indicator--5cf111e1-c7e4-4ed5-9635-4af9950d210f",
"indicator--5cf111e1-d158-42da-8dbe-4828950d210f",
"indicator--5cf113e1-a61c-4572-a3c6-eea7950d210f",
"indicator--5cf113e1-b5e8-46e1-a5dd-eea7950d210f",
"indicator--5cf113e1-8b94-42cd-a8e7-eea7950d210f",
"indicator--5cf113e1-6c9c-4b25-8078-eea7950d210f",
"indicator--5cf113e1-52b8-41c9-a7a0-eea7950d210f",
"indicator--5cf113e1-7308-40da-bd53-eea7950d210f",
"indicator--5cf113e1-dc00-44b0-8e34-eea7950d210f",
"indicator--5cf113e1-5a74-409c-9602-eea7950d210f",
"indicator--5cf113e1-323c-46cd-b6ec-eea7950d210f",
"indicator--5cf113e1-2bd8-467f-91d5-eea7950d210f",
"indicator--5cf113e1-b070-45e2-b7dd-eea7950d210f",
"indicator--5cf113e1-4ef4-4334-af42-eea7950d210f",
"indicator--5cf113e1-7f90-4c5f-b7bb-eea7950d210f",
"indicator--5cf113e1-ac9c-44c1-9bd7-eea7950d210f",
"indicator--5cf113e1-b28c-4298-b433-eea7950d210f",
"indicator--5cf113e1-a4fc-4db4-ba07-eea7950d210f",
"indicator--5cf113e1-5d40-45c1-942b-eea7950d210f",
"indicator--5cf113e1-0750-4a43-b314-eea7950d210f",
"indicator--5cf113e1-098c-4c83-925d-eea7950d210f",
"indicator--5cf113e1-3b3c-4982-a3ff-eea7950d210f",
"indicator--5cf113e1-83ec-41db-aa5a-eea7950d210f",
"indicator--5cf113e1-241c-4f87-8049-eea7950d210f",
"indicator--5cf113e1-c35c-4c47-977d-eea7950d210f",
"indicator--5cf113e1-58b8-426c-9116-eea7950d210f",
"indicator--5cf113e1-1e04-46d5-b0e2-eea7950d210f",
"indicator--5cf113e2-85a4-4b17-8a79-eea7950d210f",
"indicator--5cf113e2-a6fc-489d-830d-eea7950d210f",
"indicator--5cf11443-5c1c-4ec6-8361-4188950d210f",
"indicator--5cf11443-71e0-4c02-9469-4fea950d210f",
"indicator--5cf11443-5c00-4428-957f-4052950d210f",
"indicator--5cf1146c-8d1c-45c7-b23f-4985950d210f",
"indicator--5cf1146c-a964-4838-8be2-4434950d210f",
"indicator--5cf1146c-d820-4389-a536-4ab5950d210f",
"indicator--5cf1146c-048c-4a4c-83e4-4c94950d210f",
"indicator--5cf1146c-8c60-486c-a98a-4965950d210f",
"indicator--5cf114fc-4dbc-4f3a-a659-4540950d210f",
"indicator--5cf1150d-6518-4fbe-b7c1-4dcf950d210f",
"x-misp-attribute--5cf124be-1fa4-49c1-81e4-de6c950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Threat Group-3390\"",
"misp-galaxy:mitre-intrusion-set=\"Threat Group-3390 - G0027\"",
"misp-galaxy:threat-actor=\"Emissary Panda\"",
"misp-galaxy:threat-actor=\"LuckyMouse\"",
"OSINT",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cf10f7b-00d4-443f-b2b0-4531950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:26:51.000Z",
"modified": "2019-05-31T11:26:51.000Z",
"first_observed": "2019-05-31T11:26:51Z",
"last_observed": "2019-05-31T11:26:51Z",
"number_observed": 1,
"object_refs": [
"url--5cf10f7b-00d4-443f-b2b0-4531950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5cf10f7b-00d4-443f-b2b0-4531950d210f",
"value": "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/"
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5cf10f86-a5f8-4de9-8883-4d73950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:27:02.000Z",
"modified": "2019-05-31T11:27:02.000Z",
"name": "CVE-2019-0604",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"External analysis\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2019-0604"
}
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf11062-7c4c-4b1d-ac88-4cc5950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:32:14.000Z",
"modified": "2019-05-31T11:32:14.000Z",
"pattern": "[file:hashes.SHA256 = '006569f0a7e501e58fe15a4323eedc08f9865239131b28dc5f95f750b4767b38']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:32:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf11062-9fa0-4692-9750-4257950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:32:20.000Z",
"modified": "2019-05-31T11:32:20.000Z",
"pattern": "[file:name = '/_layouts/15/error2.aspx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:32:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf11062-1914-4a55-b137-41d6950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:32:23.000Z",
"modified": "2019-05-31T11:32:23.000Z",
"pattern": "[file:name = '/_layouts/15/errr.aspx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:32:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf11062-894c-4f76-b99c-4639950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:32:28.000Z",
"modified": "2019-05-31T11:32:28.000Z",
"pattern": "[file:name = 'stylecs.aspx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:32:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf11062-c2d4-4269-be73-4db5950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:32:10.000Z",
"modified": "2019-05-31T11:32:10.000Z",
