{
"type" : "bundle" ,
"id" : "bundle--571de51c-4f04-491f-b34a-4567950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-17T16:17:00.000Z" ,
"modified" : "2016-05-17T16:17:00.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--571de51c-4f04-491f-b34a-4567950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-17T16:17:00.000Z" ,
"modified" : "2016-05-17T16:17:00.000Z" ,
"name" : "OSINT - TWO BYTES TO $951M (SWIFT payment system abuse)" ,
"published" : "2016-05-17T16:17:14Z" ,
"object_refs" : [
"observed-data--571de55b-62c4-4164-a6b8-4912950d210f" ,
"url--571de55b-62c4-4164-a6b8-4912950d210f" ,
"x-misp-attribute--571de56d-9d20-4984-9f77-475b950d210f" ,
"indicator--571de5a5-b484-480f-bf60-4d4b950d210f" ,
"indicator--571de5a5-c824-4d41-a44b-43da950d210f" ,
"indicator--571de5a5-d18c-4a5a-b7d8-4b30950d210f" ,
"indicator--571de5a5-e3f8-46bb-a301-43ff950d210f" ,
"indicator--571de5be-0198-4c01-a9c7-4bd002de0b81" ,
"indicator--571de5be-2994-4d3e-ae5b-4aef02de0b81" ,
"observed-data--571de5be-97cc-48d7-b0df-432102de0b81" ,
"url--571de5be-97cc-48d7-b0df-432102de0b81" ,
"indicator--571de5be-8280-488c-a1bf-437502de0b81" ,
"indicator--571de5be-f358-4523-b8ee-41a202de0b81" ,
"observed-data--571de5be-941c-4514-b651-4a9202de0b81" ,
"url--571de5be-941c-4514-b651-4a9202de0b81" ,
"indicator--571de5bf-ad68-4e97-8c1b-412702de0b81" ,
"indicator--571de5bf-064c-4a4c-a302-4bdf02de0b81" ,
"observed-data--571de5bf-0df4-421c-bb52-4f7c02de0b81" ,
"url--571de5bf-0df4-421c-bb52-4f7c02de0b81" ,
"indicator--571de5bf-f638-4ae5-820f-473002de0b81" ,
"indicator--571de5bf-0b34-45ba-b14c-44fd02de0b81" ,
"observed-data--571de5bf-b9bc-48f8-9821-478602de0b81" ,
"url--571de5bf-b9bc-48f8-9821-478602de0b81" ,
"indicator--571de5ef-8fa8-4d8e-a3e1-4c79950d210f" ,
"indicator--571de60d-6454-4aa4-b4e7-4352950d210f" ,
"observed-data--571de6a3-4548-4238-8b4d-4396950d210f" ,
"file--571de6a3-4548-4238-8b4d-4396950d210f" ,
"artifact--571de6a3-4548-4238-8b4d-4396950d210f"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"circl:topic=\"finance\"" ,
"type:OSINT"
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--571de55b-62c4-4164-a6b8-4912950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-25T09:37:31.000Z" ,
"modified" : "2016-04-25T09:37:31.000Z" ,
"first_observed" : "2016-04-25T09:37:31Z" ,
"last_observed" : "2016-04-25T09:37:31Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--571de55b-62c4-4164-a6b8-4912950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--571de55b-62c4-4164-a6b8-4912950d210f" ,
"value" : "http://baesystemsai.blogspot.lu/2016/04/two-bytes-to-951m.html"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--571de56d-9d20-4984-9f77-475b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-25T09:37:49.000Z" ,
"modified" : "2016-04-25T09:37:49.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "In February 2016 one of the largest cyber heists was committed and subsequently disclosed. An unknown attacker gained access to the Bangladesh Bank\u2019s (BB) SWIFT payment system and reportedly instructed an American bank to transfer money from BB\u2019s account to accounts in The Philippines. The attackers attempted to steal $951m, of which $81m is still unaccounted for. \r\n\r\nThe technical details of the attack have yet to be made public, however we\u2019ve recently identified tools uploaded to online malware repositories that we believe are linked to the heist. The custom malware was submitted by a user in Bangladesh, and contains sophisticated functionality for interacting with local SWIFT Alliance Access software running in the victim infrastructure. \r\n\r\nThis malware appears to be just part of a wider attack toolkit, and would have been used to cover the attackers\u2019 tracks as they sent forged payment instructions to make the transfers. This would have hampered the detection and response to the attack, giving more time for the subsequent money laundering to take place. \r\n\r\nThe tools are highly configurable and given the correct access could feasibly be used for similar attacks in the future."