{
"type" : "bundle" ,
"id" : "bundle--58aafac5-c984-43f3-a1b9-493e950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:29:17.000Z" ,
"modified" : "2017-02-20T14:29:17.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--58aafac5-c984-43f3-a1b9-493e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:29:17.000Z" ,
"modified" : "2017-02-20T14:29:17.000Z" ,
"name" : "OSINT - LAZARUS\u2019 FALSE FLAG MALWARE" ,
"published" : "2017-02-20T14:32:18Z" ,
"object_refs" : [
"observed-data--58aafaf8-405c-4b7d-8f4e-4357950d210f" ,
"url--58aafaf8-405c-4b7d-8f4e-4357950d210f" ,
"x-misp-attribute--58aafb3a-9b70-48a9-b715-4dab950d210f" ,
"indicator--58aafb6d-f0b0-4362-9eb4-4ced950d210f" ,
"indicator--58aafb6e-427c-4e7a-8919-4c2d950d210f" ,
"indicator--58aafb6f-8294-45f2-bacc-4de2950d210f" ,
"indicator--58aafb70-5898-4011-b1e4-48d8950d210f" ,
"indicator--58aafb70-b22c-4584-8088-456d950d210f" ,
"indicator--58aafb91-71a4-476f-981d-41e1950d210f" ,
"observed-data--58aafbc7-9d18-43b7-b027-4018950d210f" ,
"file--58aafbc7-9d18-43b7-b027-4018950d210f" ,
"artifact--58aafbc7-9d18-43b7-b027-4018950d210f" ,
"indicator--58aafc38-87f4-4f3e-b6b7-457c950d210f" ,
"indicator--58aafce1-a080-4233-ab2e-41c002de0b81" ,
"indicator--58aafce1-0978-4c1f-a438-485d02de0b81" ,
"observed-data--58aafce2-9380-439a-9174-4bcd02de0b81" ,
"url--58aafce2-9380-439a-9174-4bcd02de0b81" ,
"indicator--58aafce3-0740-4625-91da-452f02de0b81" ,
"indicator--58aafce4-cf48-49f6-86f7-45b902de0b81" ,
"observed-data--58aafce4-a3dc-4f76-b51e-4a8a02de0b81" ,
"url--58aafce4-a3dc-4f76-b51e-4a8a02de0b81" ,
"indicator--58aafce5-02c4-4787-aac4-499f02de0b81" ,
"indicator--58aafce6-bfe4-42e1-9581-498702de0b81" ,
"observed-data--58aafce7-bfa4-433b-a122-40b702de0b81" ,
"url--58aafce7-bfa4-433b-a122-40b702de0b81" ,
"indicator--58aafce7-0964-457a-bfd5-4fdc02de0b81" ,
"indicator--58aafce8-a700-4de1-9e84-475f02de0b81" ,
"observed-data--58aafce9-8adc-4463-8c5a-467a02de0b81" ,
"url--58aafce9-8adc-4463-8c5a-467a02de0b81" ,
"indicator--58aafcea-8700-4a01-99c5-4ed902de0b81" ,
"indicator--58aafcea-c968-4940-9c36-44d902de0b81" ,
"observed-data--58aafceb-7740-4c6c-97b2-4bce02de0b81" ,
"url--58aafceb-7740-4c6c-97b2-4bce02de0b81" ,
"indicator--58aafd1a-be48-4ca5-af2e-482f950d210f" ,
"indicator--58aafd1a-e8e8-4275-a0b3-4ceb950d210f" ,
"indicator--58aafd1b-7ca8-4258-a429-4787950d210f" ,
"indicator--58aafd1c-cc98-4a0c-9c3c-40b0950d210f" ,
"x-misp-attribute--58aafd3d-a418-4a76-9462-4dcb950d210f" ,
"x-misp-attribute--58aafd3e-eb98-4596-96f1-4b43950d210f"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58aafaf8-405c-4b7d-8f4e-4357950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:38.000Z" ,
"modified" : "2017-02-20T14:27:38.000Z" ,
"first_observed" : "2017-02-20T14:27:38Z" ,
"last_observed" : "2017-02-20T14:27:38Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58aafaf8-405c-4b7d-8f4e-4357950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"admiralty-scale:source-reliability=\"b\"" ,
"osint:source-type=\"blog-post\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58aafaf8-405c-4b7d-8f4e-4357950d210f" ,
"value" : "http://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--58aafb3a-9b70-48a9-b715-4dab950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:38.000Z" ,
"modified" : "2017-02-20T14:27:38.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "We continue to investigate the recent wave of attacks on banks using watering-holes on at least two financial regulator websites as well as others. Our initial analysis of malware disclosed in the BadCyber blog hinted at the involvement of the 'Lazarus' threat actor. Since the release of our report, more samples have come to light, most notably those described in the Polish language niebezpiecznik.pl blog on 7 February 2017."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58aafb6d-f0b0-4362-9eb4-4ced950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:38.000Z" ,
