{
"type" : "bundle" ,
"id" : "bundle--5a29b981-af60-4e6f-af70-480b950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-10-26T10:11:11.000Z" ,
"modified" : "2018-10-26T10:11:11.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "grouping" ,
"spec_version" : "2.1" ,
"id" : "grouping--5a29b981-af60-4e6f-af70-480b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-10-26T10:11:11.000Z" ,
"modified" : "2018-10-26T10:11:11.000Z" ,
"name" : "OSINT - THE SHADOWS OF GHOSTS INSIDE THE RESPONSE OF A UNIQUE CARBANAK INTRUSION" ,
"context" : "suspicious-activity" ,
"object_refs" : [
"observed-data--5a29b997-3ed0-4604-bfc8-4dcd950d210f" ,
"url--5a29b997-3ed0-4604-bfc8-4dcd950d210f" ,
"indicator--5a2fa0b0-1dac-4180-866f-4933950d210f" ,
"indicator--5a2fa0b1-bab4-4930-8497-4933950d210f" ,
"indicator--5a2fa0b2-14b4-4773-ac02-4933950d210f" ,
"indicator--5a2fa0b2-6704-405c-94d4-4933950d210f" ,
"indicator--5a2fa0b2-b574-43d4-8765-4933950d210f" ,
"indicator--5a2fa0b2-10f8-4461-9ea5-4933950d210f" ,
"indicator--5a2fad90-0854-4508-9b1a-4889950d210f" ,
"indicator--5a2fad91-5048-4a72-934e-471e950d210f" ,
"indicator--5a2fad92-1bf0-4fc7-8825-409b950d210f" ,
"indicator--5a2fad93-02fc-46f3-a23e-4bb5950d210f" ,
"indicator--5a2fad93-bba0-45ef-a648-45e9950d210f" ,
"indicator--5a2fad94-2034-4a1a-a49e-4826950d210f" ,
"indicator--5a2fad95-d9d0-4aab-b427-4177950d210f" ,
"indicator--5a2fad95-7e60-4860-b6fe-42b9950d210f" ,
"indicator--5a2fad96-5484-48ce-b77e-47b3950d210f" ,
"indicator--5a2fb05d-c778-4fbe-b043-4e56950d210f" ,
"indicator--5a2fb05d-35b8-4ab7-a7f0-42e3950d210f" ,
"indicator--5a2fb05e-ff64-4760-8516-43bc950d210f" ,
"indicator--5a2fb05f-6cd0-45a2-99b2-4ff8950d210f" ,
"indicator--5a2fb05f-6338-4c73-9185-4dcc950d210f" ,
"indicator--5a2fb060-05d0-4bf6-a42d-4598950d210f" ,
"indicator--5a2fb061-92fc-400e-a558-410a950d210f" ,
"indicator--5a2fb061-28e4-4908-8d24-4c41950d210f" ,
"indicator--5a310fac-7af4-44fd-b616-da3b02de0b81" ,
"indicator--5a310fac-a020-462a-8ac7-da3b02de0b81" ,
"observed-data--5a310fac-4260-4700-8a51-da3b02de0b81" ,
"url--5a310fac-4260-4700-8a51-da3b02de0b81" ,
"x-misp-attribute--5bd2e2ab-7b04-4327-acbb-4d71950d210f" ,
"indicator--5a2f8bf2-f160-4b0f-9e7a-493e950d210f" ,
"indicator--5a2f8c82-07a8-45b4-9457-4200950d210f" ,
"indicator--5a2f8d2a-dec0-4067-b077-4e7d950d210f" ,
"indicator--5a2f8d6f-5e3c-43b1-a21b-4f5b950d210f" ,
"indicator--5a2f8dca-2278-4017-835c-4e9b950d210f" ,
"indicator--5a2f8e07-cd40-4b64-9b3f-4cc0950d210f" ,
"indicator--5a2f8e44-5d50-48a8-be17-4d0a950d210f" ,
"indicator--5a2f950e-862c-4a2b-a94e-45a3950d210f" ,
"indicator--5a2f9576-3c3c-4790-9339-397e950d210f" ,
"indicator--5a2f95ab-28d4-49bf-ac64-1e00950d210f" ,
"indicator--5a2f95f0-4c64-4b47-a395-4a58950d210f" ,
"indicator--5a2f9643-08a8-4902-b7f4-4843950d210f" ,
"indicator--5a2f99b1-a784-4add-bcf7-4933950d210f" ,
"indicator--5a2f99dc-c454-41e9-a090-458d950d210f" ,
"indicator--5a2f9a7d-1ccc-48f4-a0d0-1d7a950d210f" ,
"indicator--5a2f9e7f-cbd0-4050-845b-4a58950d210f" ,
"indicator--5a2f9e9a-48a0-4ed3-91fe-825f950d210f" ,
"indicator--5a2f9f45-8874-4ec0-9e5f-7e7d950d210f" ,
"indicator--5a2fa096-2e10-4212-81a1-4a63950d210f" ,
"indicator--5a2fa0d4-3fd4-450d-9d4c-7e7b950d210f" ,
"indicator--89923362-01fd-4462-9078-fa8ec72fb5d9" ,
"x-misp-object--43dfa9b6-ada3-4c52-836c-b9472dacb095" ,
"indicator--9bb176f2-bd20-46fc-b023-173cc70ca916" ,
"x-misp-object--ed40b0bd-3168-4d2b-a6be-55ac4a22f043" ,
"indicator--00aa97a0-e3ba-4abb-9f43-f1050891a7c9" ,
"x-misp-object--24f8e29e-62a4-44f0-a621-8e49495fe6f5" ,
"indicator--b542464d-5ee4-4028-8de3-db54d17c64ce" ,
"x-misp-object--0f1de71f-46a2-475a-87ec-f980d6db213b" ,
"indicator--91f0fa15-c3f6-41d7-bf1b-79bb33f8390b" ,
"x-misp-object--e630b519-28d2-45d2-be53-c5cc2faef367" ,
"indicator--d7de718f-c607-49dd-8c9e-563927bb5164" ,
"x-misp-object--989b543e-eb41-458d-9ac8-e34620fc5226" ,
"x-misp-object--c9a1352e-1cf8-4120-a36a-0ba1412edb36" ,
"x-misp-object--f1c24a94-020b-4842-bd00-554487f85e0c" ,
"x-misp-object--799449bf-c6a1-444f-9361-c8b81002729a" ,
"x-misp-object--d3b462b9-f076-47dd-996e-7b92f83a871d" ,
"x-misp-object--de299626-d70b-4856-8577-71a19b22be1c" ,
"indicator--9bd18f1d-456c-4ba3-b22f-3ac0da8caacf" ,
"x-misp-object--de2cafef-52b7-46ec-b981-f9a5dea89f65" ,
"relationship--39df34dd-9737-442b-9007-95823dfd09bf" ,
"relationship--0a3dd957-54e6-4614-87c6-c87b390e59f1" ,
"relationship--e4b2e4ec-8a4b-4db2-91f5-36099746c1c0" ,
"relationship--4014d8f3-281e-45f3-8fbb-d59301f9e214" ,
"relationship--fb952f42-9c74-4683-9946-d5749255f7f3" ,
"relationship--01732542-1f90-4928-b0e1-cfd761d819be"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"workflow:state=\"incomplete\"" ,
"workflow:todo=\"review-for-false-positive\"" ,
"misp-galaxy:mitre-intrusion-set=\"Carbanak\"" ,
