2023-04-21 14:44:17 +00:00
{
"type" : "bundle" ,
"id" : "bundle--5ce6aa86-9cd8-4302-9dc9-4a59950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-07-19T09:20:54.000Z" ,
"modified" : "2019-07-19T09:20:54.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5ce6aa86-9cd8-4302-9dc9-4a59950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-07-19T09:20:54.000Z" ,
"modified" : "2019-07-19T09:20:54.000Z" ,
"name" : "OSINT - A journey to Zebrocy land" ,
"published" : "2019-07-19T09:21:33Z" ,
"object_refs" : [
"observed-data--5ce793fc-bc54-401b-9e5b-4a08950d210f" ,
"url--5ce793fc-bc54-401b-9e5b-4a08950d210f" ,
"x-misp-attribute--5ce79415-9bf8-440b-9a53-4159950d210f" ,
"observed-data--5ce7b1db-b884-4b38-a71e-43b4950d210f" ,
"file--5ce7b1db-b884-4b38-a71e-43b4950d210f" ,
"artifact--5ce7b1db-b884-4b38-a71e-43b4950d210f" ,
"indicator--5ce7b861-bc80-4e19-9006-4056950d210f" ,
"indicator--5ce7b861-0228-4ce2-b25a-4385950d210f" ,
"indicator--5ce7beff-ef98-4836-9ab1-44c3950d210f" ,
"indicator--5ce6ac5b-6d34-455b-b17d-765d950d210f" ,
"indicator--5ce7968d-a158-4d3a-aa56-4b70950d210f" ,
"indicator--5ce7c0fb-4f58-487e-b5d6-4593950d210f" ,
"indicator--5ce7c11c-1cec-4498-b21f-4ae8950d210f" ,
"indicator--5ce7c145-8fe8-4bc0-b828-463e950d210f" ,
"indicator--77e080d7-7231-44bb-a661-34fb1e1e2070" ,
"x-misp-object--f315bc29-020c-41cd-8585-cf94f546aa63" ,
2024-04-05 12:15:17 +00:00
"relationship--09cfe96c-cf61-4377-8a2f-cf3465971b94"
2023-04-21 14:44:17 +00:00
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1192\"" ,
"misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1085\"" ,
"misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"" ,
"misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"" ,
"misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053\"" ,
"misp-galaxy:mitre-attack-pattern=\"Component Object Model Hijacking - T1122\"" ,
"misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1060\"" ,
"misp-galaxy:mitre-attack-pattern=\"Disabling Security Tools - T1089\"" ,
"misp-galaxy:mitre-attack-pattern=\"File Deletion - T1107\"" ,
"misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"" ,
"misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"" ,
"misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"" ,
"misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"" ,
"misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"" ,
"misp-galaxy:mitre-attack-pattern=\"Data from Network Shared Drive - T1039\"" ,
"misp-galaxy:mitre-attack-pattern=\"Data from Removable Media - T1025\"" ,
"misp-galaxy:mitre-attack-pattern=\"Data Staged - T1074\"" ,
"misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"" ,
"misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"" ,
"misp-galaxy:mitre-attack-pattern=\"Automated Exfiltration - T1020\"" ,
"misp-galaxy:mitre-attack-pattern=\"Data Encrypted - T1022\"" ,
"misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\"" ,
"misp-galaxy:mitre-attack-pattern=\"Commonly Used Port - T1043\"" ,
"misp-galaxy:mitre-attack-pattern=\"Custom Cryptographic Protocol - T1024\"" ,
"misp-galaxy:mitre-attack-pattern=\"Data Encoding - T1132\"" ,
"misp-galaxy:mitre-attack-pattern=\"Data Obfuscation - T1001\"" ,
"misp-galaxy:mitre-attack-pattern=\"Fallback Channels - T1008\"" ,
"misp-galaxy:mitre-attack-pattern=\"Multilayer Encryption - T1079\"" ,
"misp-galaxy:mitre-attack-pattern=\"Standard Application Layer Protocol - T1071\"" ,