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--571de5a5-b484-480f-bf60-4d4b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-25T09:38:45.000Z" ,
"modified" : "2016-04-25T09:38:45.000Z" ,
"description" : "evtdiag.exe" ,
"pattern" : "[file:hashes.SHA1 = '525a8e3ae4e3df8c9c61f2a49e38541d196e9228']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-25T09:38:45Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--571de5a5-c824-4d41-a44b-43da950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-25T09:38:45.000Z" ,
"modified" : "2016-04-25T09:38:45.000Z" ,
"description" : "evtsys.exe" ,
"pattern" : "[file:hashes.SHA1 = '76bab478dcc70f979ce62cd306e9ba50ee84e37e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-25T09:38:45Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--571de5a5-d18c-4a5a-b7d8-4b30950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-25T09:38:45.000Z" ,
"modified" : "2016-04-25T09:38:45.000Z" ,
"description" : "nroff_b.exe" ,
"pattern" : "[file:hashes.SHA1 = '70bf16597e375ad691f2c1efa194dbe7f60e4eeb']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-25T09:38:45Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--571de5a5-e3f8-46bb-a301-43ff950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-25T09:38:45.000Z" ,
"modified" : "2016-04-25T09:38:45.000Z" ,
"description" : "gpca.dat" ,
"pattern" : "[file:hashes.SHA1 = '6207b92842b28a438330a2bf0ee8dcab7ef0a163']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-25T09:38:45Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--571de5be-0198-4c01-a9c7-4bd002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-25T09:39:10.000Z" ,
"modified" : "2016-04-25T09:39:10.000Z" ,
"description" : "gpca.dat - Xchecked via VT: 6207b92842b28a438330a2bf0ee8dcab7ef0a163" ,
"pattern" : "[file:hashes.SHA256 = 'b07b37f0246bd436addbe5d702b12485d7bc8a9ef1475b54bff513a18e68fef7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-25T09:39:10Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--571de5be-2994-4d3e-ae5b-4aef02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-25T09:39:10.000Z" ,
"modified" : "2016-04-25T09:39:10.000Z" ,
"description" : "gpca.dat - Xchecked via VT: 6207b92842b28a438330a2bf0ee8dcab7ef0a163" ,
"pattern" : "[file:hashes.MD5 = 'f7272bb1374bf3af193ea1d1845b27fd']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-25T09:39:10Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--571de5be-97cc-48d7-b0df-432102de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-25T09:39:10.000Z" ,
"modified" : "2016-04-25T09:39:10.000Z" ,
"first_observed" : "2016-04-25T09:39:10Z" ,
"last_observed" : "2016-04-25T09:39:10Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--571de5be-97cc-48d7-b0df-432102de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--571de5be-97cc-48d7-b0df-432102de0b81" ,
"value" : "https://www.virustotal.com/file/b07b37f0246bd436addbe5d702b12485d7bc8a9ef1475b54bff513a18e68fef7/analysis/1461049792/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--571de5be-8280-488c-a1bf-437502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-25T09:39:10.000Z" ,