"modified" : "2017-02-20T14:27:38.000Z" ,
"description" : "srservice.chm" ,
"pattern" : "[file:hashes.MD5 = '9216b29114fb6713ef228370cbfe4045']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-20T14:27:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58aafb6e-427c-4e7a-8919-4c2d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:38.000Z" ,
"modified" : "2017-02-20T14:27:38.000Z" ,
"description" : "srservice.hlp" ,
"pattern" : "[file:hashes.MD5 = '8e32fccd70cec634d13795bcb1da85ff']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-20T14:27:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58aafb6f-8294-45f2-bacc-4de2950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:38.000Z" ,
"modified" : "2017-02-20T14:27:38.000Z" ,
"description" : "srservice.dll" ,
"pattern" : "[file:hashes.MD5 = 'e29fe3c181ac9ddbb242688b151f3310']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-20T14:27:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58aafb70-5898-4011-b1e4-48d8950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:38.000Z" ,
"modified" : "2017-02-20T14:27:38.000Z" ,
"description" : "fdsvc.exe" ,
"pattern" : "[file:hashes.MD5 = '9914075cc687bdc352ee136ac6579707']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-20T14:27:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58aafb70-b22c-4584-8088-456d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:38.000Z" ,
"modified" : "2017-02-20T14:27:38.000Z" ,
"description" : "fdsvc.dll" ,
"pattern" : "[file:hashes.MD5 = '9cc6854bc5e217104734043c89dc4ff8']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-20T14:27:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58aafb91-71a4-476f-981d-41e1950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:38.000Z" ,
"modified" : "2017-02-20T14:27:38.000Z" ,
"description" : "cambio.swf" ,
"pattern" : "[file:hashes.MD5 = '6dffcfa68433f886b2e88fd984b4995a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-20T14:27:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58aafbc7-9d18-43b7-b027-4018950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:38.000Z" ,
"modified" : "2017-02-20T14:27:38.000Z" ,
"first_observed" : "2017-02-20T14:27:38Z" ,
"last_observed" : "2017-02-20T14:27:38Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--58aafbc7-9d18-43b7-b027-4018950d210f" ,
"artifact--58aafbc7-9d18-43b7-b027-4018950d210f"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--58aafbc7-9d18-43b7-b027-4018950d210f" ,
"name" : "schema.png" ,
"content_ref" : "artifact--58aafbc7-9d18-43b7-b027-4018950d210f"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--58aafbc7-9d18-43b7-b027-4018950d210f" ,
"payload_bin" : " i V B O R w 0 K G g o A A A A N S U h E U g A A B k A A A A T 2 C A I A A A D 1 Y v i x A A A A A 3 N C S V Q I C A j b 4 U / g A A A A l n p U W H R S Y X c g c H J v Z m l s Z S B 0 e X B l I E F Q U D E A A H i c V Y 5 B D s M g D A T v v I I n j G 0 w 8 B x U k S p S 1 V b 5 / 6 E H S N v s Z a V Z a 9 f h P p 7 j 2 G / x f b y 2 / T F C j D F G k R p S S 0 0 7 U J l S M E F Q o C z k 0 73 V Q g J k 8 c F F G W 9 u L s V 8 X h h A m z 2 J h U x N D a T P f H V 9 P X f + N / L 51 y l d m f 46 s 1 q z u t h 1 S 2 w + A U D 4 A O d V N X T v L P 3 V A A A g A E l E Q V R 4 n O z d d 1 x T V x s H 8 C c J Y e + w k S G g 7 A 1 u A R e 4 J 25 b t 3 X W U W u X d V u t b V / r r K 27 r a t a t 3 W P i n s v B L f s P R J C y L 7 v H 9 e m a Q K I b R G s v + 9 f + Z x z 7 r 3 P T S I m T 55 z D o d h G A I A A A A A A A A A A K i v u H U d A A A A A A A A A A A A Q H W Q w A I A A A A A A A A