{
"type": "bundle",
"id": "bundle--58806a6c-14a4-49a9-8d6c-49e6950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:53:47.000Z",
"modified": "2017-01-19T07:53:47.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--58806a6c-14a4-49a9-8d6c-49e6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:53:47.000Z",
"modified": "2017-01-19T07:53:47.000Z",
"name": "OSINT - Uncovering the Inner Workings of EyePyramid",
"published": "2017-01-19T08:07:15Z",
"object_refs": [
"x-misp-attribute--58806a7b-5040-4706-8eaf-4e44950d210f",
"observed-data--58806a8c-4008-48f2-8de3-4842950d210f",
"url--58806a8c-4008-48f2-8de3-4842950d210f",
"x-misp-attribute--58806c1b-a244-41a1-9bbf-4532950d210f",
"x-misp-attribute--58806c1c-bb6c-40f4-92d0-433b950d210f",
"x-misp-attribute--58806c1d-49cc-4664-8c7d-428d950d210f",
"x-misp-attribute--58806c1e-0a40-4830-bdb0-424b950d210f",
"x-misp-attribute--58806c1f-b1a8-4261-b7a8-4a08950d210f",
"x-misp-attribute--58806c1f-95b8-4c6d-b981-4e0a950d210f",
"x-misp-attribute--58806c20-91b0-45df-b625-412c950d210f",
"x-misp-attribute--58806c21-2540-48fd-b445-40b4950d210f",
"x-misp-attribute--58806c22-0390-488d-bfb9-415e950d210f",
"x-misp-attribute--58806c23-9c98-4b91-9120-454d950d210f",
"x-misp-attribute--58806c24-4134-4bc3-9c5a-4fe7950d210f",
"x-misp-attribute--58806c57-ddb0-4a50-851d-454c950d210f",
"indicator--58806cb6-2af8-4192-90f9-4f10950d210f",
"observed-data--58806cf9-7a5c-467f-bea2-41ab950d210f",
"file--58806cf9-7a5c-467f-bea2-41ab950d210f",
"artifact--58806cf9-7a5c-467f-bea2-41ab950d210f",
"indicator--58806da6-5f00-4e00-871d-4cdd950d210f",
"observed-data--58806df2-9f50-44e7-85e2-42a5950d210f",
"file--58806df2-9f50-44e7-85e2-42a5950d210f",
"artifact--58806df2-9f50-44e7-85e2-42a5950d210f",
"indicator--58806e4a-0990-4e82-b7d2-4b14950d210f",
"indicator--58806e4b-0acc-4f4c-8073-43d1950d210f",
"indicator--58806e4b-25ac-4bd6-a0b9-46c8950d210f",
"indicator--58806e4c-3f68-409f-aa6a-4b33950d210f",
"indicator--58806e4d-148c-4308-b2e1-4d98950d210f",
"indicator--58806e4e-b3e4-4f18-9a79-4931950d210f",
"indicator--58806e4f-db9c-42ca-9ff4-4ff5950d210f",
"indicator--58806e50-a450-4989-8cc0-4f48950d210f",
"indicator--58806e51-89e4-463c-b283-4703950d210f",
"indicator--58806e51-886c-4da1-87d3-4032950d210f",
"indicator--58806e52-d2d0-4a2b-9cb9-428f950d210f",
"indicator--58806e53-07f8-4bdc-b554-46c6950d210f",
"indicator--58806e54-beb0-45c1-81af-4638950d210f",
"indicator--58806e55-0568-4c64-b4cd-4782950d210f",
"indicator--58806e56-72e0-4602-81cb-4356950d210f",
"indicator--58806e56-400c-4f3c-b727-4b4e950d210f",
"indicator--58806e7f-11e0-411a-adf0-497a950d210f",
"indicator--58806e80-ee2c-48e1-b25c-494d950d210f",
"indicator--58806e81-ba68-4cfb-a12c-4edc950d210f",
"indicator--58806e81-4664-4964-9817-4847950d210f",
"indicator--58806fd4-f158-41a6-bad8-46c3950d210f",
"indicator--58806fd5-ae40-4b64-a154-4c7b950d210f",
"indicator--58806fd6-af4c-4467-86bf-429d950d210f",
"indicator--58806fd7-424c-45a5-b1c3-4e88950d210f",
"indicator--58806fd7-18c0-4ca5-b2e2-4e88950d210f",
"indicator--58806fd8-85c4-4455-903a-47b7950d210f",
"indicator--58806fd9-a310-4e87-b4fb-4eaa950d210f",
"indicator--58806fda-01c4-473b-aaf6-4d45950d210f",
"indicator--58806fdb-168c-4c83-8e3c-4c92950d210f",
"indicator--58806fdc-a3f4-4be0-8fb3-4a8f950d210f",
"indicator--58806fdd-3744-4672-bd97-40df950d210f",
"indicator--58806fde-249c-4132-ad29-4cfe950d210f",
"indicator--58806fde-85e0-4f67-b8dd-4355950d210f",
"indicator--58806fdf-1b18-4b72-8947-4979950d210f",
"indicator--58806ff5-5330-4f91-8468-42f602de0b81",
"indicator--58806ff6-1afc-4b7c-b9c9-47de02de0b81",
"observed-data--58806ff6-889c-407f-b3b2-401902de0b81",
"url--58806ff6-889c-407f-b3b2-401902de0b81",
"indicator--58806ff7-2504-4521-bbb3-4a3d02de0b81",
"indicator--58806ff8-0868-4e2b-959a-42e402de0b81",
"observed-data--58806ff8-af9c-47f3-882f-4ace02de0b81",
"url--58806ff8-af9c-47f3-882f-4ace02de0b81",
"indicator--58807084-6eec-49b2-b5bb-4715950d210f",
"indicator--58807084-8600-417b-9bf2-47fb950d210f",
"indicator--58807085-f248-4cf5-9a5f-4666950d210f",
"indicator--58807086-775c-4aeb-a65a-4898950d210f",
"indicator--58807086-53a0-4a37-bf8f-4b83950d210f",
"indicator--58807087-4370-4e79-b2ee-4bce950d210f",
"indicator--58807088-8d4c-4489-9df2-4d14950d210f",
"indicator--58807089-4074-41eb-ad4b-4e1e950d210f",
"indicator--58807089-8f08-4b3b-9ac0-403c950d210f",
"indicator--5880708a-3e68-48f3-8aba-4df5950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\" EyePyramid Malware\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58806a7b-5040-4706-8eaf-4e44950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:27:55.000Z",