"modified" : "2016-04-25T09:39:10.000Z" ,
"description" : "nroff_b.exe - Xchecked via VT: 70bf16597e375ad691f2c1efa194dbe7f60e4eeb" ,
"pattern" : "[file:hashes.SHA256 = '5b7c970fee7ebe08d50665f278d47d0e34c04acc19a91838de6a3fc63a8e5630']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-25T09:39:10Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--571de5be-f358-4523-b8ee-41a202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-25T09:39:10.000Z" ,
"modified" : "2016-04-25T09:39:10.000Z" ,
"description" : "nroff_b.exe - Xchecked via VT: 70bf16597e375ad691f2c1efa194dbe7f60e4eeb" ,
"pattern" : "[file:hashes.MD5 = '1d0e79feb6d7ed23eb1bf7f257ce4fee']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-25T09:39:10Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--571de5be-941c-4514-b651-4a9202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-25T09:39:10.000Z" ,
"modified" : "2016-04-25T09:39:10.000Z" ,
"first_observed" : "2016-04-25T09:39:10Z" ,
"last_observed" : "2016-04-25T09:39:10Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--571de5be-941c-4514-b651-4a9202de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--571de5be-941c-4514-b651-4a9202de0b81" ,
"value" : "https://www.virustotal.com/file/5b7c970fee7ebe08d50665f278d47d0e34c04acc19a91838de6a3fc63a8e5630/analysis/1460698377/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--571de5bf-ad68-4e97-8c1b-412702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-25T09:39:11.000Z" ,
"modified" : "2016-04-25T09:39:11.000Z" ,
"description" : "evtsys.exe - Xchecked via VT: 76bab478dcc70f979ce62cd306e9ba50ee84e37e" ,
"pattern" : "[file:hashes.SHA256 = 'ae086350239380f56470c19d6a200f7d251c7422c7bc5ce74730ee8bab8e6283']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-25T09:39:11Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--571de5bf-064c-4a4c-a302-4bdf02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-25T09:39:11.000Z" ,
"modified" : "2016-04-25T09:39:11.000Z" ,
"description" : "evtsys.exe - Xchecked via VT: 76bab478dcc70f979ce62cd306e9ba50ee84e37e" ,
"pattern" : "[file:hashes.MD5 = '5d0ffbc8389f27b0649696f0ef5b3cfe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-25T09:39:11Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--571de5bf-0df4-421c-bb52-4f7c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-25T09:39:11.000Z" ,
"modified" : "2016-04-25T09:39:11.000Z" ,
"first_observed" : "2016-04-25T09:39:11Z" ,
"last_observed" : "2016-04-25T09:39:11Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--571de5bf-0df4-421c-bb52-4f7c02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--571de5bf-0df4-421c-bb52-4f7c02de0b81" ,
"value" : "https://www.virustotal.com/file/ae086350239380f56470c19d6a200f7d251c7422c7bc5ce74730ee8bab8e6283/analysis/1461067332/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--571de5bf-f638-4ae5-820f-473002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-25T09:39:11.000Z" ,
"modified" : "2016-04-25T09:39:11.000Z" ,
"description" : "evtdiag.exe - Xchecked via VT: 525a8e3ae4e3df8c9c61f2a49e38541d196e9228" ,
"pattern" : "[file:hashes.SHA256 = '4659dadbf5b07c8c3c36ae941f71b631737631bc3fded2fe2af250ceba98959a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-25T09:39:11Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--571de5bf-0b34-45ba-b14c-44fd02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-25T09:39:11.000Z" ,
"modified" : "2016-04-25T09:39:11.000Z" ,
