{
"type" : "bundle" ,
"id" : "bundle--57221ede-4084-4c2b-9463-4e1e950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-06-01T09:26:25.000Z" ,
"modified" : "2016-06-01T09:26:25.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--57221ede-4084-4c2b-9463-4e1e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-06-01T09:26:25.000Z" ,
"modified" : "2016-06-01T09:26:25.000Z" ,
"name" : "OSINT - PLATINUM Targeted attacks in South and Southeast Asia" ,
"published" : "2016-06-01T11:50:05Z" ,
"object_refs" : [
"observed-data--57221f02-6b1c-4b51-b40c-462d950d210f" ,
"file--57221f02-6b1c-4b51-b40c-462d950d210f" ,
"artifact--57221f02-6b1c-4b51-b40c-462d950d210f" ,
"vulnerability--57222bfe-4068-4151-aa6d-40a6950d210f" ,
"indicator--57222c60-7300-4608-a6da-407f950d210f" ,
"indicator--57222c76-7a74-4696-bfef-4a72950d210f" ,
"indicator--57222caf-8748-4ea3-9e48-4cd8950d210f" ,
"indicator--57222ccd-c09c-402a-af7b-42a5950d210f" ,
"indicator--57222ce1-6800-4ad5-81d7-461e950d210f" ,
"indicator--57222d07-9af0-482f-ad9a-446d950d210f" ,
"indicator--57222d55-3684-4ca9-8552-4ea1950d210f" ,
"indicator--57222d70-8a40-438e-8d32-411f950d210f" ,
"indicator--57222da1-3824-4b9f-aeaa-48ee950d210f" ,
"indicator--57222dc9-3924-415f-b9af-411e950d210f" ,
"indicator--57222ddc-86f4-4857-a0b7-4d30950d210f" ,
"indicator--57222dee-bc1c-45cd-990c-4384950d210f" ,
"indicator--57222e07-30ec-4c0a-b189-494a950d210f" ,
"indicator--57222e22-aa2c-415e-8a7b-462d950d210f" ,
"indicator--57222e6b-89f4-4baa-9984-4e7b950d210f" ,
"indicator--57222e81-ba14-49a1-adcf-4445950d210f" ,
"indicator--57222ea3-46a4-48aa-a848-4a89950d210f" ,
"indicator--57222ec6-0e78-4173-9f07-4cb8950d210f" ,
"indicator--57222edf-cb54-45e0-bbcc-4210950d210f" ,
"x-misp-attribute--57222f0f-ca58-4844-8763-4c13950d210f" ,
"indicator--57222f56-1be8-471b-a27f-4ce4950d210f" ,
"indicator--57222f57-87fc-44ef-8b30-41c2950d210f" ,
"indicator--57222f57-30c0-40e6-be3f-430e950d210f" ,
"indicator--57222f58-f4c0-423c-9e35-4356950d210f" ,
"indicator--57222f58-75c4-4151-bc5d-4728950d210f" ,
"indicator--57222fe7-e234-4ba0-8667-45b4950d210f" ,
"indicator--57222fe7-82c0-41a5-b39f-4790950d210f" ,
"indicator--57222fe8-e138-41ca-8e0f-48b1950d210f" ,
"indicator--57222fe8-5f0c-45fa-a8ed-4c3b950d210f" ,
"indicator--57222fe9-9958-4f02-9560-4f43950d210f" ,
"indicator--57222fe9-9edc-43b7-bc6a-43b7950d210f" ,
"indicator--57222fe9-515c-4e40-8b67-40cf950d210f" ,
"indicator--57222fea-00b4-4c25-86b6-47b8950d210f" ,
"indicator--57222fea-022c-4a86-8c6e-4760950d210f" ,
"indicator--57222feb-9550-414b-aa37-403b950d210f" ,
"indicator--57223015-2b48-4137-afae-4aaf950d210f" ,
"indicator--57223015-7138-4387-a596-4b3d950d210f" ,
"indicator--57223016-2264-4e5f-8211-4468950d210f" ,
"indicator--57223016-b9bc-4df8-934c-4076950d210f" ,
"indicator--57223016-cb40-4ea5-b383-4511950d210f" ,
"indicator--57223017-2e54-4205-9c7b-485e950d210f" ,
"indicator--57223017-99cc-41de-abc6-4f39950d210f" ,
"indicator--57223018-d2f0-4939-b72b-46e0950d210f" ,
"indicator--57223018-368c-428b-a315-4482950d210f" ,
"indicator--57223018-bde4-46d2-b4a1-4a67950d210f" ,
"indicator--57223019-3f84-4531-b4db-45ed950d210f" ,
"indicator--57223019-2de8-4914-b9a9-4b15950d210f" ,
"indicator--5722301a-b6d0-4690-b82c-447a950d210f" ,
"indicator--5722301a-6a0c-4bd3-973c-4cf3950d210f" ,
"indicator--5722301a-264c-4eb4-8e87-4f0f950d210f" ,
"x-misp-attribute--57223037-e7e0-4004-8cfe-424d950d210f" ,
"indicator--572230b7-32b8-4f91-8c2a-47cd02de0b81" ,
"indicator--572230b8-3e68-44d6-9b51-4f7502de0b81" ,
"observed-data--572230b8-2b30-4d0e-b33d-487802de0b81" ,
"url--572230b8-2b30-4d0e-b33d-487802de0b81" ,
"indicator--572230b8-dbac-426b-a9ac-4cbe02de0b81" ,
"indicator--572230b9-c428-47ce-a5f3-42ed02de0b81" ,
"observed-data--572230b9-3bd4-4ae8-9fb0-443602de0b81" ,
"url--572230b9-3bd4-4ae8-9fb0-443602de0b81" ,
"indicator--572230b9-7c5c-44a4-9840-435d02de0b81" ,
"indicator--572230ba-e524-4a2d-8640-4af602de0b81" ,
"observed-data--572230ba-8100-4cb3-851a-49b602de0b81" ,
"url--572230ba-8100-4cb3-851a-49b602de0b81" ,
"indicator--572230ba-0d08-41d7-9bc8-4b4e02de0b81" ,
"indicator--572230bb-c9d4-44d2-a86b-467002de0b81" ,
"observed-data--572230bb-817c-4de6-a794-42d302de0b81" ,
"url--572230bb-817c-4de6-a794-42d302de0b81" ,
"indicator--572230bc-4f94-48a2-9906-48ca02de0b81" ,
"indicator--572230bc-6474-420c-aad7-466502de0b81" ,
"observed-data--572230bc-23f4-44b5-82af-405902de0b81" ,
"url--572230bc-23f4-44b5-82af-405902de0b81" ,
"vulnerability--572301cb-39dc-48ab-8569-4bbc950d210f" ,
"vulnerability--57230233-264c-4424-9865-4b32950d210f" ,
"observed-data--57230362-94fc-4f8a-8e59-4696950d210f" ,
"windows-registry-key--57230362-94fc-4f8a-8e59-4696950d210f" ,
"observed-data--57230368-035c-4607-af86-4634950d210f" ,
"windows-registry-key--57230368-035c-4607-af86-4634950d210f" ,
"observed-data--57230368-52dc-4e88-92c0-48cf950d210f" ,
"windows-registry-key--57230368-52dc-4e88-92c0-48cf950d210f" ,
"observed-data--57230368-4350-45bb-a5ef-4a2f950d210f" ,
"windows-registry-key--57230368-4350-45bb-a5ef-4a2f950d210f" ,
"observed-data--57230369-2ca4-487e-81c1-4f49950d210f" ,
"windows-registry-key--57230369-2ca4-487e-81c1-4f49950d210f" ,
"observed-data--57230369-3458-43b5-b0b4-474c950d210f" ,
"windows-registry-key--57230369-3458-43b5-b0b4-474c950d210f" ,
"observed-data--57228030-4c14-48c9-899f-45a202de0b81" ,
"url--57228030-4c14-48c9-899f-45a202de0b81" ,
"observed-data--57228030-5328-4860-976e-42a802de0b81" ,
"url--57228030-5328-4860-976e-42a802de0b81"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"type:OSINT"
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57221f02-6b1c-4b51-b40c-462d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T14:32:34.000Z" ,
"modified" : "2016-04-28T14:32:34.000Z" ,
"first_observed" : "2016-04-28T14:32:34Z" ,
"last_observed" : "2016-04-28T14:32:34Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--57221f02-6b1c-4b51-b40c-462d950d210f" ,
"artifact--57221f02-6b1c-4b51-b40c-462d950d210f"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--57221f02-6b1c-4b51-b40c-462d950d210f" ,
"name" : "Platinum feature article - Targeted attacks in South and Southeast Asia April 2016.pdf" ,
"content_ref" : "artifact--57221f02-6b1c-4b51-b40c-462d950d210f"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--57221f02-6b1c-4b51-b40c-462d950d210f" ,