"description": "stylecs.aspx",
"pattern": "[file:hashes.SHA256 = '2feae7574a2cc4dea2bff4eceb92e3a77cf682c0a1e78ee70be931a251794b86']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:32:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf11062-377c-4de2-9448-4a0a950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:32:05.000Z",
"modified": "2019-05-31T11:32:05.000Z",
"pattern": "[file:name = 'stylecss.aspx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:32:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf11062-99ec-40c0-9281-4512950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:31:50.000Z",
"modified": "2019-05-31T11:31:50.000Z",
"description": "stylecss.aspx",
"pattern": "[file:hashes.SHA256 = 'd1ab0dff44508bac9005e95299704a887b0ffc42734a34b30ebf6d3916053dbe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:31:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf11062-8234-4c77-8250-4850950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:31:54.000Z",
"modified": "2019-05-31T11:31:54.000Z",
"pattern": "[file:name = 'test.aspx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:31:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf11062-f5e0-4d73-915e-4ab8950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:31:59.000Z",
"modified": "2019-05-31T11:31:59.000Z",
"description": "test.aspx",
"pattern": "[file:hashes.SHA256 = '6b3f835acbd954af168184f57c9d8e6798898e9ee650bd543ea6f2e9d5cf6378']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:31:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf11062-9538-4612-a125-4dc8950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:31:31.000Z",
"modified": "2019-05-31T11:31:31.000Z",
"pattern": "[file:name = 'tool.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:31:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5cf11062-b3a8-48bd-84b1-4da8950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:30:42.000Z",
"modified": "2019-05-31T11:30:42.000Z",
"name": "CVE-2017-0144",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"External analysis\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2017-0144"
}
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf11062-a1c4-488d-ac46-4eee950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:30:58.000Z",
"modified": "2019-05-31T11:30:58.000Z",
"description": "used to check whether the target is vulnerable to CVE-2017-0144 (EternalBlue), patched in MS17-010",
"pattern": "[file:name = 'checker1.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:30:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf110fa-0344-4fbd-bca7-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:34:27.000Z",
"modified": "2019-05-31T11:34:27.000Z",
"description": "Not the Sysinternals PsExec, but the remote-execution functionality of an Impacket tool similar to PsExec",
"pattern": "[file:name = 'psexec.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:34:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf111e1-4024-41aa-be42-44d3950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:37:05.000Z",
"modified": "2019-05-31T11:37:05.000Z",
"pattern": "[file:name = 'm2.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:37:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf111e1-1334-42c9-9570-4b16950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:37:05.000Z",
"modified": "2019-05-31T11:37:05.000Z",
"description": "m2.exe",
"pattern": "[file:hashes.SHA256 = 'b279a41359367408c627ffa8d80051ed0f04c76fbf6aed79b3b2963203e08ade']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:37:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf111e1-ebb0-46ec-80c2-40f2950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:37:05.000Z",
"modified": "2019-05-31T11:37:05.000Z",
"pattern": "[file:hashes.SHA256 = '7eea6e15bb13a3b65cca9405829123761bf7d12c6dc3b81ce499d8f6a0b25fb7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:37:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf111e1-58f4-4cbf-8c66-4045950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:37:05.000Z",
"modified": "2019-05-31T11:37:05.000Z",
"description": "HyperBro backdoor",
"pattern": "[file:name = 's.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:37:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf111e1-254c-4d8f-9e26-41be950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:37:05.000Z",
"modified": "2019-05-31T11:37:05.000Z",
"description": "HyperBro backdoor",