"description" : "evtdiag.exe - Xchecked via VT: 525a8e3ae4e3df8c9c61f2a49e38541d196e9228" ,
"pattern" : "[file:hashes.MD5 = '24d76abbc0a10e4c977a28b33c879248']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-25T09:39:11Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--571de5bf-b9bc-48f8-9821-478602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-25T09:39:11.000Z" ,
"modified" : "2016-04-25T09:39:11.000Z" ,
"first_observed" : "2016-04-25T09:39:11Z" ,
"last_observed" : "2016-04-25T09:39:11Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--571de5bf-b9bc-48f8-9821-478602de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--571de5bf-b9bc-48f8-9821-478602de0b81" ,
"value" : "https://www.virustotal.com/file/4659dadbf5b07c8c3c36ae941f71b631737631bc3fded2fe2af250ceba98959a/analysis/1461049613/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--571de5ef-8fa8-4d8e-a3e1-4c79950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-25T09:39:59.000Z" ,
"modified" : "2016-04-25T09:39:59.000Z" ,
"description" : "The configuration file contains a list of transaction IDs, some additional environment information, and the following IP address to be used for command-and-control (C&C):" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '196.202.103.174']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-25T09:39:59Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--571de60d-6454-4aa4-b4e7-4352950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-17T16:17:00.000Z" ,
"modified" : "2016-05-17T16:17:00.000Z" ,
"pattern" : "[file:name = '\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Allians\\\\gpca.dat']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-17T16:17:00Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--571de6a3-4548-4238-8b4d-4396950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-25T09:42:59.000Z" ,
"modified" : "2016-04-25T09:42:59.000Z" ,
"first_observed" : "2016-04-25T09:42:59Z" ,
"last_observed" : "2016-04-25T09:42:59Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--571de6a3-4548-4238-8b4d-4396950d210f" ,
"artifact--571de6a3-4548-4238-8b4d-4396950d210f"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--571de6a3-4548-4238-8b4d-4396950d210f" ,
"name" : "http://baesystemsai.blogspot.lu/2016/04/two-bytes-to-951m.html" ,
"content_ref" : "artifact--571de6a3-4548-4238-8b4d-4396950d210f"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--571de6a3-4548-4238-8b4d-4396950d210f" ,
"payload_bin" : " P C F E T 0 N U W V B F I G h 0 b W w + C j x o d G 1 s I H h t b G 5 z P S d o d H R w O i 8 v d 3 d 3 L n c z L m 9 y Z y 8 x O T k 5 L 3 h o d G 1 s J y B 4 b W x u c z p i P S d o d H R w O i 8 v d 3 d 3 L m d v b 2 d s Z S 5 j b 20 v M j A w N S 9 n b W w v Y i c g e G 1 s b n M 6 Z G F 0 Y T 0 n a H R 0 c D o v L 3 d 3 d y 5 n b 29 n b G U u Y 29 t L z I w M D U v Z 21 s L 2 R h d G E n I H h t b G 5 z O m V 4 c H I 9 J 2 h 0 d H A 6 L y 93 d 3 c u Z 29 v Z 2 x l L m N v b S 8 y M D A 1 L 2 d t b C 9 l e H B y J z 4 K P G h l Y W Q + C j x s a W 5 r I G h y Z W Y 9 J 2 h 0 d H A 6 L y 9 m b 250 c y 5 n b 29 n b G V h c G l z L m N v b S 9 j c 3 M / Z m F t a W x 5 P U 9 w Z W 4 r U 2 F u c z o 3 M D A s N D A w L D M w M H x W a W d h f F B U K 1 N l c m l m O j Q w M C w 3 M D A s N D A w a X R h b G l j L D c w M G l 0 Y W x p Y y c g c m V s P S d z d H l s Z X N o Z W V 0 J y 8 + C j x s a W 5 r I G h y Z W Y 9 J 2 h 0 d H A 6 L y 9 m b 250 c y 5 n b 29 n b G V h c G l z L m N v b S 9 j c 3 M / Z m F t a W x 5 P