"type:OSINT" ,
"misp-galaxy:tool=\"SSHDoor\"" ,
"misp-galaxy:malpedia=\"SSHDoor\"" ,
"misp-galaxy:malpedia=\"MimiKatz\"" ,
"misp-galaxy:tool=\"Mimikatz\"" ,
"misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5a29b997-3ed0-4604-bfc8-4dcd950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:39.000Z" ,
"modified" : "2017-12-13T17:22:39.000Z" ,
"first_observed" : "2017-12-13T17:22:39Z" ,
"last_observed" : "2017-12-13T17:22:39Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5a29b997-3ed0-4604-bfc8-4dcd950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5a29b997-3ed0-4604-bfc8-4dcd950d210f" ,
"value" : "https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fa0b0-1dac-4180-866f-4933950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:40.000Z" ,
"modified" : "2017-12-13T17:22:40.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.117.88.97']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fa0b1-bab4-4930-8497-4933950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:40.000Z" ,
"modified" : "2017-12-13T17:22:40.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.215.45.116']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fa0b2-14b4-4773-ac02-4933950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:40.000Z" ,
"modified" : "2017-12-13T17:22:40.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.215.46.116']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fa0b2-6704-405c-94d4-4933950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:40.000Z" ,
"modified" : "2017-12-13T17:22:40.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.61.148.96']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fa0b2-b574-43d4-8765-4933950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:40.000Z" ,
"modified" : "2017-12-13T17:22:40.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.61.148.145']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fa0b2-10f8-4461-9ea5-4933950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:40.000Z" ,
"modified" : "2017-12-13T17:22:40.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.86.151.174']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fad90-0854-4508-9b1a-4889950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:40.000Z" ,
"modified" : "2017-12-13T17:22:40.000Z" ,
"description" : "Network Indicators" ,
"pattern" : "[domain-name:value = 'slpar.org']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fad91-5048-4a72-934e-471e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:40.000Z" ,
"modified" : "2017-12-13T17:22:40.000Z" ,
"description" : "Network Indicators" ,
"pattern" : "[domain-name:value = 'centos-repo.org']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fad92-1bf0-4fc7-8825-409b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:40.000Z" ,
"modified" : "2017-12-13T17:22:40.000Z" ,
"description" : "Network Indicators" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.165.29.26']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fad93-02fc-46f3-a23e-4bb5950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:40.000Z" ,
"modified" : "2017-12-13T17:22:40.000Z" ,
"description" : "Network Indicators" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.165.29.27']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fad93-bba0-45ef-a648-45e9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:40.000Z" ,
"modified" : "2017-12-13T17:22:40.000Z" ,
"description" : "Network Indicators" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.45.179.173']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fad94-2034-4a1a-a49e-4826950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:40.000Z" ,
"modified" : "2017-12-13T17:22:40.000Z" ,
"description" : "Network Indicators" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.215.47.122']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fad95-d9d0-4aab-b427-4177950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:40.000Z" ,
"modified" : "2017-12-13T17:22:40.000Z" ,
"description" : "Network Indicators" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.99.14.211']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fad95-7e60-4860-b6fe-42b9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:40.000Z" ,
"modified" : "2017-12-13T17:22:40.000Z" ,
"description" : "Network Indicators" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.215.61.192']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fad96-5484-48ce-b77e-47b3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:40.000Z" ,
"modified" : "2017-12-13T17:22:40.000Z" ,
"description" : "Network Indicators" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.215.44.129']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fb05d-c778-4fbe-b043-4e56950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T11:31:56.000Z" ,