"payload_bin" : " J V B E R i 0 x L j Y N J e L j z 9 M N C j I 4 O T Q g M C B v Y m o N P D w v T G l u Z W F y a X p l Z C A x L 0 w g N T Q y M z U 4 N S 9 P I D I 4 O T Y v R S A 0 N D c 0 M T Q 5 L 0 4 g M z I v V C A 1 N D I y N j c x L 0 g g W y A 0 O D g g N j c 1 X T 4 + D W V u Z G 9 i a g 0 g I C A g I C A g D Q o y O T A 2 I D A g b 2 J q D T w 8 L 0 R l Y 29 k Z V B h c m 1 z P D w v Q 29 s d W 1 u c y A 0 L 1 B y Z W R p Y 3 R v c i A x M j 4 + L 0 Z p b H R l c i 9 G b G F 0 Z U R l Y 29 k Z S 9 J R F s 8 N 0 Q 3 N k E w R j V D M T J F R T c 0 N 0 J G M j E 5 Q T U 5 M D A 4 M k I 5 O U E + P E U w N j Y 4 Q z Y y R U Q 5 R D N D N E E 5 M T F D M U Y 1 N 0E3 Q z d G N T l E P l 0 v S W 5 k Z X h b M j g 5 N C A y N F 0 v S W 5 m b y A y O D k z I D A g U i 9 M Z W 5 n d G g g N z Q v U H J l d i A 1 N D I y N j c y L 1 J v b 3 Q g M j g 5 N S A w I F I v U 2 l 6 Z S A y O T E 4 L 1 R 5 c G U v W F J l Z i 9 X W z E g M i A x X T 4 + c 3 R y Z W F t D Q p o 3 m J i Z B B g Y G J g q Q Y S j P t B h B q Q 4 A g B E s w B Q I K p D 0 g Y m I E k 4 o C E x D S Q 2 F w g w f 8 T S E w W Y m B i 5 L 4 L Z D E w M B J N / P 82 / T t A g A E A U 9 Y L G w 0 K Z W 5 k c 3 R y Z W F t D W V u Z G 9 i a g 1 z d G F y d H h y Z W Y N C j A N C i U l R U 9 G D Q o g I C A g I C A g D Q o y O T E 3 I D A g b 2 J q D T w 8 L 0 M g N z I 5 L 0 Z p b H R l c i 9 G b G F 0 Z U R l Y 29 k Z S 9 J I D c 1 M y 9 M Z W 5 n d G g g N T c z L 0 8 g N j k x L 1 M g N T Y 3 L 1 Y g N z A 3 P j 5 z d H J l Y W 0 N C m j e t F L N a x N B F P / N Z v L R p D G 7 a p O Y E J O q l A o 9 x M Y 0 C R j Z u m l M C 8 U Y j L Z i 6 R 5 y q I d A x C q W G t 1 A k F U R 4 k E o g l h U U h A P i q C l V A l S D w p t F Q M G D x 6 q 4E0 s B U H o w Z m U 1 r / A Y W Z + H + / N g 5 l 5 A A Q 2 Z 0 A B 8 z h c + D d c z D O x Z S n 3 k u 47 O 0 V R k o 7 s 4 A G 9 s E R y d d I W x F y a + G v h J 3 L H d u G S 1 T D x g o 5 P 4 b R u c 6 n e s 9 N k r j a 0 C t s z u F 9 j l 4 q c 
j t W A 8 / e 0 66 F s f o N 4 C c b D E D / A O 4 v e A F R g D Y K N 1 Q 7 d u l u u X v u T f / d z c i k U C v U A / q 6 Z R d r 9 X q w p x X 3 L a a W S z Y 3 G Z S V m T B S D S v h C + Y C m F K u J f E 25 L D M y K L 1 s p Z F F n h x e G G a h d o l G v s S T m R j x Z h d G D 4 n 1 G G m j k c 8 S P 3 U s / Z 3 m 3 / J q p f O V E 0 m y z X z / T N J X L C g D h n r M R P v S S j H l G A l V p J N O G v U f V I h 97 R M 7 M s z 8 q I O T U 8 s 0 H B j 8 V p G y 90 o / 1 I n G 7 o v m L V K y f w Q p 6 e y 1 d J C e M V 3 X m h S U a 7 c O C 2 B k l O o Q o s x h E c m p b 2 b t Y d I 41 F S U 7 z T F D C T 0 Z o E + D k K n R i Q 310 I n 39 F 0 N c v m N I 1 p 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
} ,
{
"type" : "vulnerability" ,
"spec_version" : "2.1" ,
"id" : "vulnerability--57222bfe-4068-4151-aa6d-40a6950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:27:58.000Z" ,
"modified" : "2016-04-28T15:27:58.000Z" ,
"name" : "CVE-2015-2545" ,
"labels" : [
"misp:type=\"vulnerability\"" ,
"misp:category=\"Payload delivery\""
] ,
"external_references" : [
{
"source_name" : "cve" ,
"external_id" : "CVE-2015-2545"
}
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222c60-7300-4608-a6da-407f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-29T07:05:07.000Z" ,
"modified" : "2016-04-29T07:05:07.000Z" ,
"pattern" : "[rule Trojan_Win32_PlaSrv : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Hotpatching Injector\"\r\noriginal_sample_sha1 = \"ff7f949da665ba8ce9fb01da357b51415634eaad\"\r\nunpacked_sample_sha1 = \"dff2fee984ba9f5a8f5d97582c83fca4fa1fe131\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$Section_name = \".hotp1\"\r\n$offset_x59 = { C7 80 64 01 00 00 00 00 01 00 }\r\ncondition:\r\n$Section_name and $offset_x59\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-29T07:05:07Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222c76-7a74-4696-bfef-4a72950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:29:58.000Z" ,
"modified" : "2016-04-28T15:29:58.000Z" ,
"pattern" : "[rule Trojan_Win32_Platual : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Installer component\"\r\noriginal_sample_sha1 = \"e0ac2ae221328313a7eee33e9be0924c46e2beb9\"\r\nunpacked_sample_sha1 = \"ccaf36c2d02c3c5ca24eeeb7b1eae7742a23a86a\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$class_name = \"AVCObfuscation\"\r\n$scrambled_dir = { A8 8B B8 E3 B1 D7 FE 85 51 32 3E C0 F1 B7 73 99 }\r\ncondition:\r\n$class_name and $scrambled_dir\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:29:58Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222caf-8748-4ea3-9e48-4cd8950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:30:55.000Z" ,
"modified" : "2016-04-28T15:30:55.000Z" ,
"pattern" : "[rule Trojan_Win32_Plaplex : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Variant of the JPin backdoor\"\r\noriginal_sample_sha1 = \"ca3bda30a3cdc15afb78e54fa1bbb9300d268d66\"\r\nunpacked_sample_sha1 = \"2fe3c80e98bbb0cf5a0c4da286cd48ec78130a24\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$class_name1 = \"AVCObfuscation\"\r\n$class_name2 = \"AVCSetiriControl\"\r\ncondition:\r\n$class_name1 and $class_name2\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:30:55Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222ccd-c09c-402a-af7b-42a5950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:31:25.000Z" ,
"modified" : "2016-04-28T15:31:25.000Z" ,
"pattern" : "[rule Trojan_Win32_Dipsind_B : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Dipsind Family\"\r\nsample_sha1 = \"09e0dfbb5543c708c0dd6a89fd22bbb96dc4ca1c\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$frg1 = {8D 90 04 01 00 00 33 C0 F2 AE F7 D1 2B F9 8B C1 8B F7 8B FA C1 E9 02 F3\r\nA5 8B C8 83 E1 03 F3 A4 8B 4D EC 8B 15 ?? ?? ?? ?? 89 91 ?? 07 00 00 }\r\n$frg2 = {68 A1 86 01 00 C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA}\r\n$frg3 = {C0 E8 07 D0 E1 0A C1 8A C8 32 D0 C0 E9 07 D0 E0 0A C8 32 CA 80 F1 63}\r\ncondition:\r\n$frg1 and $frg2 and $frg3\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:31:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222ce1-6800-4ad5-81d7-461e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:31:45.000Z" ,
"modified" : "2016-04-28T15:31:45.000Z" ,