"modified": "2017-01-19T07:27:55.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Two Italians referred to as the \u201cOcchionero brothers\u201d have been arrested and accused of using malware and a carefully-prepared spear-phishing scheme to spy on high-profile politicians and businessmen. This case has been called \u201cEyePyramid\u201d, which we first discussed last week. (Conspiracy theories aside, the name came from a domain name and directory path that was found during the research.)\r\n\r\nThe court order was published by AGI, an Italian news agency, around noon on January 11. It (surprisingly) contains multiple technical details which we used to bootstrap our initial analysis. This post builds on the details of the case to provide a more complete and in-depth view of the activities of this campaign.\r\n\r\nScope of this analysis\r\n\r\nWe have analyzed nearly 250 distinct samples, with new batches of EyePyramid-related samples seen and identified daily. Right after our initial analysis, about a dozen suspicious samples were uploaded to VirusTotal and tagged as \u201c#eyepyramid\u201d. We believe that these samples are \u201cfalse flags,\u201d because the samples do not resemble any of the samples that we were able to definitely relate to the EyePyramid case. Although we are not able to say with 100% certainty that there are no relationships between these \u201cfalse flags\u201d and the original EyePyramid samples, we purposely did not focus on these uploaded samples."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58806a8c-4008-48f2-8de3-4842950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:28:12.000Z",
"modified": "2017-01-19T07:28:12.000Z",
"first_observed": "2017-01-19T07:28:12Z",
"last_observed": "2017-01-19T07:28:12Z",
"number_observed": 1,
"object_refs": [
"url--58806a8c-4008-48f2-8de3-4842950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58806a8c-4008-48f2-8de3-4842950d210f",
"value": "http://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58806c1b-a244-41a1-9bbf-4532950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:34:51.000Z",
"modified": "2017-01-19T07:34:51.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "paths or library names indicating code reuse of specific components",
"x_misp_type": "pdb",
"x_misp_value": ":\\Projects\\VS2005\\ChromePass\\Release\\ChromePass.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58806c1c-bb6c-40f4-92d0-433b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:34:52.000Z",
"modified": "2017-01-19T07:34:52.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "paths or library names indicating code reuse of specific components",
"x_misp_type": "pdb",
"x_misp_value": ":\\Projects\\VS2005\\MyLastSearch\\release\\MyLastSearch.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58806c1d-49cc-4664-8c7d-428d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:34:53.000Z",
"modified": "2017-01-19T07:34:53.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "paths or library names indicating code reuse of specific components",
"x_misp_type": "pdb",
"x_misp_value": ":\\Projects\\VS2005\\NK2View\\Release\\NK2View.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58806c1e-0a40-4830-bdb0-424b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:34:54.000Z",
"modified": "2017-01-19T07:34:54.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "paths or library names indicating code reuse of specific components",
"x_misp_type": "pdb",
"x_misp_value": ":\\Projects\\VS2005\\ProduKey\\Release\\ProduKey.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58806c1f-b1a8-4261-b7a8-4a08950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:34:55.000Z",
"modified": "2017-01-19T07:34:55.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "paths or library names indicating code reuse of specific components",
"x_misp_type": "pdb",
"x_misp_value": ":\\Projects\\VS2005\\RecentFilesView\\Release\\RecentFilesView.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58806c1f-95b8-4c6d-b981-4e0a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:34:55.000Z",
"modified": "2017-01-19T07:34:55.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "paths or library names indicating code reuse of specific components",
"x_misp_type": "pdb",
"x_misp_value": ":\\Projects\\VS2005\\USBDeview\\Release\\USBDeview.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58806c20-91b0-45df-b625-412c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:34:56.000Z",
"modified": "2017-01-19T07:34:56.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "paths or library names indicating code reuse of specific components",
"x_misp_type": "pdb",