"modified" : "2017-12-13T11:31:56.000Z" ,
"description" : "Host Indicators" ,
"pattern" : "[file:hashes.MD5 = '1bd7d0c3023c55b5df0201cc5d7bbce1']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T11:31:56Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fb05d-35b8-4ab7-a7f0-42e3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T11:31:56.000Z" ,
"modified" : "2017-12-13T11:31:56.000Z" ,
"description" : "Host Indicators" ,
"pattern" : "[file:hashes.MD5 = 'c01fd758abb423c8336ee1bd5035a6c7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T11:31:56Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fb05e-ff64-4760-8516-43bc950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T11:31:56.000Z" ,
"modified" : "2017-12-13T11:31:56.000Z" ,
"description" : "Host Indicators" ,
"pattern" : "[file:hashes.MD5 = '0810d239169a13fc0e2e53fc72d2e5f0']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T11:31:56Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fb05f-6cd0-45a2-99b2-4ff8950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T11:31:56.000Z" ,
"modified" : "2017-12-13T11:31:56.000Z" ,
"description" : "Host Indicators" ,
"pattern" : "[file:hashes.MD5 = 'd66e31794836dfd2c344d0be435c6d12']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T11:31:56Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fb05f-6338-4c73-9185-4dcc950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T11:31:56.000Z" ,
"modified" : "2017-12-13T11:31:56.000Z" ,
"description" : "Host Indicators" ,
"pattern" : "[file:hashes.MD5 = 'e3c061fa0450056e30285fd44a74cd2a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T11:31:56Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fb060-05d0-4bf6-a42d-4598950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T11:31:56.000Z" ,
"modified" : "2017-12-13T11:31:56.000Z" ,
"description" : "Host Indicators" ,
"pattern" : "[file:hashes.MD5 = '90d4cc6d4b81b8c462f5aa7166fee6fb']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T11:31:56Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fb061-92fc-400e-a558-410a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T11:31:56.000Z" ,
"modified" : "2017-12-13T11:31:56.000Z" ,
"description" : "Host Indicators" ,
"pattern" : "[file:hashes.MD5 = 'eb87856732236e1ac7e168fe264f1b43']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T11:31:56Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fb061-28e4-4908-8d24-4c41950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T11:31:56.000Z" ,
"modified" : "2017-12-13T11:31:56.000Z" ,
"description" : "Host Indicators" ,
"pattern" : "[file:hashes.MD5 = '209bc26396e838e4b665fe3d1ccf7787']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T11:31:56Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a310fac-7af4-44fd-b616-da3b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:40.000Z" ,
"modified" : "2017-12-13T17:22:40.000Z" ,
"description" : "Host Indicators - Xchecked via VT: e3c061fa0450056e30285fd44a74cd2a" ,
"pattern" : "[file:hashes.SHA256 = 'e0e2c7d0f740fe2a4e8658ce54dfb6eb3c47c37fe90a44a839e560c685f1f1fa']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a310fac-a020-462a-8ac7-da3b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:40.000Z" ,
"modified" : "2017-12-13T17:22:40.000Z" ,
"description" : "Host Indicators - Xchecked via VT: e3c061fa0450056e30285fd44a74cd2a" ,
"pattern" : "[file:hashes.SHA1 = '8c7659e6ee9fe5ead17cae2969d3148730be509b']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5a310fac-4260-4700-8a51-da3b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:40.000Z" ,
"modified" : "2017-12-13T17:22:40.000Z" ,
"first_observed" : "2017-12-13T17:22:40Z" ,
"last_observed" : "2017-12-13T17:22:40Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5a310fac-4260-4700-8a51-da3b02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5a310fac-4260-4700-8a51-da3b02de0b81" ,
"value" : "https://www.virustotal.com/file/e0e2c7d0f740fe2a4e8658ce54dfb6eb3c47c37fe90a44a839e560c685f1f1fa/analysis/1513123824/"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5bd2e2ab-7b04-4327-acbb-4d71950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-10-26T09:47:23.000Z" ,