"pattern" : "[rule Trojan_Win32_PlaKeylog_B : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Keylogger component\"\r\noriginal_sample_sha1 = \"0096a3e0c97b85ca75164f48230ae530c94a2b77\"\r\nunpacked_sample_sha1 = \"6a1412daaa9bdc553689537df0a004d44f8a45fd\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$hook = {C6 06 FF 46 C6 06 25}\r\n$dasm_engine = {80 C9 10 88 0E 8A CA 80 E1 07 43 88 56 03 80 F9 05}\r\ncondition:\r\n$hook and $dasm_engine\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:31:45Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222d07-9af0-482f-ad9a-446d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:32:23.000Z" ,
"modified" : "2016-04-28T15:32:23.000Z" ,
"pattern" : "[rule Trojan_Win32_Adupib : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Adupib SSL Backdoor\"\r\noriginal_sample_sha1 = \"d3ad0933e1b114b14c2b3a2c59d7f8a95ea0bcbd\"\r\nunpacked_sample_sha1 = \"a80051d5ae124fd9e5cc03e699dd91c2b373978b\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = \"POLL_RATE\"\r\n$str2 = \"OP_TIME(end hour)\"\r\n$str3 = \"%d:TCP:*:Enabled\"\r\n$str4 = \"%s[PwFF_cfg%d]\"\r\n$str5 = \"Fake_GetDlgItemTextW: ***value***=\"\r\ncondition:\r\n$str1 and $str2 and $str3 and $str4 and $str5\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:32:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222d55-3684-4ca9-8552-4ea1950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-29T07:05:16.000Z" ,
"modified" : "2016-04-29T07:05:16.000Z" ,
"pattern" : "[rule Trojan_Win32_Plagon : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Dipsind variant\"\r\noriginal_sample_sha1 = \"48b89f61d58b57dba6a0ca857bce97bab636af65\"\r\nunpacked_sample_sha1 = \"6dccf88d89ad7b8611b1bc2e9fb8baea41bdb65a\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 =\"VPLRXZHTU\"\r\n$str2 ={64 6F 67 32 6A 7E 6C}\r\n$str3 =\"Dqpqftk(Wou\\\"Isztk)\"\r\n$str4 =\"StartThreadAtWinLogon\"\r\ncondition:\r\n$str1 and $str2 and $str3 and $str4\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-29T07:05:16Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222d70-8a40-438e-8d32-411f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-29T07:05:20.000Z" ,
"modified" : "2016-04-29T07:05:20.000Z" ,
"pattern" : "[rule Trojan_Win32_Plakelog : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Raw-input based keylogger\"\r\noriginal_sample_sha1 = \"3907a9e41df805f912f821a47031164b6636bd04\"\r\nunpacked_sample_sha1 = \"960feeb15a0939ec0b53dcb6815adbf7ac1e7bb2\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 =\"<0x02>\" wide\r\n$str2 =\"[CTR-BRK]\" wide\r\n$str3 =\"[/WIN]\" wide\r\n$str4 ={8A 16 8A 18 32 DA 46 88 18 8B 15 08 E6 42 00 40 41 3B CA 72 EB 5E 5B}\r\ncondition:\r\n$str1 and $str2 and $str3 and $str4\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-29T07:05:20Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222da1-3824-4b9f-aeaa-48ee950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-29T07:05:23.000Z" ,
"modified" : "2016-04-29T07:05:23.000Z" ,
"pattern" : "[rule Trojan_Win32_Plainst : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Installer component\"\r\noriginal_sample_sha1 = \"99c08d31af211a0e17f92dd312ec7ca2b9469ecb\"\r\nunpacked_sample_sha1 = \"dcb6cf7cf7c8fdfc89656a042f81136bda354ba6\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = {66 8B 14 4D 18 50 01 10 8B 45 08 66 33 14 70 46 66 89 54 77 FE 66 83 7C 77 FE 00 75 B7 8B 4D FC 89 41 08 8D 04 36 89 41 0C 89 79 04}\r\n$str2 = {4b D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97}\r\ncondition:\r\n$str1 and $str2\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-29T07:05:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222dc9-3924-415f-b9af-411e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:35:37.000Z" ,
"modified" : "2016-04-28T15:35:37.000Z" ,
"pattern" : "[rule Trojan_Win32_Plagicom : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Installer component\"\r\noriginal_sample_sha1 = \"99dcb148b053f4cef6df5fa1ec5d33971a58bd1e\"\r\nunpacked_sample_sha1 = \"c1c950bc6a2ad67488e675da4dfc8916831239a7\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = {C6 44 24 ?? 68 C6 44 24 ?? 4D C6 44 24 ?? 53 C6 44 24 ?? 56 C6 44 24 ??\r\n00}\r\n$str2 = \"OUEMM/EMM\"\r\n$str3 = {85 C9 7E 08 FE 0C 10 40 3B C1 7C F8 C3}\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:35:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222ddc-86f4-4857-a0b7-4d30950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:35:56.000Z" ,
"modified" : "2016-04-28T15:35:56.000Z" ,
"pattern" : "[rule Trojan_Win32_Plaklog : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Hook-based keylogger\"\r\noriginal_sample_sha1 = \"831a5a29d47ab85ee3216d4e75f18d93641a9819\"\r\nunpacked_sample_sha1 = \"e18750207ddbd939975466a0e01bd84e75327dda\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = \"++[%s^^unknown^^%s]++\"\r\n$str2 = \"vtfs43/emm\"\r\n$str3 = {33 C9 39 4C 24 08 7E 10 8B 44 24 04 03 C1 80 00 08 41 3B 4C 24 08 7C F0\r\nC3}\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:35:56Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222dee-bc1c-45cd-990c-4384950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:36:14.000Z" ,
"modified" : "2016-04-28T15:36:14.000Z" ,
"pattern" : "[rule Trojan_Win32_Plapiio : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"JPin backdoor\"\r\noriginal_sample_sha1 = \"3119de80088c52bd8097394092847cd984606c88\"\r\nunpacked_sample_sha1 = \"3acb8fe2a5eb3478b4553907a571b6614eb5455c\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = \"ServiceMain\"\r\n$str2 = \"Startup\"\r\n$str3 = {C6 45 ?? 68 C6 45 ?? 4D C6 45 ?? 53 C6 45 ?? 56 C6 45 ?? 6D C6 45 ?? 6D}\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:36:14Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222e07-30ec-4c0a-b189-494a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-06-01T09:26:25.000Z" ,
"modified" : "2016-06-01T09:26:25.000Z" ,
"pattern" : "[rule Trojan_Win32_Plabit : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Installer component\"\r\nsample_sha1 = \"6d1169775a552230302131f9385135d385efd166\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = {4b D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97}\r\n$str2 = \"GetInstanceW\"\r\n$str3 = {8B D0 83 E2 1F 8A 14 0A 30 14 30 40 3B 44 24 04 72 EE}\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-06-01T09:26:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222e22-aa2c-415e-8a7b-462d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:37:06.000Z" ,
"modified" : "2016-04-28T15:37:06.000Z" ,