U 9 z d 2 F s Z D o 0 M D A s N z A w L D M w M C c g c m V s P S d z d H l s Z X N o Z W V 0 J y B 0 e X B l P S d 0 Z X h 0 L 2 N z c y c v P g o 8 b W V 0 Y S B j a G F y c 2 V 0 P S d 1 d G Y t O C c v P g o 8 b W V 0 Y S B j b 250 Z W 50 P S d 3 a W R 0 a D 1 k Z X Z p Y 2 U t d 2 l k d G g s I G l u a X R p Y W w t c 2 N h b G U 9 M S 4 w J y B u Y W 1 l P S d 2 a W V 3 c G 9 y d C c v P g o 8 b W V 0 Y S B j b 250 Z W 50 P S d J R T 1 l Z G d l L G N o c m 9 t Z T 0 x J y B o d H R w L W V x d W l 2 P S d Y L V V B L U N v b X B h d G l i b G U n L z 4 K P G 1 l d G E g Y 29 u d G V u d D 0 n d G V 4 d C 9 o d G 1 s O y B j a G F y c 2 V 0 P V V U R i 0 4 J y B o d H R w L W V x d W l 2 P S d D b 250 Z W 50 L V R 5 c G U n L z 4 K P H N j c m l w d C B 0 e X B l P S J 0 Z X h 0 L 2 p h d m F z Y 3 J p c H Q i P i h m d W 5 j d G l v b i g p I H s g K G Z 1 b m N 0 a W 9 u K C l 7 Z n V u Y 3 R p b 24 g Y y h h K X t 0 a G 
l z L n Q 9e307 d G h p c y 50 a W N r P W Z 1 b m N 0 a W 9 u K G E s Y y x i K X t 2 Y X I g Z D 12 b 2 l k I D A h P W I / Y j o o b m V 3 I E R h d G U p L m d l d F R p b W U o K T t 0 a G l z L n R b Y V 0 9 W 2 Q s Y 107 a W Y o d m 9 p Z C A w P T 1 i K X R y e X t 3 a W 5 k b 3 c u Y 29 u c 29 s Z S 50 a W 1 l U 3 R h b X A o I k N T S S 8 i K 2 E p f W N h d G N o K G U p e 319 O 3 R o a X M u d G l j a y g i c 3 R h c n Q i L G 51 b G w s Y S l 9 d m F y I G E 7 d 2 l u Z G 93 L n B l c m Z v c m 1 h b m N l J i Y o Y T 13 a W 5 k b 3 c u c G V y Z m 9 y b W F u Y 2 U u d G l t a W 5 n K T t 2 Y X I g a D 1 h P 25 l d y B j K G E u c m V z c G 9 u c 2 V T d G F y d C k 6 b m V 3 I G M 7 d 2 l u Z G 93 L m p z d G l t a W 5 n P X t U a W 1 l c j p j L G x v Y W Q 6 a H 0 7 a W Y o Y S l 7 d m F y I G I 9 Y S 5 u Y X Z p Z 2 F 0 a W 9 u U 3 R h c n Q s Z T 1 h L n J l c 3 B v b n N l U 3 R h c n Q 7 M D x i J i Z l P j 1 i J i Y o d 2 l u Z G 93 L m p z d G l t a W 5 n L n N y d D 1 l L W I p f W l m K G E p e 3 Z h c i B k P X d p b m R v d y 5 q c 3 R p b W l u Z y 5 s b 2 F k O z A 8 Y i Y m Z T 49 Y i Y m K G Q u d G l j a y g i X 3 d 0 c 3 J 0 I i x 2 b 2 l k I D A s Y i k s Z C 50 a W N r K C J 3 d H N y d F 8 i L A o i X 3 d 0 c 3 J 0 I i x l K S x k L n R p Y 2 s o I n R i c 2 R f I i w i d 3 R z c n R f I i k p f X R y e X t h P W 51 b G w s d 2 l u Z G 93 L m N o c m 9 t Z S Y m d 2 l u Z G 93 L m N o c m 9 t Z S 5 j c 2 k m J i h h P U 1 h d G g u Z m x v b 3 I o d 2 l u Z G 93 L m N o c m 9 t Z S 5 j c 2 k o K S 5 w Y W d l V C k s Z C Y m M D x i J i Y o Z C 50 a W N r K C J f d G J u Z C I s d m 9 p Z C A w L H d p b m R v d y 5 j a H J v b W U u Y 3 N p K C k u c 3 R h c n R F K S x k L n R p Y 2 s o I n R i b m R f I i w i X 3 R i b m Q i L G I p K S k s b n V s b D 0 9 Y S Y m d 2 l u Z G 93 L m d 0 Y k V 4 d G V y b m F s J i Y o Y T 13 a W 5 k b 3 c u Z 3 R i R X h 0 Z X J u Y W w u c G F n Z V Q o K S k s b n V s b D 0 9 Y S Y m d 2 l u 
Z G 93 L m V 4 d G V y b m F s J i Y o Y T 13 a W 5 k b 3 c u Z X h 0 Z X J u Y W w u c G F n Z V Q s Z C Y m M D x i J i Y o Z C 50 a W N r K C J f d G J u Z C I s d m 9 p Z C A w L H d p b m R v d y 5 l e H R l c m 5 h b C 5 z d G F y d E U p L G Q u d G l j a y g i d G J u Z F 8 i L C J f d G J u Z C I s Y i k p K S x h J i Y o d 2 l u Z G 93 L m p z d G l t a W 5 n L n B 0 P W E p f W N h d G N o K G s p e 319 K S g p O 3 d p b m R v d y 50 a W N r Q W J v d m V G b 2 x k P W Z 1 b m N 0 a W 9 u K G M p e 3 Z h c i B h P T A 7 a W Y o Y y 5 v Z m Z z Z X R Q Y X J l b n Q p e 2 R v I