"modified" : "2018-10-26T09:47:23.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "This report shares actionable threat intelligence and proven threat hunting and incident response methods used by the RSA Incident Response (IR) Team to successfully respond to an intrusion in early-to-mid 2017 by the threat actor group known as CARBANAK, also known as FIN7. The methodology discussed in this report is designed, and has been tested, to be effective on several currently available security technologies. While the majority of examples shown in this document use the RSA NetWitness\u00ae Suite in their illustrations, the methodology, query logic, and behavioral indicators discussed can be used effectively with any security product providing the necessary visibility. The intrusion and response described in this paper highlight key behavioral tactics, techniques, and procedures (TTP) unique to this engagement, giving significant insight into the thought processes, preparation, and adaptive nature of actors within the CARBANAK threat actor group. This paper also illustrates the RSA Incident Response Team\u2019s Incident Response and Threat Hunting Methodology: an unorthodox, adaptive and highly effective methodology used to successfully detect, investigate, scope, track, contain, and ultimately expel these and many other advanced adversaries."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2f8bf2-f160-4b0f-9e7a-493e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-12T07:57:38.000Z" ,
"modified" : "2017-12-12T07:57:38.000Z" ,
"pattern" : "[file:hashes.MD5 = 'a365fd9076af4d841c84accd58287801' AND file:hashes.SHA1 = 'ba2f90f85cada4be24d925cbff0c2efea6e7f3a8' AND file:name = 'ssh' AND file:size = '1180521']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-12T07:57:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2f8c82-07a8-45b4-9457-4200950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-12T08:00:02.000Z" ,
"modified" : "2017-12-12T08:00:02.000Z" ,
"pattern" : "[file:hashes.MD5 = '9e2e4df27698615df92822646dc9e16b' AND file:hashes.SHA1 = '96e56c39f38b4ef5ac4196ca12742127f286c6fa' AND file:name = 'sshd' AND file:size = '1614437']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-12T08:00:02Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2f8d2a-dec0-4067-b077-4e7d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-10-26T10:07:35.000Z" ,
"modified" : "2018-10-26T10:07:35.000Z" ,
"pattern" : "[file:hashes.MD5 = 'b57dc2bc16dfdb3de55923aef9a98401' AND file:hashes.SHA1 = '1d3501b30183ba213fb4c22a00d89db6fd50cc34' AND file:name = 'auditd' AND file:size = '21616']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-10-26T10:07:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2f8d6f-5e3c-43b1-a21b-4f5b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-12T08:03:59.000Z" ,
"modified" : "2017-12-12T08:03:59.000Z" ,
"pattern" : "[file:hashes.MD5 = 'edce844a219c7534e6a1e7c77c3cb020' AND file:hashes.SHA1 = '286bf53934aa33ddf220d61c394af79221a152f1' AND file:name = 'winexe' AND file:size = '8126714']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-12T08:03:59Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2f8dca-2278-4017-835c-4e9b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-12T08:05:30.000Z" ,
"modified" : "2017-12-12T08:05:30.000Z" ,
"pattern" : "[file:hashes.MD5 = '771fa63231fb42ee97aa17818a53f432' AND file:hashes.SHA1 = '149a9270d9160120229b7c088975c2754e3b5333' AND file:name = 'l' AND file:size = '16333']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-12T08:05:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2f8e07-cd40-4b64-9b3f-4cc0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-12T08:06:31.000Z" ,
"modified" : "2017-12-12T08:06:31.000Z" ,
"pattern" : "[file:hashes.MD5 = '0f1c4a2a795fb58bd3c5724af6f1f71a' AND file:hashes.SHA1 = '039f814cdd4ac6f675c908067d5be1d6f9acc31f' AND file:name = 'pscan' AND file:size = '10340']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-12T08:06:31Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2f8e44-5d50-48a8-be17-4d0a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-10-26T10:07:36.000Z" ,
"modified" : "2018-10-26T10:07:36.000Z" ,
"pattern" : "[file:hashes.MD5 = '370d420948672e04ba8eac10bfe6fc9c' AND file:hashes.SHA1 = '450605b6761ff8dd025978f44724b11e0c5eadcc' AND file:name = 'ctlmon.exe' AND file:size = '4392448']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-10-26T10:07:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2f950e-862c-4a2b-a94e-45a3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-12T08:36:30.000Z" ,
"modified" : "2017-12-12T08:36:30.000Z" ,
"pattern" : "[file:hashes.MD5 = '5ddf9683692154986494ca9dd74b588f' AND file:hashes.SHA1 = '08f527bef45cb001150ef12ad9ab91d1822bb9c7' AND file:name = 'ctlmon_v2.exe' AND file:size = '4047691']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-12T08:36:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2f9576-3c3c-4790-9339-397e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-12T08:38:14.000Z" ,
"modified" : "2017-12-12T08:38:14.000Z" ,
"pattern" : "[file:hashes.MD5 = 'f9766140642c24d422e19e9cf35f2827' AND file:hashes.SHA1 = '7b27771de1a2540008758e9894bfe168f26bffa0' AND file:name = 'ctlmon_v3.exe' AND file:size = '4063744']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-12T08:38:14Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2f95ab-28d4-49bf-ac64-1e00950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-12T08:39:07.000Z" ,
"modified" : "2017-12-12T08:39:07.000Z" ,
"pattern" : "[file:hashes.MD5 = '8b3a91038ecb2f57de5bbd29848b6dc4' AND file:hashes.SHA1 = '54074b3934955d4121d1a01fe2ed5493c3f7f16d' AND file:name = 'svcmd.exe' AND file:size = '47104']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-12T08:39:07Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2f95f0-4c64-4b47-a395-4a58950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-12T08:40:16.000Z" ,
"modified" : "2017-12-12T08:40:16.000Z" ,
"pattern" : "[file:hashes.MD5 = '7393cb0f409f8f51b7745981ac30b8b6' AND file:hashes.SHA1 = '6c17113f66efa5115111a9e67c6ddd026ba9b55d' AND file:name = 'TINYP2.bin' AND file:size = '277504']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-12T08:40:16Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2f9643-08a8-4902-b7f4-4843950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-12T08:41:39.000Z" ,
"modified" : "2017-12-12T08:41:39.000Z" ,
"pattern" : "[file:hashes.MD5 = 'c4d746b8e5e8e12a50a18c9d61e01864' AND file:hashes.SHA1 = 'c020f8939f136b4785dda7b2e4b80ced96e23663' AND file:name = 'ps.exe' AND file:size = '234496']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-12T08:41:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2f99b1-a784-4add-bcf7-4933950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-10-26T10:07:36.000Z" ,
"modified" : "2018-10-26T10:07:36.000Z" ,
"pattern" : "[file:hashes.MD5 = 'bd126a7b59d5d1f97ba89a3e71425731' AND file:hashes.SHA1 = '457b1cd985ed07baffd8c66ff40e9c1b6da93753' AND file:name = 'UIAutomationCore.dll.bin' AND file:size = '401408']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-10-26T10:07:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2f99dc-c454-41e9-a090-458d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-10-26T10:07:36.000Z" ,
"modified" : "2018-10-26T10:07:36.000Z" ,
"pattern" : "[file:hashes.MD5 = 'b3135736bcfdab27f891dbe4009a8c80' AND file:hashes.SHA1 = '9240e1744e7272e59e482f68a10f126fdf501be0' AND file:name = 'pscp.bin' AND file:size = '359336']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-10-26T10:07:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2f9a7d-1ccc-48f4-a0d0-1d7a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-12T08:59:41.000Z" ,
"modified" : "2017-12-12T08:59:41.000Z" ,
"pattern" : "[file:hashes.MD5 = '6499863d47b68030f0c5ffafaffb1344' AND file:hashes.SHA1 = '2197e35f14ff9960985c982ed6d16d5bd5366062' AND file:name = 'xxx32.exe' AND file:size = '528896']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-12T08:59:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2f9e7f-cbd0-4050-845b-4a58950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-12T09:16:47.000Z" ,
"modified" : "2017-12-12T09:16:47.000Z" ,
"pattern" : "[file:hashes.MD5 = '752d245f1026482a967a763dae184569' AND file:hashes.SHA1 = '355603b1922886044884afbdfa9c9a6626b6669a' AND file:name = 'xxx64.exe' AND file:size = '589312']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-12T09:16:47Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2f9e9a-48a0-4ed3-91fe-825f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-12T09:17:14.000Z" ,
"modified" : "2017-12-12T09:17:14.000Z" ,
"pattern" : "[file:hashes.MD5 = 'd406e037f034b89c85758af1a98110be' AND file:hashes.SHA1 = '6bc46528da6cd224fa5e58ccd9df5b05c46c673d' AND file:name = 'ccs.bmp' AND file:size = '82944']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-12T09:17:14Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2f9f45-8874-4ec0-9e5f-7e7d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-10-26T10:07:36.000Z" ,
"modified" : "2018-10-26T10:07:36.000Z" ,
"pattern" : "[file:hashes.MD5 = 'ab8bed25f9ff64a4b07be5d3bc34f26b' AND file:hashes.SHA1 = '42ce9c2bd246a0243fa91309938042e434b39876' AND file:name = 'infos.bmp' AND file:size = '494080']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-10-26T10:07:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fa096-2e10-4212-81a1-4a63950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-12T09:25:42.000Z" ,
"modified" : "2017-12-12T09:25:42.000Z" ,
"pattern" : "[file:hashes.MD5 = 'd825fbd90087d2350e89cbf205a1b71c' AND file:hashes.SHA1 = 'ca5e195692399dca99a4d8299dc9ff816168a6dc' AND file:name = 'pscan.bmp' AND file:size = '65024']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-12T09:25:42Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a2fa0d4-3fd4-450d-9d4c-7e7b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-12T09:26:44.000Z" ,