"pattern" : "[rule Trojan_Win32_Placisc2 : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Dipsind variant\"\r\noriginal_sample_sha1 = \"bf944eb70a382bd77ee5b47548ea9a4969de0527\"\r\nunpacked_sample_sha1 = \"d807648ddecc4572c7b04405f496d25700e0be6e\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = {76 16 8B D0 83 E2 07 8A 4C 14 24 8A 14 18 32 D1 88 14 18 40 3B C7 72 EA\r\n}\r\n$str2 = \"VPLRXZHTU\"\r\n$str3 = \"%d) Command:%s\"\r\n$str4 = {0D 0A 2D 2D 2D 2D 2D 09 2D 2D 2D 2D 2D 2D 0D 0A}\r\ncondition:\r\n$str1 and $str2 and $str3 and $str4\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:37:06Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222e6b-89f4-4baa-9984-4e7b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:38:19.000Z" ,
"modified" : "2016-04-28T15:38:19.000Z" ,
"pattern" : "[rule Trojan_Win32_Placisc3 : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Dipsind variant\"\r\noriginal_sample_sha1 = \"1b542dd0dacfcd4200879221709f5fa9683cdcda\"\r\nunpacked_sample_sha1 = \"bbd4992ee3f3a3267732151636359cf94fb4575d\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = {BA 6E 00 00 00 66 89 95 ?? ?? FF FF B8 73 00 00 00 66 89 85 ?? ?? FF FF\r\nB9 64 00 00 00 66 89 8D ?? ?? FF FF BA 65 00 00 00 66 89 95 ?? ?? FF FF B8 6C 00 00\r\n00}\r\n$str2 = \"VPLRXZHTU\"\r\n$str3 = {8B 44 24 ?? 8A 04 01 41 32 C2 3B CF 7C F2 88 03}\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:38:19Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222e81-ba14-49a1-adcf-4445950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:38:41.000Z" ,
"modified" : "2016-04-28T15:38:41.000Z" ,
"pattern" : "[rule Trojan_Win32_Placisc4 : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Installer for Dipsind variant\"\r\noriginal_sample_sha1 = \"3d17828632e8ff1560f6094703ece5433bc69586\"\r\nunpacked_sample_sha1 = \"2abb8e1e9cac24be474e4955c63108ff86d1a034\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = {8D 71 01 8B C6 99 BB 0A 00 00 00 F7 FB 0F BE D2 0F BE 04 39 2B C2 88 04\r\n39 84 C0 74 0A}\r\n$str2 = {6A 04 68 00 20 00 00 68 00 00 40 00 6A 00 FF D5}\r\n$str3 = {C6 44 24 ?? 64 C6 44 24 ?? 6F C6 44 24 ?? 67 C6 44 24 ?? 32 C6 44 24 ??\r\n6A}\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:38:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222ea3-46a4-48aa-a848-4a89950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:39:15.000Z" ,
"modified" : "2016-04-28T15:39:15.000Z" ,
"pattern" : "[rule Trojan_Win32_Plakpers : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Injector / loader component\"\r\noriginal_sample_sha1 = \"fa083d744d278c6f4865f095cfd2feabee558056\"\r\nunpacked_sample_sha1 = \"3a678b5c9c46b5b87bfcb18306ed50fadfc6372e\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = \"MyFileMappingObject\"\r\n$str2 = \"[%.3u] %s %s %s [%s:\" wide\r\n$str3 = \"%s\\\\{%s}\\\\%s\" wide\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:39:15Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222ec6-0e78-4173-9f07-4cb8950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:39:50.000Z" ,
"modified" : "2016-04-28T15:39:50.000Z" ,
"pattern" : "[rule Trojan_Win32_Plainst2 : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Zc tool\"\r\noriginal_sample_sha1 = \"3f2ce812c38ff5ac3d813394291a5867e2cddcf2\"\r\nunpacked_sample_sha1 = \"88ff852b1b8077ad5a19cc438afb2402462fbd1a\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = \"Connected [%s:%d]...\"\r\n$str2 = \"reuse possible: %c\"\r\n$str3 = \"] => %d%%\\x0a\"\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:39:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222edf-cb54-45e0-bbcc-4210950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:40:15.000Z" ,
"modified" : "2016-04-28T15:40:15.000Z" ,
"pattern" : "[rule Trojan_Win32_Plakpeer : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Zc tool v2\"\r\noriginal_sample_sha1 = \"2155c20483528377b5e3fde004bb604198463d29\"\r\nunpacked_sample_sha1 = \"dc991ef598825daabd9e70bac92c79154363bab2\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = \"@@E0020(%d)\" wide\r\n$str2 = /exit.{0,3}@exit.{0,3}new.{0,3}query.{0,3}rcz.{0,3}scz/ wide\r\n$str3 = \"---###---\" wide\r\n$str4 = \"---@@@---\" wide\r\ncondition:\r\n$str1 and $str2 and $str3 and $str4\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:40:15Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--57222f0f-ca58-4844-8763-4c13950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:41:03.000Z" ,
"modified" : "2016-04-28T15:41:03.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "PLATINUM: Targeted attacks in South\r\nand Southeast Asia\r\nMicrosoft proactively monitors the threat landscape for emerging threats. Part of this job involves\r\nkeeping tabs on targeted activity groups, which are often the first ones to introduce new exploits and\r\ntechniques that are later used widely by other attackers. In the previous volume, \u201cSTRONTIUM: A\r\nprofile of a persistent and motivated adversary,\u201d on page 3 of Microsoft Security Intelligence Report,\r\nVolume 19 (January\u2013June 2015), chronicled the activities of one such group, which had attracted\r\ninterest because of its aggressive, persistent tactics and techniques as well as its repeated use of new\r\nzero-day exploits to attack its targets.\r\nThis section describes the history, behavior, and tactics of a newly discovered targeted activity group,\r\nwhich Microsoft has code-named PLATINUM. Microsoft is sharing some of the information it has\r\ngathered on this group in the hope that it will raise awareness of the group\u2019s activities and help\r\norganizations take immediate advantage of available mitigations that can significantly reduce the risks\r\nthey face from this and similar groups.\r\nAdversary profile\r\nPLATINUM has been targeting its victims since at least as early as 2009, and may have been active for\r\nseveral years prior. Its activities are distinctly different not only from those typically seen in untargeted\r\nattacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized\r\nas opportunistic: the activity group changes its target profiles and attack geographies based on\r\ngeopolitical seasons, and may attack institutions all over the world. 