G E r P W M u b 2 Z m c 2 V 0 V G 9 w O 3 d o a W x l K G M 9 Y y 5 v Z m Z z Z X R Q Y X J l b n Q p f W M 9 Y T s 3 N T A + P W M m J n d p b m R v d y 5 q c 3 R p b W l u Z y 5 s b 2 F k L n R p Y 2 s o I m F m d C I p f T t 2 Y X I g Z j 0 h M T t m d W 5 j d G l v b i B n K C l 7 Z n x 8 K G Y 9 I T A s d 2 l u Z G 93 L m p z d G l t a W 5 n L m x v Y W Q u d G l j a y g i Z m l y c 3 R T Y 3 J v b G x U a W 1 l I i k p f X d p b m R v d y 5 h Z G R F d m V u d E x p c 3 R l b m V y P 3 d p b m R v d y 5 h Z G R F d m V u d E x p c 3 R l b m V y K C J z Y 3 J v b G w i L G c s I T E p O n d p b m R v d y 5 h d H R h Y 2 h F d m V u d C g i b 25 z Y 3 J v b G w i L G c p O w o g f S k o K T s 8 L 3 N j c m l w d D 4 K P G 1 l d G E g Y 29 u d G V u d D 0 n Y m x v Z 2 d l c i c g b m F t Z T 0 n Z 2 V u Z X J h d G 9 y J y 8 + C j x s a W 5 r I G h y Z W Y 9 J 2 h 0 d H A 6 L y 9 i Y W V z e X N 0 Z W 1 z Y W k u Y m x v Z 3 N w b 3 Q u Y 29 t L m V z L 2 Z h d m l j b 24 u a W N v J y B y Z W w 9 J 2 l j b 24 n I H R 5 c G U 9 J 2 l t Y W d l L 3 g t a W N v b i c v P g o 8 b G l u a y B o c m V m P S d o d H R w O i 8 v Y m F l c 3 l z d G V t c 2 F p L m J s b 2 d z c G 90 L m N v b S 8 y M D E 2 L z A 0 L 3 R 3 b y 1 i e X R l c y 10 b y 0 5 N T F t L m h 0 b W w n I H J l b D 0 n Y 2 F u b 25 p Y 2 F s J y 8 + C j x s a W 5 r I H J l b D 0 i Y W x 0 Z X J u Y X R l I i B 0 
e X B l P S J h c H B s a W N h d G l v b i 9 h d G 9 t K 3 h t b C I g d G l 0 b G U 9 I k J B R S B T e X N 0 Z W 1 z I F R o c m V h d C B S Z X N l Y X J j a C B C b G 9 n I C 0 g Q X R v b S I g a H J l Z j 0 i a H R 0 c D o v L 2 J h Z X N 5 c 3 R l b X N h a S 5 i b G 9 n c 3 B v d C 5 j b 20 v Z m V l Z H M v c G 9 z d H M v Z G V m Y X V s d C I g L z 4 K P G x p b m s g c m V s P S J h b H R l c m 5 h d G U i I H R 5 c G U 9 I m F w c G x p Y 2 F 0 a W 9 u L 3 J z c y t 4 b W w i I H R p d G x l P S J C Q U U g U 3 l z d G V t c y B U a H J l Y X Q g U m V z Z W F y Y 2 g g Q m x v Z y A t I F J T U y I g a H J l Z j 0 i a H R 0 c D o v L 2 J h Z X N 5 c 3 R l b X N h a S 5 i b G 9 n c 3 B v d C 5 j b 20 v Z m V l Z H M v c G 9 z d H M v Z G V m Y X V s d D 9 h b H Q 9 c n N z I i A v P g o 8 b G l u a y B y Z W w 9 I n N l c n Z p Y 2 U u c G 9 z d C I g d H l w Z T 0 i Y X B w b G l j Y X R p b 24 v Y X R v b S t 4 b W w i I H R p d G x l P S J C Q U U g U 3 l z d G V t c y B U a H J l Y X Q g U m V z Z W F y Y 2 g g Q m x v Z y A t I E F 0 b 20 i I G h y Z W Y 9 I m h 0 d H B z O i 8 v d 3 d 3 L m J s b 2 d n Z X I u Y 29 t L 2 Z l Z W R z L z c z N D U 1 M T U w O D U 4 M z g 0 M j I 3 O T k v c G 9 z d H M v Z G V m Y X V s d C I g L z 4 K C j x s a W 5 r I H J l b D 0 i Y W x 0 Z X J u Y X R l I i B 0 e X B l P S J h c H B s a W N h d G l v b i 9 h d G 9 t K 3 h t b C I g d G l 0 b G U 9 I k J B R S B T e X N 0 Z W 1 z I F R o c m V h d C B S Z X N l Y X J j a C B C b G 9 n I C 0 g Q X R v b S I g a H J l Z j 0 i a H R 0 c D o v L 2 J h Z X N 5 c 3 R l b X N h a S 5 i b G 9 n c 3 B v d C 5 j b 20 v Z m V l Z H M v M z U 1 N D Q 2 M D U 2 M z Y w M T Y 4 O D k 4 L 2 N v b W 1 l b n R z L 2 R l Z m F 1 b H Q i I C 8 + C j x s a W 5 r I G h y Z W Y 9 J 2 h 0 d H B z O i 8 v M i 5 i c C 5 i b G 9 n c 3 B v d C 5 j b 20 v L W t K Z z h v N 2 x Z S H p 3 L 1 Z 4 a E 1 s M X F C Q 3 J J L 0 F B Q U F B Q U F B Q W Z B L 24 t V X V y S U k 4 c T J F e X l h 
V W x Z T X d 2 Z 0 5 q V m R X Q T R p S z d P Z 0 N M Y 0 I v c z Y 0 M C 9
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}