"modified" : "2017-12-12T09:26:44.000Z" ,
"pattern" : "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '107.181.246.146') AND network-traffic:dst_port = '443']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-12T09:26:44Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"ip-port\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--89923362-01fd-4462-9078-fa8ec72fb5d9" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:43.000Z" ,
"modified" : "2017-12-13T17:22:43.000Z" ,
"pattern" : "[file:hashes.MD5 = 'e3c061fa0450056e30285fd44a74cd2a' AND file:hashes.SHA1 = '8c7659e6ee9fe5ead17cae2969d3148730be509b' AND file:hashes.SHA256 = 'e0e2c7d0f740fe2a4e8658ce54dfb6eb3c47c37fe90a44a839e560c685f1f1fa']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:43Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--43dfa9b6-ada3-4c52-836c-b9472dacb095" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:40.000Z" ,
"modified" : "2017-12-13T17:22:40.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/e0e2c7d0f740fe2a4e8658ce54dfb6eb3c47c37fe90a44a839e560c685f1f1fa/analysis/1513180609/" ,
"category" : "External analysis" ,
"comment" : "Host Indicators" ,
"uuid" : "5a3161e0-7518-48ff-8668-464302de0b81"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "0/67" ,
"category" : "Other" ,
"comment" : "Host Indicators" ,
"uuid" : "5a3161e0-4a20-406c-8f4e-432702de0b81"
} ,
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2017-12-13 15:56:49" ,
"category" : "Other" ,
"comment" : "Host Indicators" ,
"uuid" : "5a3161e0-2548-4a4e-a11f-461402de0b81"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--9bb176f2-bd20-46fc-b023-173cc70ca916" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:43.000Z" ,
"modified" : "2017-12-13T17:22:43.000Z" ,
"pattern" : "[file:hashes.MD5 = 'ab8bed25f9ff64a4b07be5d3bc34f26b' AND file:hashes.SHA1 = '42ce9c2bd246a0243fa91309938042e434b39876' AND file:hashes.SHA256 = '91bde887f6956546c9a5e328e2bf90b1ca2fd28bc9fa39b84701891ee8230e81']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:43Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--ed40b0bd-3168-4d2b-a6be-55ac4a22f043" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:40.000Z" ,
"modified" : "2017-12-13T17:22:40.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/91bde887f6956546c9a5e328e2bf90b1ca2fd28bc9fa39b84701891ee8230e81/analysis/1512663932/" ,
"category" : "External analysis" ,
"uuid" : "5a3161e0-b6a4-44ba-9bc7-4a7002de0b81"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "0/67" ,
"category" : "Other" ,
"uuid" : "5a3161e0-2ffc-4265-a867-4c3202de0b81"
} ,
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2017-12-07 16:25:32" ,
"category" : "Other" ,
"uuid" : "5a3161e0-3b04-46b9-a02c-4cf402de0b81"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--00aa97a0-e3ba-4abb-9f43-f1050891a7c9" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:43.000Z" ,
"modified" : "2017-12-13T17:22:43.000Z" ,
"pattern" : "[file:hashes.MD5 = 'b57dc2bc16dfdb3de55923aef9a98401' AND file:hashes.SHA1 = '1d3501b30183ba213fb4c22a00d89db6fd50cc34' AND file:hashes.SHA256 = '3ed6749bba634ad0f5e888daf0323c85fe73f9cb8fc70c05fb42d53eb7a8b523']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:43Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--24f8e29e-62a4-44f0-a621-8e49495fe6f5" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:41.000Z" ,
"modified" : "2017-12-13T17:22:41.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/3ed6749bba634ad0f5e888daf0323c85fe73f9cb8fc70c05fb42d53eb7a8b523/analysis/1512654000/" ,
"category" : "External analysis" ,
"uuid" : "5a3161e1-b860-4724-ae56-4d9802de0b81"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "15/59" ,
"category" : "Other" ,
"uuid" : "5a3161e1-6e0c-4549-af43-450602de0b81"
} ,
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2017-12-07 13:40:00" ,
"category" : "Other" ,
"uuid" : "5a3161e1-618c-4f11-bdac-4c7e02de0b81"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--b542464d-5ee4-4028-8de3-db54d17c64ce" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:44.000Z" ,
"modified" : "2017-12-13T17:22:44.000Z" ,
"pattern" : "[file:hashes.MD5 = 'b3135736bcfdab27f891dbe4009a8c80' AND file:hashes.SHA1 = '9240e1744e7272e59e482f68a10f126fdf501be0' AND file:hashes.SHA256 = 'b20ba6df30bbb27ae74b2567a81aef66e787591a5ef810bfc9ecd45cb6d3d51e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:44Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--0f1de71f-46a2-475a-87ec-f980d6db213b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:41.000Z" ,