"misp-galaxy:mitre-attack-pattern=\"Standard Cryptographic Protocol - T1032\"" ,
"misp-galaxy:malpedia=\"Zebrocy\"" ,
"misp-galaxy:malpedia=\"Zebrocy (AutoIT)\"" ,
"misp-galaxy:mitre-malware=\"Zebrocy - S0251\"" ,
"misp-galaxy:tool=\"ZEBROCY\"" ,
"ecsirt:intrusions=\"backdoor\"" ,
"veris:action:malware:variety=\"Backdoor\"" ,
"ms-caro-malware:malware-type=\"Backdoor\"" ,
"ms-caro-malware-full:malware-type=\"Backdoor\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"osint:certainty=\"50\"" ,
"workflow:todo=\"expansion\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5ce793fc-bc54-401b-9e5b-4a08950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-05-24T06:49:32.000Z" ,
"modified" : "2019-05-24T06:49:32.000Z" ,
"first_observed" : "2019-05-24T06:49:32Z" ,
"last_observed" : "2019-05-24T06:49:32Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5ce793fc-bc54-401b-9e5b-4a08950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5ce793fc-bc54-401b-9e5b-4a08950d210f" ,
"value" : "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5ce79415-9bf8-440b-9a53-4159950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-05-24T06:49:57.000Z" ,
"modified" : "2019-05-24T06:49:57.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "What happens when a victim is compromised by a backdoor and the operator is controlling it? It\u00e2\u20ac\u2122s a difficult question that is not possible to answer entirely by reverse engineering the code. In this article we will analyze commands sent by the operator to their targets.\r\n\r\nThe Sednit group \u00e2\u20ac\u201c also known as APT28, Fancy Bear, Sofacy or STRONTIUM \u00e2\u20ac\u201c has been operating since at least 2004 and has made headlines frequently in past years.\r\n\r\nRecently, we unveiled the existence of a UEFI rootkit, called LoJax, which we attribute to the Sednit group. This is a first for an APT group, and shows Sednit has access to very sophisticated tools to conduct its espionage operations.\r\n\r\nThree years ago, the Sednit group unleashed new components targeting victims in various countries in the Middle East and Central Asia. Since then, the number and diversity of components has increased drastically. ESET researchers and colleagues from other companies have documented these components; however, in this article we will focus on what\u00e2\u20ac\u2122s beyond the compromise, what the operators do once a victim system is running a Zebrocy Delphi backdoor."
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5ce7b1db-b884-4b38-a71e-43b4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-05-24T08:56:59.000Z" ,
"modified" : "2019-05-24T08:56:59.000Z" ,
"first_observed" : "2019-05-24T08:56:59Z" ,
"last_observed" : "2019-05-24T08:56:59Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5ce7b1db-b884-4b38-a71e-43b4950d210f" ,
"artifact--5ce7b1db-b884-4b38-a71e-43b4950d210f"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5ce7b1db-b884-4b38-a71e-43b4950d210f" ,
"name" : "Figure-1-WM.png" ,
"content_ref" : "artifact--5ce7b1db-b884-4b38-a71e-43b4950d210f"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--5ce7b1db-b884-4b38-a71e-43b4950d210f" ,