A g H o N C S w A A A A A A A A A A K j X k M A C A A A A A A A A A I B 6 D Q k s A A A A A A A A A A C o 15 D A A g A A A A A A A A C A e g 0 J L A A A A A A A A A A A q N e Q w A I A A A A A A A A A g H o N C S w A A A A A A A A A A K j X k M A C A A A A A A A A A I B 6 D Q k s A A A A A A A A A A C o 15 D A A g A A A A A A A A C A e s 2 g r g M A A I D X S q V S 5 e T k p K a m 8 n i 8 u o 4 F A A C g V q h U q o C A A C c n J y 4 X P 9 g D A P x H I I E F A P B 2 k U g k B w 4 c G D 9 + f F 0 H A g A A U I v W r l 0 7 c O B A M z O z u g 4 E A A D + H f h F A g D g 7 c L h c A w N D e s 6 C g A A g N p l a G j I 4 X D q O g o A A P j X I I E F A A A A A A A A A A D 1 G h J Y A A A A A A A A A A B Q r y G B B Q A A A A A A A A A A 9 R o W c Q c A e N t 1 i O 84 d e o 0 V 1 c X t V p d 17 E A A A C 8 M i 6 X m 5 G Z 9 d W S L 38 / c 6 q u Y w E A g N q C B B Y A w N v O y s o y w N / P w 8 O t r g M B A A D 4 m y w s z C 0 t z O s 6 C g A A q E W Y Q g g A 8 L Z j G L V K p a r r K A A A A P 4 + l U r F M E x d R w E A A L U I C S w A A A A A A A A A A K j X 
k M A C A A A A A A A A A I B 6 D Q k s A A A A A A A A A A C o 15 D A A g A A A A A A A A C A e g 0 J L A A A A A A A A A A A q N e Q w A I A A A A A A A A A g H o N C S w A A A A A A A A A A K j X k M A C A A A A A A A A A I B 6 D Q k s A A A A A A A A A A C o 15 D A A g A A A A A A A A C A e g 0 J L A A A A A A A A A A A q N e Q w A I A A A A A A A A A g H o N C S w A A A A A A A A A A K j X k M A C A A A A A A A A A I B 6 D Q k s A A A A A A A A A A C o 15 D A A g A A A A A A A A C A e g 0 J L A A A A A A A A A A A q N e Q w A I A A A A A A A A A g H o N C S w A A A A A A A A A A K j X k M A C A A A A A A A A A I B 6 D Q k s A A A A A A A A A A C o 15 D A A g A A A A A A A A C A e g 0 J L A A A A A A A A A A A q N e Q w A I A A A A A A A A A g H o N C S w A A A A A A A A A A K j X k M A C A A A A A A A A A I B 6 D Q k s A A A A A A A A A A C o 15 D A A g A A A A A A A A C A e g 0 J L A A A A A A A A A A A q N e Q w A I A A A A A A A A A g H o N C S w A A A A A A A A A A K j X k M A C A A A A A A A A A I B 6 D Q k s A A A A A A A A A A C o 15 D A A g A A A A A A A A C A e g 0 J L A A A A A A A A A A A q N e Q w A I A A A A A A A A A g H r N o K 4 D A A A A A I A X x O J y t V r F M I y V l V V d x 1 I J h m H K y 8 v V a j W X y z U 3 N 6 / r c A A A A O A t g g o s A A A A g P o i s V 9 / K y s r a 2 v r u g 6 k c i U l p Z 26 d L O y s o q P j 6 / r W A A A A O D t g g o s A A C A 102 p V C k U C r V a p V K p G I Y h I g 6 H w + V y e T w D P t / A w A D / O 78 + c r l C K q 2 o P / V E 1 l b 1 N H X F 4 n I 5 A l t b I h I I B P / 6 y R m G k c p k C r n c 0 N D Q 2 N j 4 X z 9 / z c n l 8 o q K C m N j Y y M j I y J S K p U S i c T A w M D U 1 L S q Q 1 Q q t U w m V S g U H A 7 H 2 N j Y 0 N D w N c Y L A A D w V k A F F g A A w O u j V K q K i o u P n z w 1 Z + 78 H j 17 s 7 U 21 t b W V l Z W 7 d r H f z 577 p n f k 8 r E 4 r o O 8 y 2 y Z d s O K y u r 7 j 16 Z W X n 1 H U s b 7 v i 4 p K 58 x Z a W V k t / n J J p f 8 K l E q l Q q m s 7 T B U K t X + 
/ Q e s r a 137 v q V b b l 167 a H p 8 + c u X N U a r X + e L V a L R S J z l + 48 N 7 Y C d b W 1 u 6 e X g c O H K z t I A E A A N 5 C + I 0 X A A D g d W C I R E L h 70 n n V 65 Y e f z Y Y S I y N j Z p 4 O b + R 70 V 8 + j h g y u X L x Y V F n o 19 L S o H 9 V A b 4 P 5 c 2 c T 0 e l T J 3 b s / H X a 5 I l 1 H c 5 b r a S k + M t F C 4 h o 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
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58aafc38-87f4-4f3e-b6b7-457c950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:38.000Z" ,
"modified" : "2017-02-20T14:27:38.000Z" ,