"modified" : "2017-12-13T17:22:41.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/b20ba6df30bbb27ae74b2567a81aef66e787591a5ef810bfc9ecd45cb6d3d51e/analysis/1512431431/" ,
"category" : "External analysis" ,
"uuid" : "5a3161e2-673c-4d02-b7f1-460902de0b81"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "0/67" ,
"category" : "Other" ,
"uuid" : "5a3161e2-4c44-4f90-9448-461502de0b81"
} ,
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2017-12-04 23:50:31" ,
"category" : "Other" ,
"uuid" : "5a3161e2-7180-4ce2-9e15-4f0d02de0b81"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--91f0fa15-c3f6-41d7-bf1b-79bb33f8390b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:45.000Z" ,
"modified" : "2017-12-13T17:22:45.000Z" ,
"pattern" : "[file:hashes.MD5 = 'bd126a7b59d5d1f97ba89a3e71425731' AND file:hashes.SHA1 = '457b1cd985ed07baffd8c66ff40e9c1b6da93753' AND file:hashes.SHA256 = 'a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:45Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--e630b519-28d2-45d2-be53-c5cc2faef367" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:42.000Z" ,
"modified" : "2017-12-13T17:22:42.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599/analysis/1513176180/" ,
"category" : "External analysis" ,
"uuid" : "5a3161e2-ba9c-4b83-b774-4ee902de0b81"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "2/67" ,
"category" : "Other" ,
"uuid" : "5a3161e2-1ddc-4e37-a6e5-4a1d02de0b81"
} ,
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2017-12-13 14:43:00" ,
"category" : "Other" ,
"uuid" : "5a3161e2-6204-4d87-bca0-4b1402de0b81"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--d7de718f-c607-49dd-8c9e-563927bb5164" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:45.000Z" ,
"modified" : "2017-12-13T17:22:45.000Z" ,
"pattern" : "[file:hashes.MD5 = '370d420948672e04ba8eac10bfe6fc9c' AND file:hashes.SHA1 = '450605b6761ff8dd025978f44724b11e0c5eadcc' AND file:hashes.SHA256 = '9d42c2b6a10866842cbb6ab455ee2c3108e79fecbffb72eaf13f05215a826765']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-13T17:22:45Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--989b543e-eb41-458d-9ac8-e34620fc5226" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-13T17:22:42.000Z" ,
"modified" : "2017-12-13T17:22:42.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/9d42c2b6a10866842cbb6ab455ee2c3108e79fecbffb72eaf13f05215a826765/analysis/1512431431/" ,
"category" : "External analysis" ,
"uuid" : "5a3161e2-152c-4e9c-8885-4ae402de0b81"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "33/68" ,
"category" : "Other" ,
"uuid" : "5a3161e2-8d84-4fbd-8c38-490602de0b81"
} ,
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2017-12-04 23:50:31" ,
"category" : "Other" ,
"uuid" : "5a3161e2-3fc8-4bbb-811c-478302de0b81"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--c9a1352e-1cf8-4120-a36a-0ba1412edb36" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-10-26T10:07:36.000Z" ,
"modified" : "2018-10-26T10:07:36.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-10-26 09:45:28" ,
"category" : "Other" ,
"uuid" : "aec805a5-83b1-4d39-add2-491096984907"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/b20ba6df30bbb27ae74b2567a81aef66e787591a5ef810bfc9ecd45cb6d3d51e/analysis/1540547128/" ,
"category" : "External analysis" ,
"uuid" : "74184839-2f88-4a23-b69d-0d13d8c62102"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "0/67" ,
"category" : "Other" ,
"uuid" : "4f0e29fc-09d6-4152-9243-651af8bfb108"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--f1c24a94-020b-4842-bd00-554487f85e0c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-10-26T10:07:38.000Z" ,
"modified" : "2018-10-26T10:07:38.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2017-12-07 13:40:00" ,
"category" : "Other" ,
"uuid" : "a16db00e-858c-4e85-8cdd-3935eafb0e32"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/3ed6749bba634ad0f5e888daf0323c85fe73f9cb8fc70c05fb42d53eb7a8b523/analysis/1512654000/" ,
"category" : "External analysis" ,
"uuid" : "eb41cadf-ee59-43e8-9759-9579024141ff"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "15/59" ,
"category" : "Other" ,
"uuid" : "967b51b7-7183-4d8c-8416-c4dd3f4a383c"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--799449bf-c6a1-444f-9361-c8b81002729a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-10-26T10:07:39.000Z" ,
"modified" : "2018-10-26T10:07:39.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-10-26 06:34:45" ,
"category" : "Other" ,
"uuid" : "1eca75fd-0135-4438-9b98-108913702714"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599/analysis/1540535685/" ,
"category" : "External analysis" ,
"uuid" : "0184c0bd-362e-47d3-87d3-392a1a875865"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "1/65" ,