"payload_bin" : " i V B O R w 0 K G g o A A A A N S U h E U g A A B Z c A A A K F C A I A A A A / K 0 D V A A A A A X N S R 0 I A r s 4 c 6 Q A A A A R n Q U 1 B A A C x j w v 8 Y Q U A A A A J c E h Z c w A A D s M A A A 7 D A c d v q G Q A A P + l S U R B V H h e 7 N 0 F Y N t G 2 w d w y 2 y H m a l J m k L K z I z r O m Z m 7 K j r 1 v H W j j t m 5 o 6 h w z J z C i m k Y W Y G M 0 r f I 0 t x n c R p s 63 b m u / 9 / z 5 / f a 2 T L J 1 O J 0 3 P 5 X R i O I 6 T A A A A A A A A A A C c 9 q T i / w I A A A A A A A A A n N 7 Q i g E A A A A A A A A A v Q N a M Q A A A A A A A A C g d 0 A r B g A A A A A A A A D 0 D m j F A A A A A A A A A I D e A a 0 Y A A A A A A A A A N A 7 o B U D A A A A A A A A A H o H t G I A A A A A A A A A Q O + A V g w A A A A A A A A A 6 B 3 Q i g E A A A A A A A A A v Q N a M Q A A A A A A A A C g d 0 A r B g A A A A A A A A D 0 D m j F A A A A A A A A A I D e g e E 4 T v w K A A A A A A D w P 4 x t r b d u + s p x b A e r a 5 A w Y i L 8 Z z g J o 1 D K E g c r J 1 + o 6 D d a T I T / e T 1 r x W C d E k Y q Y X A e A w A A A A D A / 0 + c r t n w 0 n W s s U 0 1 b g E T F i + m w n / L Z r Z n b n I U H 9 Z e 9 a R y z H w x 8 V R w F B y 0 7 V / D G Z o p K B a T 4 L / E M b 4 h y l H z 5 C l D x Y T u n a g V g z O 22 Q 9 v c e T v Z 1 s b G L V W F p e m G D 5 L F t V H n H 3 a c j o c 5 b k S m 0 U W k 8 L 4 B o q J A A A A A A A A 3 b O s e s 22 b 43 v f Z 9 J A 0 L F J D g d s K z 5 u x X 2 I 1 v 8 H v y G 8 f E X E / 8e68 Y v z d 89 y x p a J B w r J s F / j p F K f Y M 1 F z + k m n q h m N K N b l s x n J U F p k 8 e d O T v 41 g H I 5 X x i 7 F O a W i c z 5 V P K E b M E R f 6 + 5 w O i V T e o 8 Y v u 0 2 i U I r f u 8e21 J k + e 8 y R u 4 f W L A 2 P 0 1 z 0 o G L Q J H E e A A A A A A B A N / T L z 1 c M m a Z e e J s 4 D a c N t q F C 9 + A c v y d + l U U n i 0 l / A 4 W 6 + m c v 4 f R N E p l c T I L T h M P O B E b 4 L f 3 y x A f a + + i e n K H V 9 N 5 i v i 1 A J m e U G o l c y S h U j E r L N l e Z v 1 v B 6 Z r E 5 f 4 G z m w w r 3 r d 8 N K 1 h l e u t 239 V t J 9 l x C 2 r s z 46 S O 0 p P G t R Y 6 c D D H V K 9 Z p X r n M t v c X z q z n 7 G Z H a Z b p 0 4e5 t k Z x L g A A A A A A Q D c 4 u 0 W i 1 o g T c F p R a T j W e a r 6 T T i K M t m W W j R h n I 7 k C r a 5 y l l 0 W J z s h v d W D O u O H x 3 F m R K l i s 5 l z / Y F R q F 2 V B X Y j 24 X p / 8 q z m Y x f n C / + b v n b I c 32 w 6 s M X 54 n + W 3 d 8 V 5 H b H N N Y b X b 7 W u / d C W t c 268 w f D G z c 7 s n e L 87 p w 1 p T a s 7 Y z K o 1 E K p U w U k a p Z h v K H e X Z 4 m w A A A A A A I D u M M w J / r Y K / 6 V T e 1 z s Z g n n F L / D 6 c b p 5 B x m 8 X s 3 v L V i O J 3 O g v 2 c h J M 4 H Y z K R y J X 8 G 0 Z 7 e j U d u T u F S f + K k f O b v v + P x i l 2 v X R S B i p Z c M n b H 2 F O N u D f d c v z t I j j N r H 1 R n E h 9 M 1 W l a / L 87 r g m 2 p 4 V g H 5 V G c J g z D 6 V v E 7 w A A A A A A A P C / D s N 5 n u Z O c o C 8 t W J I p f L U k Y x c J U 8 d 5 b v 4 U 9 W Y h R K H Q 5 x F G I Z t q h K //1XO6mIJyx5/6YmUkViMbH2ZOOnBUZ4jkcrECSKTO2sKOJtVnOyI4fe2yw6jpxAAAAAAAADA/wveWjEYRjXrKv9nN/re86E8dZgsId2zLwbN5ody/XtkkYmu1ob21bKcRKVhwuLESQ+cwyZ+c6MfdffOV5ncyyyZRyMIAAAAAAAAAPRa3sfFoMhfFpnIaPnX2DAqTeenkJhuftVj8gHjFUNncRaTxGHj7FaOdaqmXiaLSBBne/LSKiFn5N10r5DKujZvMFL0xQAAAAAAAAD4/6AH7RHCGJ8eGJlC/PZXMSqNz40vaC9+WJE+RTVirs8NL2rO6tkLjTiOkStpBeJkJ1JZ1xYWpgfvZwUAAAAAAACA09/JWzG6tAJwp2SkCcY3UL3wVp873/W5/Q3V5PO7X2eXBguFqrsnShgvK2H45QEAAAAAAACg9+tBXwy+70NHp26kCf6tqF3X344fFMPZdVwMhm2t5z+N1WxzDWf1eAuLXBgXo+MDMAq1+AUAAAAAAAAAerMetGJ0HVeCEVsxOLvVUXDQsvZj8zfPmT5+yLzySev6T+1Ht0scdmGBE2Pry227frbtX8cZ28QkD46CA8ZXb+bf6urZw0Imd1bltC2Z2rZkStvS6W33zzCsuMpZWSDO5Z8o6dhNg5Ew6IsBAAAAAAAA8P9CD54o8XzRqUChlNgstp0/65+60PDClabPHjH/8ppl42fmP94xfvyg4ZXr9Suush/ZKi7cDfuRbfpnLjW+fafx9ZsNL9/ANtWIM1w4Y6tp5XL7gdWc1di5YYLj+A4aTruEddIXe/Z2y+r3+UQxq50eNmH43HaP07dyNos4cTKcSc+ZjeIEAAAAAAAAAPy7etAXo9PzI4yMa6o2vHG78b27nCWHOZuZUWkYlZZRqvkvaq2EdTpydhpeucHyy9viT7rgTAbLz685G0olCrlEKrXn7LSs+1icJ7Db+A4aXftWiChRSGckjJSzGIVWDNfyrmQBJcoU3gbL4LHNtcb3l+ifu9Tw3OW2XT+Lqd3gLCbz9y8anqWFLzP//IbE4RBnAAAAAAAAAMC/pQetGB0aBugXUmd1vv3QBr51Q6bo+k4Qvt1BrpSwTvOPL5h/9d6QwbU1OmuKGbnK1QzBMHIl/+SIByYwXDXnWmlofOetE74vhl382G3S4GjVlAspV/ws/t8Oy/MvNPH6XliHzfTpI9bNK53lxxz5e02fPmTP2SPO6orjLD+9bF71iqP0iKM40/Ldc5Y1H4qzAAAAAAAAAODf0oNWDGmXdgS+nULRsb2Ac3088A0KnOXXNxwFB8QUD5zDytlMHfpZ2DwG6XRRz7zC77GfVDOulDg9Oj44nbLEwX5LvuA/937u9+A3/o+tUgyeIs6ljXbILMfns+sTMRKJoyTLkbNLHFtUoWYNLfa9v4nzumCbamz71zAyGb8wfaQy2+6fOJNenA0AAAAAAAAA/4oetGJ07Q3hyWF3jeVJy0j5L54tDlKZxGww//QqZzWJKW4cy49q4blib28SkQZFSAPDxadFBBwrCwiXp0/kP4MmyfuPlYbGiLNIp3ExOI6RKcRuGh2xDVUcn9X2hRkpq2/qsCEPnK5RfLxFIJVyJgOraxYnAQAAAAAAAOBf0YNWjO4aMfgnOxyy+AGaMxf5XLvC58aX1AtulYbG8c0TbgqlI3unszBTnGzH6ZslDluHVXf3PlSWFb+4dTPOBa/rwyP8u1e97SPXZbWUGe9jcJAurRu0YHfL9lIOG9dSx7XUe3zq2LZGvvxZJ9dazx+yjjh9C6VTSXJmQ5ff8j/nDK38Ysa2rmvmhzKhWWa9x6w6Wo9rxSJahmvuZi5lqa2h/bd1HOXTswWKZVma27GZiSad5blsfbnnC3Q4o84jA+0bMunE2f8cp4PPYTf552zmjllyLUO7416GdbJ15c7yPDoEYkontEB9hbOyoFOREv5gNddydqs4LbBb+UShexFfeo3H89ZKdcDjjPZAq6JNOKuKPMfH5ezdVyRxCY7PW3ku19YkpvyLxN038jXzOI6jQ+CRbaq6Xt6aJGCbapwVeULd9sRZzfyaOxW408Gv0LUwf750LhnXtixdGnkBAAAA4P8xuqunG2y6PfYMYQiFqJ1SiLiw09vCXUJaWsZLnNue7mXlHoniMu2friHw6YShG3jxazccBQd0y87p/L5S+hXDqOdcp55/E+MXJCbSTXtlvuGVG9iGiuNjgjrsqjnXay97WJx0sW752vTRUtdjKS5Ou2LAJN/7PxcnPVh+fcf83bPHl3TYlGPP8bn1FXGyI7alVvfIGXyIIrRcsA5ZWJLfI98x/iGu+cfZdv5s/Og+vja4Wi4oblSNp9W+LsztxFl8VP/85ZzV4F6tNCTOb+mX0rBY1/z/D5yFmYZ37uIrq7t1iXUywVF+iz+hwjG8cLVEKvO59jlZ8mDX4vxc49t3OqoK/B/+zrrpK+ua98WHd+hfp4P/OOzy9Ck+N79o/uxx26EN4lnhQkGv5szbVPOut/zylnXrV3y6EOIqNfL4AeqFt8ni+9OUddNKyy9v8Ovko2h
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5ce7b861-bc80-4e19-9006-4056950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-05-24T09:52:46.000Z" ,
"modified" : "2019-05-24T09:52:46.000Z" ,
"description" : "Distribution URL" ,
"pattern" : "[url:value = 'http://45.124.132.127/DOVIDNIL - (2018).zip']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-05-24T09:52:46Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5ce7b861-0228-4ce2-b25a-4385950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-05-24T09:24:49.000Z" ,
"modified" : "2019-05-24T09:24:49.000Z" ,
"pattern" : "[url:value = 'bitly.com/2vZyzgL']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-05-24T09:24:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5ce7beff-ef98-4836-9ab1-44c3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-05-24T09:53:03.000Z" ,
"modified" : "2019-05-24T09:53:03.000Z" ,
"description" : "C&C server" ,
"pattern" : "[url:value = 'http://45.124.132.127/action-center/centerforserviceandaction/service-and-action.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-05-24T09:53:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5ce6ac5b-6d34-455b-b17d-765d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-05-24T07:01:12.000Z" ,
"modified" : "2019-05-24T07:01:12.000Z" ,
"description" : ".exe, displays .doc icon" ,