"x_misp_value": ":\\Projects\\VS2005\\WirelessKeyView\\Release\\WirelessKeyView.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58806c21-2540-48fd-b445-40b4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:34:57.000Z",
"modified": "2017-01-19T07:34:57.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "paths or library names indicating code reuse of specific components",
"x_misp_type": "pdb",
"x_misp_value": ":\\Projects\\VS2005\\mspass\\Release\\mspass.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58806c22-0390-488d-bfb9-415e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:34:58.000Z",
"modified": "2017-01-19T07:34:58.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "paths or library names indicating code reuse of specific components",
"x_misp_type": "pdb",
"x_misp_value": ":\\Projects\\VS2005\\netpass\\Release\\netpass.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58806c23-9c98-4b91-9120-454d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:34:59.000Z",
"modified": "2017-01-19T07:34:59.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "paths or library names indicating code reuse of specific components",
"x_misp_type": "pdb",
"x_misp_value": ":\\projects\\VS2005\\iepv\\Release\\iepv.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58806c24-4134-4bc3-9c5a-4fe7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:35:00.000Z",
"modified": "2017-01-19T07:35:00.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "paths or library names indicating code reuse of specific components",
"x_misp_type": "pdb",
"x_misp_value": ":\\projects\\vs2005\\shortcutsman\\release\\shman.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58806c57-ddb0-4a50-851d-454c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:35:51.000Z",
"modified": "2017-01-19T07:35:51.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Attribution\""
],
"x_misp_category": "Attribution",
"x_misp_comment": "Both the 2010 and 2012 versions share the infamous MN600-D8102F401003102110C5114F1F18-0E8C MailBee license key, which was either purchased by Giulio Occhionero, or purchased using his name.",
"x_misp_type": "text",
"x_misp_value": "MN600-D8102F401003102110C5114F1F18-0E8C"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806cb6-2af8-4192-90f9-4f10950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:37:26.000Z",
"modified": "2017-01-19T07:37:26.000Z",
"description": "Although used for debugging only, we found that the malware author was playing around with email-based cross-site scripting, as can be seen from the code snippet in the linked Trend Micro analysis",
"pattern": "[file:hashes.SHA256 = '21b6f2584485b8bbfffdefd45c1c72dc2133290fd8cefb235eb39cf015550316']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:37:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58806cf9-7a5c-467f-bea2-41ab950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:38:33.000Z",
"modified": "2017-01-19T07:38:33.000Z",
"first_observed": "2017-01-19T07:38:33Z",
"last_observed": "2017-01-19T07:38:33Z",
"number_observed": 1,
"object_refs": [
"file--58806cf9-7a5c-467f-bea2-41ab950d210f",
"artifact--58806cf9-7a5c-467f-bea2-41ab950d210f"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--58806cf9-7a5c-467f-bea2-41ab950d210f",
"name": "EyePyramid_15-01.jpg",
"content_ref": "artifact--58806cf9-7a5c-467f-bea2-41ab950d210f"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--58806cf9-7a5c-467f-bea2-41ab950d210f",
"payload_bin": "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
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806da6-5f00-4e00-871d-4cdd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:41:26.000Z",
"modified": "2017-01-19T07:41:26.000Z",
"pattern": "[file:hashes.SHA256 = 'd3ad32bcb255e56cd2a768b3cbf6bafda88233288fc6650d0dfa3810be75f74c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:41:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58806df2-9f50-44e7-85e2-42a5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:42:42.000Z",
"modified": "2017-01-19T07:42:42.000Z",
"first_observed": "2017-01-19T07:42:42Z",
"last_observed": "2017-01-19T07:42:42Z",
"number_observed": 1,
"object_refs": [
"file--58806df2-9f50-44e7-85e2-42a5950d210f",
"artifact--58806df2-9f50-44e7-85e2-42a5950d210f"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--58806df2-9f50-44e7-85e2-42a5950d210f",
"name": "Appendix_uncovering-the-inner-workings-of-eyepyramid.pdf",
"content_ref": "artifact--58806df2-9f50-44e7-85e2-42a5950d210f"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--58806df2-9f50-44e7-85e2-42a5950d210f",
"payload_bin": "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
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806e4a-0990-4e82-b7d2-4b14950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:44:10.000Z",