"pattern": "[file:hashes.SHA256 = '04f48ed27a83a57a971e73072ac5c769709306f2714022770fb364fd575fd462']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:37:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf111e1-50bc-4182-a819-430f950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:37:05.000Z",
"modified": "2019-05-31T11:37:05.000Z",
"description": "Legitimate cURL.",
"pattern": "[file:name = 'curl.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:37:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf111e1-2d28-46e0-8572-4b45950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:37:05.000Z",
"modified": "2019-05-31T11:37:05.000Z",
"description": "Legitimate cURL",
"pattern": "[file:hashes.SHA256 = 'abc16344cdfc78f532870f4dcfbb75794c9a7074e796477382564d7ba2122c7d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:37:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf111e1-b518-4e6d-a90d-44c3950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:37:05.000Z",
"modified": "2019-05-31T11:37:05.000Z",
"description": "Legitimate cURL.",
"pattern": "[file:hashes.SHA256 = 'bbb9cd70fdc581812822679e6a875dcf5b7d32fd529a1d564948a5a3f6f9e3ab']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:37:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf111e1-b34c-4a3e-b0b4-4b9f950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:37:05.000Z",
"modified": "2019-05-31T11:37:05.000Z",
"description": "Compiled EternalBlue checker script",
"pattern": "[file:hashes.SHA256 = '090cefebef655be7f879f2f14bd849ac20c4051d0c13e55410a49789738fad98']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:37:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf111e1-d3cc-4c2c-85b1-414d950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:37:05.000Z",
"modified": "2019-05-31T11:37:05.000Z",
"description": "C# Tool, likely from https://github.com/mubix/netview",
"pattern": "[file:name = 'etool.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:37:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf111e1-4f10-4eb6-8b1c-4ff7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:37:05.000Z",
"modified": "2019-05-31T11:37:05.000Z",
"description": "C# Tool, likely from https://github.com/mubix/netview",
"pattern": "[file:hashes.SHA256 = '38fa396770e0ecf60fe1ce089422283e2dc8599489bd18d5eb033255dd8e370c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:37:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf111e1-c4dc-42c8-9d67-44e5950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:37:05.000Z",
"modified": "2019-05-31T11:37:05.000Z",
"description": "Legitimate Sublime Text plugin host",
"pattern": "[file:name = 'plugin_host.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:37:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf111e1-4df0-4ddd-a140-43ae950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:37:05.000Z",
"modified": "2019-05-31T11:37:05.000Z",
"description": "Legitimate Sublime Text plugin host",
"pattern": "[file:hashes.SHA256 = '738abaa80e8b6ed21e16302cb91f6566f9322aebf7a22464f11ee9f4501da711']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:37:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf111e1-c7e4-4ed5-9635-4af9950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:37:05.000Z",
"modified": "2019-05-31T11:37:05.000Z",
"description": "Sideloaded DLL loaded by Sublime Text",
"pattern": "[file:name = 'PYTHON33.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:37:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf111e1-d158-42da-8dbe-4828950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:37:05.000Z",
"modified": "2019-05-31T11:37:05.000Z",
"description": "Sideloaded DLL loaded by Sublime Text",
"pattern": "[file:hashes.SHA256 = '2dde8881cd9b43633d69dfa60f23713d7375913845ac3fe9b4d8a618660c4528']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:37:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-a61c-4572-a3c6-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "SMB backdoor based on smbrelay3",
"pattern": "[file:name = 'smb1.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-b5e8-46e1-a5dd-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "SMB backdoor based on smbrelay3",
"pattern": "[file:hashes.SHA256 = '88027a44dc82a97e21f04121eea2e86b4ddf1bd7bbaa4ad009b97b50307570bd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-8b94-42cd-a8e7-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "Compiled zzz_exploit.py",
"pattern": "[file:name = 'mcmd.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-6c9c-4b25-8078-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "Compiled zzz_exploit.py",