Like many such groups, PLATINUM\r\nseeks to steal sensitive intellectual property related to government interests, but its range of preferred\r\ntargets is consistently limited to specific governmental organizations, defense institutes, intelligence\r\nagencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The\r\ngroup\u2019s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and\r\naccess to previously undiscovered zero-day exploits have made it a highly resilient threat."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222f56-1be8-471b-a27f-4ce4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:42:14.000Z" ,
"modified" : "2016-04-28T15:42:14.000Z" ,
"description" : "Gambar gambar Rumah Gay Didiet Prabowo di Sentul Bogor.doc" ,
"pattern" : "[file:hashes.SHA1 = 'e9f900b5d01320ccd4990fd322a459d709d43e4b']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:42:14Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222f57-87fc-44ef-8b30-41c2950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:42:15.000Z" ,
"modified" : "2016-04-28T15:42:15.000Z" ,
"description" : "The real reason Prabowo wants to be President.doc" ,
"pattern" : "[file:hashes.SHA1 = '9a4e82ba371cd2fedea0b889c879daee7a01e1b1']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:42:15Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222f57-30c0-40e6-be3f-430e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:42:15.000Z" ,
"modified" : "2016-04-28T15:42:15.000Z" ,
"description" : "Malaysia a victim of American irregular warfare ops.doc" ,
"pattern" : "[file:hashes.SHA1 = '92a3ece981bb5e0a3ee4277f08236c1d38b54053']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:42:15Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222f58-f4c0-423c-9e35-4356950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:42:16.000Z" ,
"modified" : "2016-04-28T15:42:16.000Z" ,
"description" : "Tu Vi Nam Tan Mao 2011.doc" ,
"pattern" : "[file:hashes.SHA1 = '0bc08dca86bd95f43ccc78ef4b27d81f28b4b769']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:42:16Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222f58-75c4-4151-bc5d-4728950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:42:16.000Z" ,
"modified" : "2016-04-28T15:42:16.000Z" ,
"description" : "Indians having fun.doc" ,
"pattern" : "[file:hashes.SHA1 = 'f4af574124e9020ef3d0a7be9f1e42c2261e97e6']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:42:16Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222fe7-e234-4ba0-8667-45b4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:44:39.000Z" ,
"modified" : "2016-04-28T15:44:39.000Z" ,
"description" : "Gerakan Anti SBY II.doc" ,
"pattern" : "[file:hashes.SHA1 = '1bdc1a0bc995c1beb363b11b71c14324be8577c9']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:44:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222fe7-82c0-41a5-b39f-4790950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:44:39.000Z" ,
"modified" : "2016-04-28T15:44:39.000Z" ,
"description" : "URL for PNG Exploit" ,
"pattern" : "[url:value = 'mister.nofrillspace.com/users/web8_dice/4226/space.gif']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:44:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222fe8-e138-41ca-8e0f-48b1950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:44:40.000Z" ,
"modified" : "2016-04-28T15:44:40.000Z" ,
"description" : "Tu_Vi_Nam_Tan_ Mao_2011.doc" ,
"pattern" : "[file:hashes.SHA1 = '2a33542038a85db4911d7b846573f6b251e16b2d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:44:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222fe8-5f0c-45fa-a8ed-4c3b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:44:40.000Z" ,
"modified" : "2016-04-28T15:44:40.000Z" ,
"description" : "URL for PNG Exploit" ,
"pattern" : "[url:value = 'intent.nofrillspace.com/users/web11_focus/3807/space.gif']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:44:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222fe9-9958-4f02-9560-4f43950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:44:41.000Z" ,
"modified" : "2016-04-28T15:44:41.000Z" ,
"description" : "Wikileaks Indonesia.doc" ,
"pattern" : "[file:hashes.SHA1 = 'd6a795e839f51c1a5aeabf5c10664936ebbef8ea']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:44:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222fe9-9edc-43b7-bc6a-43b7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:44:41.000Z" ,
"modified" : "2016-04-28T15:44:41.000Z" ,
"description" : "URL for PNG Exploit" ,
"pattern" : "[url:value = 'mister.nofrillspace.com/users/web8_dice/3791/space.gif']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:44:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222fe9-515c-4e40-8b67-40cf950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:44:41.000Z" ,
"modified" : "2016-04-28T15:44:41.000Z" ,
"description" : "Top 11 Aerial Surveillance Devices.doc" ,
"pattern" : "[file:hashes.SHA1 = 'f362feedc046899a78c4480c32dda4ea82a3e8c0']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:44:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222fea-00b4-4c25-86b6-47b8950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:44:42.000Z" ,
"modified" : "2016-04-28T15:44:42.000Z" ,
"description" : "URL for PNG Exploit" ,
"pattern" : "[url:value = 'intent.nofrillspace.com/users/web11_focus/4307/space.gif']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:44:42Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222fea-022c-4a86-8c6e-4760950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:44:42.000Z" ,
"modified" : "2016-04-28T15:44:42.000Z" ,
"description" : "SEMBOYAN_1.doc" ,
"pattern" : "[file:hashes.SHA1 = 'f751cdfaef99c6184f45a563f3d81ff1ada25565']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:44:42Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57222feb-9550-414b-aa37-403b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:44:43.000Z" ,
"modified" : "2016-04-28T15:44:43.000Z" ,
"description" : "URL for PNG Exploit" ,
"pattern" : "[url:value = 'www.police28122011.0fees.net/pages/013/space.gif']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:44:43Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57223015-2b48-4137-afae-4aaf950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:45:25.000Z" ,
"modified" : "2016-04-28T15:45:25.000Z" ,
"description" : "Imported via the freetext import." ,
"pattern" : "[domain-name:value = 'box62.a-inet.net']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:45:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"hostname\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57223015-7138-4387-a596-4b3d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:45:25.000Z" ,