"category" : "Other" ,
"uuid" : "9b2ff29b-3590-4f10-973d-896279089abf"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--d3b462b9-f076-47dd-996e-7b92f83a871d" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-10-26T10:07:40.000Z" ,
"modified" : "2018-10-26T10:07:40.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-06-18 00:06:58" ,
"category" : "Other" ,
"uuid" : "fe2d043e-f81e-41c8-94d5-780c68b08520"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/9d42c2b6a10866842cbb6ab455ee2c3108e79fecbffb72eaf13f05215a826765/analysis/1529280418/" ,
"category" : "External analysis" ,
"uuid" : "d7b94bd9-d044-4ba3-92d9-09fcf121b98f"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "36/68" ,
"category" : "Other" ,
"uuid" : "63f46b9d-5d23-416f-bba8-76c30370b049"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--de299626-d70b-4856-8577-71a19b22be1c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-10-26T10:07:48.000Z" ,
"modified" : "2018-10-26T10:07:48.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2017-12-07 16:25:32" ,
"category" : "Other" ,
"uuid" : "c49a7d33-16db-499d-a52e-147a32818bbf"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/91bde887f6956546c9a5e328e2bf90b1ca2fd28bc9fa39b84701891ee8230e81/analysis/1512663932/" ,
"category" : "External analysis" ,
"uuid" : "07006736-b056-47cb-9f62-b5fc0da977cf"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "0/67" ,
"category" : "Other" ,
"uuid" : "5e3c1df6-c79f-4d33-a8fc-0343fe4e14fb"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--9bd18f1d-456c-4ba3-b22f-3ac0da8caacf" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-10-26T10:07:53.000Z" ,
"modified" : "2018-10-26T10:07:53.000Z" ,
"pattern" : "[file:hashes.MD5 = '7393cb0f409f8f51b7745981ac30b8b6' AND file:hashes.SHA1 = '6c17113f66efa5115111a9e67c6ddd026ba9b55d' AND file:hashes.SHA256 = 'a1d3fa684d406f82a2d93f4617c5b2dba5b70336db7e7a83b5a2822afe56fb0b']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-10-26T10:07:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--de2cafef-52b7-46ec-b981-f9a5dea89f65" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-10-26T10:07:55.000Z" ,
"modified" : "2018-10-26T10:07:55.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-07-19 12:25:03" ,
"category" : "Other" ,
"uuid" : "5f0cc7ad-b6e0-408c-9006-8ae86e66228c"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/a1d3fa684d406f82a2d93f4617c5b2dba5b70336db7e7a83b5a2822afe56fb0b/analysis/1532003103/" ,
"category" : "External analysis" ,
"uuid" : "e35f9d09-6da2-4827-9556-c49ee43ef0bf"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "21/67" ,
"category" : "Other" ,
"uuid" : "4406a5d5-7d31-43c6-bd2d-9ccad5886875"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--39df34dd-9737-442b-9007-95823dfd09bf" ,
"created" : "2017-12-13T17:22:42.000Z" ,
"modified" : "2017-12-13T17:22:42.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--89923362-01fd-4462-9078-fa8ec72fb5d9" ,
"target_ref" : "x-misp-object--43dfa9b6-ada3-4c52-836c-b9472dacb095"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--0a3dd957-54e6-4614-87c6-c87b390e59f1" ,
"created" : "2017-12-13T17:22:42.000Z" ,
"modified" : "2017-12-13T17:22:42.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--9bb176f2-bd20-46fc-b023-173cc70ca916" ,
"target_ref" : "x-misp-object--ed40b0bd-3168-4d2b-a6be-55ac4a22f043"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--e4b2e4ec-8a4b-4db2-91f5-36099746c1c0" ,
"created" : "2017-12-13T17:22:42.000Z" ,
"modified" : "2017-12-13T17:22:42.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--00aa97a0-e3ba-4abb-9f43-f1050891a7c9" ,
"target_ref" : "x-misp-object--24f8e29e-62a4-44f0-a621-8e49495fe6f5"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--4014d8f3-281e-45f3-8fbb-d59301f9e214" ,
"created" : "2017-12-13T17:22:42.000Z" ,
"modified" : "2017-12-13T17:22:42.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--b542464d-5ee4-4028-8de3-db54d17c64ce" ,
"target_ref" : "x-misp-object--0f1de71f-46a2-475a-87ec-f980d6db213b"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--fb952f42-9c74-4683-9946-d5749255f7f3" ,
"created" : "2017-12-13T17:22:42.000Z" ,
"modified" : "2017-12-13T17:22:42.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--91f0fa15-c3f6-41d7-bf1b-79bb33f8390b" ,
"target_ref" : "x-misp-object--e630b519-28d2-45d2-be53-c5cc2faef367"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--01732542-1f90-4928-b0e1-cfd761d819be" ,
"created" : "2017-12-13T17:22:42.000Z" ,
"modified" : "2017-12-13T17:22:42.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--d7de718f-c607-49dd-8c9e-563927bb5164" ,
"target_ref" : "x-misp-object--989b543e-eb41-458d-9ac8-e34620fc5226"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}