"pattern": "[file:hashes.SHA256 = '738128b4f42c8d2335d68383d72734130c0c4184725c06851498a4cf0374a841']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-52b8-41c9-a7a0-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"pattern": "[file:name = 'zzz_exploit.py']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-7308-40da-bd53-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "Compiled zzz_exploit.py",
"pattern": "[file:name = 'mcafee.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-dc00-44b0-8e34-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "Compiled zzz_exploit.py",
"pattern": "[file:hashes.SHA256 = '3bca0bb708c5dad1c683c6ead857a5ebfa15928a59211432459a3efa6a1afc59']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-5a74-409c-9602-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "pwdump",
"pattern": "[file:name = 'dump.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-323c-46cd-b6ec-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "pwdump",
"pattern": "[file:hashes.SHA256 = '29897f2ae25017455f904595872f2430b5f7fedd00ff1a46f1ea77e50940128e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-2bd8-467f-91d5-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "Compiled MS17-010 checker",
"pattern": "[file:hashes.SHA256 = 'd0df8e1dcf30785a964ecdda9bd86374d35960e1817b25a6b0963da38e0b1333']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-b070-45e2-b7dd-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "Packed Mimikatz",
"pattern": "[file:name = 'memory.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-4ef4-4334-af42-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "Packed Mimikatz",
"pattern": "[file:hashes.SHA256 = 'a18326f929229da53d4cc340bde830f75e810122c58b523460c8d6ba62ede0e5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-7f90-4c5f-b7bb-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "Compiled MS17-010 checker",
"pattern": "[file:name = 'checker.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-ac9c-44c1-9bd7-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "SMB backdoor based on smbrelay3",
"pattern": "[file:name = 'smb.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-b28c-4298-b433-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "SMB backdoor based on smbrelay3",
"pattern": "[file:hashes.SHA256 = '4a26ec5fd16ee13d869d6b0b6177e570444f6a007759ea94f1aa18fa831290a8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-a4fc-4db4-ba07-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "Termite",
"pattern": "[file:name = 'agent_Win32.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-5d40-45c1-942b-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "Termite",
"pattern": "[file:hashes.SHA256 = 'b2b2e900aa2e96ff44610032063012aa0435a47a5b416c384bd6e4e58a048ac9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-0750-4a43-b314-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "httprelay",
"pattern": "[file:name = 'smb_exec.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-098c-4c83-925d-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "httprelay",
"pattern": "[file:hashes.SHA256 = '475c7e88a6d73e619ec585a7c9e6e57d2efc8298b688ebc10a3c703322f1a4a7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-3b3c-4982-a3ff-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "Incognito",
"pattern": "[file:name = 'incognito.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-83ec-41db-aa5a-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "Incognito",
"pattern": "[file:hashes.SHA256 = '9f5f3a9ce156213445d08d1a9ea99356d2136924dc28a8ceca6d528f9dbd718b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-241c-4f87-8049-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "nbtscan",
"pattern": "[file:name = 'nbtscan.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-c35c-4c47-977d-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "nbtscan",
"pattern": "[file:hashes.SHA256 = 'c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-58b8-426c-9116-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "pwdump",
"pattern": "[file:name = 'fgdump.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e1-1e04-46d5-b0e2-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:37.000Z",
"modified": "2019-05-31T11:45:37.000Z",
"description": "pwdump",
"pattern": "[file:hashes.SHA256 = 'a6cad2d0f8dc05246846d2a9618fc93b7d97681331d5826f8353e7c3a3206e86']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e2-85a4-4b17-8a79-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:38.000Z",