"modified" : "2016-04-28T15:45:25.000Z" ,
"description" : "Imported via the freetext import." ,
"pattern" : "[domain-name:value = 'scienceweek.scieron.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:45:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"hostname\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57223016-2264-4e5f-8211-4468950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:45:26.000Z" ,
"modified" : "2016-04-28T15:45:26.000Z" ,
"description" : "Imported via the freetext import." ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '200.61.248.8']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:45:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57223016-b9bc-4df8-934c-4076950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:45:26.000Z" ,
"modified" : "2016-04-28T15:45:26.000Z" ,
"description" : "Imported via the freetext import." ,
"pattern" : "[domain-name:value = 'eclipse.a-inet.net']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:45:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"hostname\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57223016-cb40-4ea5-b383-4511950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:45:26.000Z" ,
"modified" : "2016-04-28T15:45:26.000Z" ,
"description" : "Imported via the freetext import." ,
"pattern" : "[domain-name:value = 'mobileworld.darktech.org']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:45:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"hostname\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57223017-2e54-4205-9c7b-485e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:45:27.000Z" ,
"modified" : "2016-04-28T15:45:27.000Z" ,
"description" : "Imported via the freetext import." ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '209.45.65.163']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:45:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57223017-99cc-41de-abc6-4f39950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:45:27.000Z" ,
"modified" : "2016-04-28T15:45:27.000Z" ,
"description" : "Imported via the freetext import." ,
"pattern" : "[domain-name:value = 'joomlastats.a-inet.net']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:45:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"hostname\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57223018-d2f0-4939-b72b-46e0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:45:28.000Z" ,
"modified" : "2016-04-28T15:45:28.000Z" ,
"description" : "Imported via the freetext import." ,
"pattern" : "[domain-name:value = 'geocities.efnet.at']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:45:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"hostname\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57223018-368c-428b-a315-4482950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:45:28.000Z" ,
"modified" : "2016-04-28T15:45:28.000Z" ,
"description" : "Imported via the freetext import." ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '190.96.47.9']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:45:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57223018-bde4-46d2-b4a1-4a67950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:45:28.000Z" ,
"modified" : "2016-04-28T15:45:28.000Z" ,
"description" : "Imported via the freetext import." ,
"pattern" : "[domain-name:value = 'updates.joomlastats.co.cc']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:45:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"hostname\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57223019-3f84-4531-b4db-45ed950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:45:29.000Z" ,
"modified" : "2016-04-28T15:45:29.000Z" ,
"description" : "Imported via the freetext import." ,
"pattern" : "[domain-name:value = 'bpl.blogsite.org']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:45:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"hostname\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--57223019-2de8-4914-b9a9-4b15950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:45:29.000Z" ,
"modified" : "2016-04-28T15:45:29.000Z" ,
"description" : "Imported via the freetext import." ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.192.114.1']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:45:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5722301a-b6d0-4690-b82c-447a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:45:30.000Z" ,
"modified" : "2016-04-28T15:45:30.000Z" ,
"description" : "Imported via the freetext import." ,
"pattern" : "[domain-name:value = 'server.joomlastats.co.cc']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:45:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"hostname\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5722301a-6a0c-4bd3-973c-4cf3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:45:30.000Z" ,
"modified" : "2016-04-28T15:45:30.000Z" ,
"description" : "Imported via the freetext import." ,
"pattern" : "[domain-name:value = 'wiki.servebbs.net']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:45:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"hostname\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5722301a-264c-4eb4-8e87-4f0f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:45:30.000Z" ,
"modified" : "2016-04-28T15:45:30.000Z" ,
"description" : "Imported via the freetext import." ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '61.31.203.98']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:45:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--57223037-e7e0-4004-8cfe-424d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:45:59.000Z" ,
"modified" : "2016-04-28T15:45:59.000Z" ,
"labels" : [
"misp:type=\"pattern-in-memory\"" ,
"misp:category=\"Artifacts dropped\""
] ,
"x_misp_category" : "Artifacts dropped" ,
"x_misp_type" : "pattern-in-memory" ,
"x_misp_value" : "AOPSH03SK09POKSID7FF674PSLI91965"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--572230b7-32b8-4f91-8c2a-47cd02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:48:07.000Z" ,
"modified" : "2016-04-28T15:48:07.000Z" ,
"description" : "SEMBOYAN_1.doc - Xchecked via VT: f751cdfaef99c6184f45a563f3d81ff1ada25565" ,