"modified": "2017-01-19T07:44:10.000Z",
"description": "2010 sample C&C",
"pattern": "[url:value = 'http://guess515.fastmail.fm/files/jobs/44dc7eceb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:44:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806e4b-0acc-4f4c-8073-43d1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:44:11.000Z",
"modified": "2017-01-19T07:44:11.000Z",
"description": "2010 sample C&C",
"pattern": "[url:value = 'http://guess515.fastmail.fm/files/jobs/3261cc389']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:44:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806e4b-25ac-4bd6-a0b9-46c8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:44:11.000Z",
"modified": "2017-01-19T07:44:11.000Z",
"description": "2010 sample C&C",
"pattern": "[url:value = 'http://guess515.fastmail.fm/files/run']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:44:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806e4c-3f68-409f-aa6a-4b33950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:44:12.000Z",
"modified": "2017-01-19T07:44:12.000Z",
"description": "2010 sample C&C",
"pattern": "[url:value = 'http://guess515.fastmail.fm/files/ghk']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:44:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806e4d-148c-4308-b2e1-4d98950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:44:13.000Z",
"modified": "2017-01-19T07:44:13.000Z",
"description": "2010 sample C&C",
"pattern": "[url:value = 'http://guess515.fastmail.fm/files/co']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:44:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806e4e-b3e4-4f18-9a79-4931950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:44:14.000Z",
"modified": "2017-01-19T07:44:14.000Z",
"description": "2010 sample C&C",
"pattern": "[url:value = 'http://guess515.fastmail.fm/files/bin/ghk']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:44:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806e4f-db9c-42ca-9ff4-4ff5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:44:15.000Z",
"modified": "2017-01-19T07:44:15.000Z",
"description": "2010 sample C&C",
"pattern": "[url:value = 'http://guess515.fastmail.fm/files/obj/decepk']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:44:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806e50-a450-4989-8cc0-4f48950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:44:16.000Z",
"modified": "2017-01-19T07:44:16.000Z",
"description": "2010 sample C&C",
"pattern": "[url:value = 'http://guess515.fastmail.fm/files/tasks']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:44:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806e51-89e4-463c-b283-4703950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:44:17.000Z",
"modified": "2017-01-19T07:44:17.000Z",
"description": "2010 sample C&C",
"pattern": "[url:value = 'http://guess515.fastmail.fm/files/decepk']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:44:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806e51-886c-4da1-87d3-4032950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:44:17.000Z",
"modified": "2017-01-19T07:44:17.000Z",
"description": "2010 sample C&C",
"pattern": "[url:value = 'http://guess515.fastmail.fm/files/bin/run']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:44:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806e52-d2d0-4a2b-9cb9-428f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:44:18.000Z",
"modified": "2017-01-19T07:44:18.000Z",
"description": "2010 sample C&C",
"pattern": "[url:value = 'http://guess515.fastmail.fm/files/jobs']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:44:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806e53-07f8-4bdc-b554-46c6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:44:19.000Z",
"modified": "2017-01-19T07:44:19.000Z",
"description": "2010 sample C&C",
"pattern": "[url:value = 'http://guess515.fastmail.fm/files/replace']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:44:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806e54-beb0-45c1-81af-4638950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:44:20.000Z",
"modified": "2017-01-19T07:44:20.000Z",
"description": "2010 sample C&C",
"pattern": "[url:value = 'http://guess515.fastmail.fm/files/fail']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:44:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806e55-0568-4c64-b4cd-4782950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:44:21.000Z",
"modified": "2017-01-19T07:44:21.000Z",
"description": "2010 sample C&C",