"modified": "2019-05-31T11:45:38.000Z",
"pattern": "[file:name = 'smbexec.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf113e2-a6fc-489d-830d-eea7950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:45:38.000Z",
"modified": "2019-05-31T11:45:38.000Z",
"pattern": "[file:hashes.SHA256 = 'e781ce2d795c5dd6b0a5b849a414f5bd05bb99785f2ebf36edb70399205817ee']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:45:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf11443-5c1c-4ec6-8361-4188950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:48:36.000Z",
"modified": "2019-05-31T11:48:36.000Z",
"description": "Legitimate CreateMedia.exe application from Microsoft\u2019s System Center 2012 Configuration Manager",
"pattern": "[file:name = 'CreateMedia.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:48:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf11443-71e0-4c02-9469-4fea950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:48:45.000Z",
"modified": "2019-05-31T11:48:45.000Z",
"description": "Legitimate CreateMedia.exe application from Microsoft\u2019s System Center 2012 Configuration Manager",
"pattern": "[file:hashes.SHA256 = '2bb22c7b97e4c4d07e17a259cbc48d72f7e3935aa873e3dd78d01c5bbf426088']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:48:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf11443-5c00-4428-957f-4052950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:48:55.000Z",
"modified": "2019-05-31T11:48:55.000Z",
"description": "Sideloaded DLL loaded by CreateMedia.exe",
"pattern": "[file:name = 'CreateTsMediaAdm.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:48:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf1146c-8d1c-45c7-b23f-4985950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:48:14.000Z",
"modified": "2019-05-31T11:48:14.000Z",
"description": "Symantec pcAnywhere thinprobe application",
"pattern": "[file:name = 'thinprobe.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:48:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf1146c-a964-4838-8be2-4434950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:48:17.000Z",
"modified": "2019-05-31T11:48:17.000Z",
"description": "Symantec pcAnywhere thinprobe application",
"pattern": "[file:hashes.SHA256 = '76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:48:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf1146c-d820-4389-a536-4ab5950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:48:20.000Z",
"modified": "2019-05-31T11:48:20.000Z",
"description": "Sideloaded DLL loaded by thinprobe.exe",
"pattern": "[file:name = 'thinhostprobedll.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:48:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf1146c-048c-4a4c-83e4-4c94950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:48:25.000Z",
"modified": "2019-05-31T11:48:25.000Z",
"description": "Sideloaded DLL loaded by thinprobe.exe",
"pattern": "[file:hashes.SHA256 = 'd40414b1173d59597ed1122361fe60303d3526f15320aede355c6ad9e7e239af']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:48:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf1146c-8c60-486c-a98a-4965950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:48:30.000Z",
"modified": "2019-05-31T11:48:30.000Z",
"description": "thumb.db contains an encrypted and compressed DLL payload that is run by the sideloaded DLL",
"pattern": "[file:hashes.SHA256 = '270ea24f2cef655bd89439ab76c1d49c80caaa8899ffa6f0ef36dc1beb894530']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:48:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf114fc-4dbc-4f3a-a659-4540950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:50:20.000Z",
"modified": "2019-05-31T11:50:20.000Z",
"pattern": "[url:value = 'https://185.12.45.134:443/ajax']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:50:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cf1150d-6518-4fbe-b7c1-4dcf950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T11:50:37.000Z",
"modified": "2019-05-31T11:50:37.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.12.45.134']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-31T11:50:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5cf124be-1fa4-49c1-81e4-de6c950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2019-05-31T12:57:34.000Z",
"modified": "2019-05-31T12:57:34.000Z",
"labels": [
"misp:type=\"named pipe\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_type": "named pipe",
"x_misp_value": "\\\\.\\pipe\\testpipe"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}