"pattern" : "[file:name = '\u00d0\u201d\u00d0\u017e\u00d0\u2019I\u00d0\u201d\u00d0\u009dI\u00d0\u0161 - (2018).exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-05-24T07:01:12Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5ce7968d-a158-4d3a-aa56-4b70950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-05-24T07:00:29.000Z" ,
"modified" : "2019-05-24T07:00:29.000Z" ,
"pattern" : "[file:name = '\u00d0\u201d\u00d0\u00be\u00d1\u20ac\u00d1\u0192\u00d1\u2021\u00d0\u00b5\u00d0\u00bd\u00d0\u00bd\u00d1\u008f 97.pdf']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-05-24T07:00:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5ce7c0fb-4f58-487e-b5d6-4593950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-05-24T10:01:31.000Z" ,
"modified" : "2019-05-24T10:01:31.000Z" ,
"description" : "Win32/TrojanDownloader.Sednit.CMT" ,
"pattern" : "[file:hashes.SHA1 = '48f8b152b86bed027b9152725505fbf4a24a39fd']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-05-24T10:01:31Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5ce7c11c-1cec-4498-b21f-4ae8950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-05-24T10:02:04.000Z" ,
"modified" : "2019-05-24T10:02:04.000Z" ,
"description" : "Win32/HackTool.PSWDump.D" ,
"pattern" : "[file:hashes.SHA1 = '1e9f40ef81176190e1ed9a0659473b2226c53f57']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-05-24T10:02:04Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5ce7c145-8fe8-4bc0-b828-463e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-05-24T10:02:45.000Z" ,
"modified" : "2019-05-24T10:02:45.000Z" ,
"description" : "Win32/PSW.Agent.OGE" ,
"pattern" : "[file:hashes.SHA1 = 'bfa26857575c49abb129aac87207f03f2b062e07']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-05-24T10:02:45Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--77e080d7-7231-44bb-a661-34fb1e1e2070" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-07-19T09:20:53.000Z" ,
"modified" : "2019-07-19T09:20:53.000Z" ,
"pattern" : "[file:hashes.MD5 = '5e4e8cab7fcb43ed39b2feac92ddc2e7' AND file:hashes.SHA1 = '48f8b152b86bed027b9152725505fbf4a24a39fd' AND file:hashes.SHA256 = 'b677cce4a844495a20eed2486ef71f4782c06630df34a6ce085880a045a07902']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-07-19T09:20:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--f315bc29-020c-41cd-8585-cf94f546aa63" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-07-19T09:20:54.000Z" ,
"modified" : "2019-07-19T09:20:54.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-06-14T09:31:17" ,
"category" : "Other" ,
"uuid" : "c8f06757-89ce-4b93-8508-e5441a5ea6ae"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/b677cce4a844495a20eed2486ef71f4782c06630df34a6ce085880a045a07902/analysis/1560504677/" ,
"category" : "Payload delivery" ,
"uuid" : "9cb47e12-6ce5-4243-ba79-952caa74b562"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "44/62" ,
"category" : "Payload delivery" ,
"uuid" : "0fb9588d-b59b-4604-b9a2-4c488151806a"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--09cfe96c-cf61-4377-8a2f-cf3465971b94" ,
2023-04-21 14:44:17 +00:00
"created" : "2019-07-19T09:20:54.000Z" ,
"modified" : "2019-07-19T09:20:54.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--77e080d7-7231-44bb-a661-34fb1e1e2070" ,
"target_ref" : "x-misp-object--f315bc29-020c-41cd-8585-cf94f546aa63"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}