"pattern" : "[file:hashes.SHA256 = '66a85a846c816821635337b61da6bff58cbb5d4a8dc5a87b05f08d4a9e934372']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:48:07Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--572230b8-3e68-44d6-9b51-4f7502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:48:08.000Z" ,
"modified" : "2016-04-28T15:48:08.000Z" ,
"description" : "SEMBOYAN_1.doc - Xchecked via VT: f751cdfaef99c6184f45a563f3d81ff1ada25565" ,
"pattern" : "[file:hashes.MD5 = '28e81ca00146165385c8916bf0a61046']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:48:08Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--572230b8-2b30-4d0e-b33d-487802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:48:08.000Z" ,
"modified" : "2016-04-28T15:48:08.000Z" ,
"first_observed" : "2016-04-28T15:48:08Z" ,
"last_observed" : "2016-04-28T15:48:08Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--572230b8-2b30-4d0e-b33d-487802de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--572230b8-2b30-4d0e-b33d-487802de0b81" ,
"value" : "https://www.virustotal.com/file/66a85a846c816821635337b61da6bff58cbb5d4a8dc5a87b05f08d4a9e934372/analysis/1461733388/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--572230b8-dbac-426b-a9ac-4cbe02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:48:08.000Z" ,
"modified" : "2016-04-28T15:48:08.000Z" ,
"description" : "Top 11 Aerial Surveillance Devices.doc - Xchecked via VT: f362feedc046899a78c4480c32dda4ea82a3e8c0" ,
"pattern" : "[file:hashes.SHA256 = '1cd003a5e089ce906e035efee222785bba679276356b8409c24b3fe5bb863d15']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:48:08Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--572230b9-c428-47ce-a5f3-42ed02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:48:09.000Z" ,
"modified" : "2016-04-28T15:48:09.000Z" ,
"description" : "Top 11 Aerial Surveillance Devices.doc - Xchecked via VT: f362feedc046899a78c4480c32dda4ea82a3e8c0" ,
"pattern" : "[file:hashes.MD5 = '70511e6e75aa38a4d92cd134caba16ef']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:48:09Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--572230b9-3bd4-4ae8-9fb0-443602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:48:09.000Z" ,
"modified" : "2016-04-28T15:48:09.000Z" ,
"first_observed" : "2016-04-28T15:48:09Z" ,
"last_observed" : "2016-04-28T15:48:09Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--572230b9-3bd4-4ae8-9fb0-443602de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--572230b9-3bd4-4ae8-9fb0-443602de0b81" ,
"value" : "https://www.virustotal.com/file/1cd003a5e089ce906e035efee222785bba679276356b8409c24b3fe5bb863d15/analysis/1461732971/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--572230b9-7c5c-44a4-9840-435d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:48:09.000Z" ,
"modified" : "2016-04-28T15:48:09.000Z" ,
"description" : "Wikileaks Indonesia.doc - Xchecked via VT: d6a795e839f51c1a5aeabf5c10664936ebbef8ea" ,
"pattern" : "[file:hashes.SHA256 = '527ff3a10bd6af99df29f8b2e58fa9fafaf2beae9219c7a82127e5d89d36617e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:48:09Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--572230ba-e524-4a2d-8640-4af602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:48:10.000Z" ,
"modified" : "2016-04-28T15:48:10.000Z" ,
"description" : "Wikileaks Indonesia.doc - Xchecked via VT: d6a795e839f51c1a5aeabf5c10664936ebbef8ea" ,
"pattern" : "[file:hashes.MD5 = '7eb17991ed13960d57ed75c01f6f7fd5']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:48:10Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--572230ba-8100-4cb3-851a-49b602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:48:10.000Z" ,
"modified" : "2016-04-28T15:48:10.000Z" ,
"first_observed" : "2016-04-28T15:48:10Z" ,
"last_observed" : "2016-04-28T15:48:10Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--572230ba-8100-4cb3-851a-49b602de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--572230ba-8100-4cb3-851a-49b602de0b81" ,
"value" : "https://www.virustotal.com/file/527ff3a10bd6af99df29f8b2e58fa9fafaf2beae9219c7a82127e5d89d36617e/analysis/1461735840/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--572230ba-0d08-41d7-9bc8-4b4e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:48:10.000Z" ,
"modified" : "2016-04-28T15:48:10.000Z" ,
"description" : "Tu_Vi_Nam_Tan_ Mao_2011.doc - Xchecked via VT: 2a33542038a85db4911d7b846573f6b251e16b2d" ,
"pattern" : "[file:hashes.SHA256 = '5f7499ef0eb5cd67f04c4b4f7cd4ac5ce11abad6d7523d275a7f7f3cd70d4c4d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:48:10Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--572230bb-c9d4-44d2-a86b-467002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:48:11.000Z" ,
"modified" : "2016-04-28T15:48:11.000Z" ,
"description" : "Tu_Vi_Nam_Tan_ Mao_2011.doc - Xchecked via VT: 2a33542038a85db4911d7b846573f6b251e16b2d" ,
"pattern" : "[file:hashes.MD5 = '2f1ab543b38a7ad61d5dbd72eb0524c4']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:48:11Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--572230bb-817c-4de6-a794-42d302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:48:11.000Z" ,
"modified" : "2016-04-28T15:48:11.000Z" ,
"first_observed" : "2016-04-28T15:48:11Z" ,
"last_observed" : "2016-04-28T15:48:11Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--572230bb-817c-4de6-a794-42d302de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--572230bb-817c-4de6-a794-42d302de0b81" ,
"value" : "https://www.virustotal.com/file/5f7499ef0eb5cd67f04c4b4f7cd4ac5ce11abad6d7523d275a7f7f3cd70d4c4d/analysis/1461792783/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--572230bc-4f94-48a2-9906-48ca02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:48:12.000Z" ,
"modified" : "2016-04-28T15:48:12.000Z" ,
"description" : "Gerakan Anti SBY II.doc - Xchecked via VT: 1bdc1a0bc995c1beb363b11b71c14324be8577c9" ,
"pattern" : "[file:hashes.SHA256 = '2e71ded564eb42881e93202bbcc00fd7f9decaaa3b82643c0fbe75f0fa118040']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:48:12Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--572230bc-6474-420c-aad7-466502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:48:12.000Z" ,
"modified" : "2016-04-28T15:48:12.000Z" ,
"description" : "Gerakan Anti SBY II.doc - Xchecked via VT: 1bdc1a0bc995c1beb363b11b71c14324be8577c9" ,
"pattern" : "[file:hashes.MD5 = 'fde37e60cc4be73dada0fb1ad3d5f273']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-04-28T15:48:12Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--572230bc-23f4-44b5-82af-405902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T15:48:12.000Z" ,