"pattern": "[url:value = 'http://guess515.fastmail.fm/files/obj']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:44:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806e56-72e0-4602-81cb-4356950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:44:22.000Z",
"modified": "2017-01-19T07:44:22.000Z",
"description": "2010 sample C&C",
"pattern": "[url:value = 'http://guess515.fastmail.fm/files/obj/tasks']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:44:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806e56-400c-4f3c-b727-4b4e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:44:22.000Z",
"modified": "2017-01-19T07:44:22.000Z",
"description": "2010 sample C&C",
"pattern": "[url:value = 'http://guess515.fastmail.fm/files/bin']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:44:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806e7f-11e0-411a-adf0-497a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:45:03.000Z",
"modified": "2017-01-19T07:45:03.000Z",
"description": "2012 sample C&C",
"pattern": "[url:value = 'ftp://ftp1.storegate.com/home/jiwoku375']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:45:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806e80-ee2c-48e1-b25c-494d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:45:04.000Z",
"modified": "2017-01-19T07:45:04.000Z",
"description": "2012 sample C&C",
"pattern": "[url:value = 'https://webdav1.storegate.com/jiwoku375/home/jiwoku375']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:45:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806e81-ba68-4cfb-a12c-4edc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:45:05.000Z",
"modified": "2017-01-19T07:45:05.000Z",
"description": "2012 sample C&C",
"pattern": "[url:value = 'http://webdav1.storegate.com/jiwoku375/home/jiwoku375']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:45:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806e81-4664-4964-9817-4847950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:45:05.000Z",
"modified": "2017-01-19T07:45:05.000Z",
"description": "2012 sample C&C",
"pattern": "[url:value = 'ftp1.storegate.com/home/jiwoku375']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:45:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806fd4-f158-41a6-bad8-46c3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:50:44.000Z",
"modified": "2017-01-19T07:50:44.000Z",
"description": "2014 - sample C&C",
"pattern": "[url:value = 'https://webdav.hidrive.strato.com/users/oncole3991']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:50:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806fd5-ae40-4b64-a154-4c7b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:50:45.000Z",
"modified": "2017-01-19T07:50:45.000Z",
"description": "2014 - sample C&C",
"pattern": "[url:value = 'http://webdav.cloudme.com/imin1399/xios']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:50:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806fd6-af4c-4467-86bf-429d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:50:46.000Z",
"modified": "2017-01-19T07:50:46.000Z",
"description": "2014 - sample C&C",
"pattern": "[url:value = 'http://webdav1.storegate.com/oldi4006/home/oldi4006']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:50:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806fd7-424c-45a5-b1c3-4e88950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:50:47.000Z",
"modified": "2017-01-19T07:50:47.000Z",
"description": "2014 - sample C&C",
"pattern": "[url:value = 'https://webdav1.storegate.com/oldi4006/home/oldi4006']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:50:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806fd7-18c0-4ca5-b2e2-4e88950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:50:47.000Z",
"modified": "2017-01-19T07:50:47.000Z",
"description": "2014 - sample C&C",
"pattern": "[url:value = 'http://webdav1.storegate.com/uwiq175/home/uwiq175']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:50:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806fd8-85c4-4455-903a-47b7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:50:48.000Z",
"modified": "2017-01-19T07:50:48.000Z",
"description": "2014 - sample C&C",
"pattern": "[url:value = 'https://webdav1.storegate.com/enzevu888/home/enzevu888']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:50:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806fd9-a310-4e87-b4fb-4eaa950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:50:49.000Z",
"modified": "2017-01-19T07:50:49.000Z",
"description": "2014 - sample C&C",
"pattern": "[url:value = 'https://webdav1.storegate.com/ordu1337/home/ordu1337']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:50:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806fda-01c4-473b-aaf6-4d45950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:50:50.000Z",
"modified": "2017-01-19T07:50:50.000Z",
"description": "2014 - sample C&C",
"pattern": "[url:value = 'http://webdav1.storegate.com/oqokul68646/home/oqokul68646']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:50:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806fdb-168c-4c83-8e3c-4c92950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:50:51.000Z",
"modified": "2017-01-19T07:50:51.000Z",
"description": "2014 - sample C&C",
"pattern": "[url:value = 'http://webdav1.storegate.com/enzevu888/home/enzevu888']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:50:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806fdc-a3f4-4be0-8fb3-4a8f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:50:52.000Z",
"modified": "2017-01-19T07:50:52.000Z",
"description": "2014 - sample C&C",
"pattern": "[url:value = 'https://webdav.cloudme.com/imin1399/xios']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:50:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806fdd-3744-4672-bd97-40df950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:50:53.000Z",
"modified": "2017-01-19T07:50:53.000Z",
"description": "2014 - sample C&C",
"pattern": "[url:value = 'https://webdav1.storegate.com/uwiq175/home/uwiq175']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:50:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806fde-249c-4132-ad29-4cfe950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:50:54.000Z",
"modified": "2017-01-19T07:50:54.000Z",
"description": "2014 - sample C&C",
"pattern": "[url:value = 'http://webdav.hidrive.strato.com/users/oncole3991']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:50:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806fde-85e0-4f67-b8dd-4355950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:50:54.000Z",
"modified": "2017-01-19T07:50:54.000Z",
"description": "2014 - sample C&C",
"pattern": "[url:value = 'http://webdav1.storegate.com/ordu1337/home/ordu1337']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:50:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806fdf-1b18-4b72-8947-4979950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:50:55.000Z",
"modified": "2017-01-19T07:50:55.000Z",
"description": "2014 - sample C&C",
"pattern": "[url:value = 'https://webdav1.storegate.com/oqokul68646/home/oqokul68646']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:50:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806ff5-5330-4f91-8468-42f602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:51:17.000Z",
"modified": "2017-01-19T07:51:17.000Z",
"description": "Although used for debugging only, we found that the malware author was playing around with email-based cross-site scripting, as can be seen from the following code snippet - Xchecked via VT: 21b6f2584485b8bbfffdefd45c1c72dc2133290fd8cefb235eb39cf015550316",
"pattern": "[file:hashes.SHA1 = 'b5f08add2745bbed9ae4573fc9f16431cefa13f1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:51:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806ff6-1afc-4b7c-b9c9-47de02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:51:18.000Z",
"modified": "2017-01-19T07:51:18.000Z",
"description": "Although used for debugging only, we found that the malware author was playing around with email-based cross-site scripting, as can be seen from the following code snippet - Xchecked via VT: 21b6f2584485b8bbfffdefd45c1c72dc2133290fd8cefb235eb39cf015550316",
"pattern": "[file:hashes.MD5 = 'f3802442727c0b614482455d6ad9edc2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:51:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58806ff6-889c-407f-b3b2-401902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:51:18.000Z",
"modified": "2017-01-19T07:51:18.000Z",
"first_observed": "2017-01-19T07:51:18Z",
"last_observed": "2017-01-19T07:51:18Z",
"number_observed": 1,
"object_refs": [
"url--58806ff6-889c-407f-b3b2-401902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58806ff6-889c-407f-b3b2-401902de0b81",
"value": "https://www.virustotal.com/file/21b6f2584485b8bbfffdefd45c1c72dc2133290fd8cefb235eb39cf015550316/analysis/1423753823/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806ff7-2504-4521-bbb3-4a3d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:51:19.000Z",
"modified": "2017-01-19T07:51:19.000Z",
"description": "- Xchecked via VT: d3ad32bcb255e56cd2a768b3cbf6bafda88233288fc6650d0dfa3810be75f74c",
"pattern": "[file:hashes.SHA1 = 'b61633975206c58df648df144c78bb3e20051d93']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:51:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58806ff8-0868-4e2b-959a-42e402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:51:20.000Z",