"modified" : "2016-04-28T15:48:12.000Z" ,
"first_observed" : "2016-04-28T15:48:12Z" ,
"last_observed" : "2016-04-28T15:48:12Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--572230bc-23f4-44b5-82af-405902de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--572230bc-23f4-44b5-82af-405902de0b81" ,
"value" : "https://www.virustotal.com/file/2e71ded564eb42881e93202bbcc00fd7f9decaaa3b82643c0fbe75f0fa118040/analysis/1461733063/"
} ,
{
"type" : "vulnerability" ,
"spec_version" : "2.1" ,
"id" : "vulnerability--572301cb-39dc-48ab-8569-4bbc950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-29T06:40:11.000Z" ,
"modified" : "2016-04-29T06:40:11.000Z" ,
"name" : "CVE-2013-7331" ,
"labels" : [
"misp:type=\"vulnerability\"" ,
"misp:category=\"Payload delivery\""
] ,
"external_references" : [
{
"source_name" : "cve" ,
"external_id" : "CVE-2013-7331"
}
]
} ,
{
"type" : "vulnerability" ,
"spec_version" : "2.1" ,
"id" : "vulnerability--57230233-264c-4424-9865-4b32950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-29T06:41:55.000Z" ,
"modified" : "2016-04-29T06:41:55.000Z" ,
"name" : "CVE-2015-2546" ,
"labels" : [
"misp:type=\"vulnerability\"" ,
"misp:category=\"Payload delivery\""
] ,
"external_references" : [
{
"source_name" : "cve" ,
"external_id" : "CVE-2015-2546"
}
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57230362-94fc-4f8a-8e59-4696950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-29T06:46:58.000Z" ,
"modified" : "2016-04-29T06:46:58.000Z" ,
"first_observed" : "2016-04-29T06:46:58Z" ,
"last_observed" : "2016-04-29T06:46:58Z" ,
"number_observed" : 1 ,
"object_refs" : [
"windows-registry-key--57230362-94fc-4f8a-8e59-4696950d210f"
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\""
]
} ,
{
"type" : "windows-registry-key" ,
"spec_version" : "2.1" ,
"id" : "windows-registry-key--57230362-94fc-4f8a-8e59-4696950d210f" ,
"key" : "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\Cscdll32\\Asynchronous"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57230368-035c-4607-af86-4634950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-29T06:47:04.000Z" ,
"modified" : "2016-04-29T06:47:04.000Z" ,
"first_observed" : "2016-04-29T06:47:04Z" ,
"last_observed" : "2016-04-29T06:47:04Z" ,
"number_observed" : 1 ,
"object_refs" : [
"windows-registry-key--57230368-035c-4607-af86-4634950d210f"
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\""
]
} ,
{
"type" : "windows-registry-key" ,
"spec_version" : "2.1" ,
"id" : "windows-registry-key--57230368-035c-4607-af86-4634950d210f" ,
"key" : "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\Cscdll32\\DllName"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57230368-52dc-4e88-92c0-48cf950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-29T06:47:04.000Z" ,
"modified" : "2016-04-29T06:47:04.000Z" ,
"first_observed" : "2016-04-29T06:47:04Z" ,
"last_observed" : "2016-04-29T06:47:04Z" ,
"number_observed" : 1 ,
"object_refs" : [
"windows-registry-key--57230368-52dc-4e88-92c0-48cf950d210f"
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\""
]
} ,
{
"type" : "windows-registry-key" ,
"spec_version" : "2.1" ,
"id" : "windows-registry-key--57230368-52dc-4e88-92c0-48cf950d210f" ,
"key" : "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\Cscdll32\\Impersonate"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57230368-4350-45bb-a5ef-4a2f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-29T06:47:04.000Z" ,
"modified" : "2016-04-29T06:47:04.000Z" ,
"first_observed" : "2016-04-29T06:47:04Z" ,
"last_observed" : "2016-04-29T06:47:04Z" ,
"number_observed" : 1 ,
"object_refs" : [
"windows-registry-key--57230368-4350-45bb-a5ef-4a2f950d210f"
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\""
]
} ,
{
"type" : "windows-registry-key" ,
"spec_version" : "2.1" ,
"id" : "windows-registry-key--57230368-4350-45bb-a5ef-4a2f950d210f" ,
"key" : "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\Cscdll32\\Startup"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57230369-2ca4-487e-81c1-4f49950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-29T06:47:05.000Z" ,
"modified" : "2016-04-29T06:47:05.000Z" ,
"first_observed" : "2016-04-29T06:47:05Z" ,
"last_observed" : "2016-04-29T06:47:05Z" ,
"number_observed" : 1 ,
"object_refs" : [
"windows-registry-key--57230369-2ca4-487e-81c1-4f49950d210f"
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\""
]
} ,
{
"type" : "windows-registry-key" ,
"spec_version" : "2.1" ,
"id" : "windows-registry-key--57230369-2ca4-487e-81c1-4f49950d210f" ,
"key" : "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\Cscdll32\\shutdown"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57230369-3458-43b5-b0b4-474c950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-29T06:47:05.000Z" ,
"modified" : "2016-04-29T06:47:05.000Z" ,
"first_observed" : "2016-04-29T06:47:05Z" ,
"last_observed" : "2016-04-29T06:47:05Z" ,
"number_observed" : 1 ,
"object_refs" : [
"windows-registry-key--57230369-3458-43b5-b0b4-474c950d210f"
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\""
]
} ,
{
"type" : "windows-registry-key" ,
"spec_version" : "2.1" ,
"id" : "windows-registry-key--57230369-3458-43b5-b0b4-474c950d210f" ,
"key" : "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\cscdll32"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57228030-4c14-48c9-899f-45a202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T21:27:12.000Z" ,
"modified" : "2016-04-28T21:27:12.000Z" ,
"first_observed" : "2016-04-28T21:27:12Z" ,
"last_observed" : "2016-04-28T21:27:12Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57228030-4c14-48c9-899f-45a202de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57228030-4c14-48c9-899f-45a202de0b81" ,
"value" : "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--57228030-5328-4860-976e-42a802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-04-28T21:27:12.000Z" ,
"modified" : "2016-04-28T21:27:12.000Z" ,
"first_observed" : "2016-04-28T21:27:12Z" ,
"last_observed" : "2016-04-28T21:27:12Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--57228030-5328-4860-976e-42a802de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--57228030-5328-4860-976e-42a802de0b81" ,
"value" : "https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}