"modified": "2017-01-19T07:51:20.000Z",
"description": "- Xchecked via VT: d3ad32bcb255e56cd2a768b3cbf6bafda88233288fc6650d0dfa3810be75f74c",
"pattern": "[file:hashes.MD5 = 'b39a673a5d2ceaa1fb5571769097ca77']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:51:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58806ff8-af9c-47f3-882f-4ace02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:51:20.000Z",
"modified": "2017-01-19T07:51:20.000Z",
"first_observed": "2017-01-19T07:51:20Z",
"last_observed": "2017-01-19T07:51:20Z",
"number_observed": 1,
"object_refs": [
"url--58806ff8-af9c-47f3-882f-4ace02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58806ff8-af9c-47f3-882f-4ace02de0b81",
"value": "https://www.virustotal.com/file/d3ad32bcb255e56cd2a768b3cbf6bafda88233288fc6650d0dfa3810be75f74c/analysis/1484353398/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58807084-6eec-49b2-b5bb-4715950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:53:40.000Z",
"modified": "2017-01-19T07:53:40.000Z",
"pattern": "[email-message:to_refs[*].value = 'tip848@gmail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:53:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-dst\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58807084-8600-417b-9bf2-47fb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:53:40.000Z",
"modified": "2017-01-19T07:53:40.000Z",
"pattern": "[email-message:to_refs[*].value = 'deliver@hostpenta.com.xml']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:53:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-dst\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58807085-f248-4cf5-9a5f-4666950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:53:41.000Z",
"modified": "2017-01-19T07:53:41.000Z",
"pattern": "[email-message:to_refs[*].value = 'archive@hostpenta.com.xml']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:53:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-dst\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58807086-775c-4aeb-a65a-4898950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:53:42.000Z",
"modified": "2017-01-19T07:53:42.000Z",
"pattern": "[email-message:to_refs[*].value = 'tim11235@gmail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:53:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-dst\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58807086-53a0-4a37-bf8f-4b83950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:53:42.000Z",
"modified": "2017-01-19T07:53:42.000Z",
"pattern": "[email-message:to_refs[*].value = 'guess515@fastmail.fm']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:53:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-dst\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58807087-4370-4e79-b2ee-4bce950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:53:43.000Z",
"modified": "2017-01-19T07:53:43.000Z",
"pattern": "[email-message:to_refs[*].value = 'tim11235@googlemail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:53:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-dst\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58807088-8d4c-4489-9df2-4d14950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:53:44.000Z",
"modified": "2017-01-19T07:53:44.000Z",
"pattern": "[email-message:to_refs[*].value = 'dude626@gmail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:53:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-dst\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58807089-4074-41eb-ad4b-4e1e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:53:45.000Z",
"modified": "2017-01-19T07:53:45.000Z",
"pattern": "[email-message:to_refs[*].value = 'octo424@gmail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:53:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-dst\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58807089-8f08-4b3b-9ac0-403c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:53:45.000Z",
"modified": "2017-01-19T07:53:45.000Z",
"pattern": "[email-message:to_refs[*].value = 'plars575@gmail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:53:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-dst\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5880708a-3e68-48f3-8aba-4df5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-19T07:53:46.000Z",
"modified": "2017-01-19T07:53:46.000Z",
"pattern": "[email-message:to_refs[*].value = 'purge626@gmail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-19T07:53:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-dst\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}