"description" : "The file fdsvc.dll is an encrypted file, successfully decrypted into a valid DLL (MD5: 889e320cf66520485e1a0475107d7419) by the aforementioned executable fdsvc.exe." ,
"pattern" : "[file:hashes.MD5 = '889e320cf66520485e1a0475107d7419']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-20T14:27:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58aafce1-a080-4233-ab2e-41c002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:45.000Z" ,
"modified" : "2017-02-20T14:27:45.000Z" ,
"description" : "srservice.dll - Xchecked via VT: e29fe3c181ac9ddbb242688b151f3310" ,
"pattern" : "[file:hashes.SHA256 = '6c1d8c4afbc7f85f05fb2e4d17e5553255b0195a0b56ba5309e362e2156debfc']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-20T14:27:45Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58aafce1-0978-4c1f-a438-485d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:45.000Z" ,
"modified" : "2017-02-20T14:27:45.000Z" ,
"description" : "srservice.dll - Xchecked via VT: e29fe3c181ac9ddbb242688b151f3310" ,
"pattern" : "[file:hashes.SHA1 = '7260340b7d7b08b7a9c7e27d9226e17b7170a436']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-20T14:27:45Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58aafce2-9380-439a-9174-4bcd02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:46.000Z" ,
"modified" : "2017-02-20T14:27:46.000Z" ,
"first_observed" : "2017-02-20T14:27:46Z" ,
"last_observed" : "2017-02-20T14:27:46Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58aafce2-9380-439a-9174-4bcd02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58aafce2-9380-439a-9174-4bcd02de0b81" ,
"value" : "https://www.virustotal.com/file/6c1d8c4afbc7f85f05fb2e4d17e5553255b0195a0b56ba5309e362e2156debfc/analysis/1487239802/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58aafce3-0740-4625-91da-452f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:47.000Z" ,
"modified" : "2017-02-20T14:27:47.000Z" ,
"description" : "fdsvc.exe - Xchecked via VT: 9914075cc687bdc352ee136ac6579707" ,
"pattern" : "[file:hashes.SHA256 = 'cd10ffb7a88f0d2ec69326e7a13f00b9ed211a3a719f89a755a29494ff1142e6']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-20T14:27:47Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58aafce4-cf48-49f6-86f7-45b902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:48.000Z" ,
"modified" : "2017-02-20T14:27:48.000Z" ,
"description" : "fdsvc.exe - Xchecked via VT: 9914075cc687bdc352ee136ac6579707" ,
"pattern" : "[file:hashes.SHA1 = 'fa4f2e3f7c56210d1e380ec6d74a0b6dd776994b']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-20T14:27:48Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58aafce4-a3dc-4f76-b51e-4a8a02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:48.000Z" ,
"modified" : "2017-02-20T14:27:48.000Z" ,
"first_observed" : "2017-02-20T14:27:48Z" ,
"last_observed" : "2017-02-20T14:27:48Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58aafce4-a3dc-4f76-b51e-4a8a02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58aafce4-a3dc-4f76-b51e-4a8a02de0b81" ,
"value" : "https://www.virustotal.com/file/cd10ffb7a88f0d2ec69326e7a13f00b9ed211a3a719f89a755a29494ff1142e6/analysis/1487564884/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58aafce5-02c4-4787-aac4-499f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:49.000Z" ,
"modified" : "2017-02-20T14:27:49.000Z" ,
"description" : "fdsvc.dll - Xchecked via VT: 9cc6854bc5e217104734043c89dc4ff8" ,
"pattern" : "[file:hashes.SHA256 = '752b8e93a8f6803b265dd3a7cd39df86997cf99900426635b1b97dd665bd7f9f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-20T14:27:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58aafce6-bfe4-42e1-9581-498702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:50.000Z" ,
"modified" : "2017-02-20T14:27:50.000Z" ,
"description" : "fdsvc.dll - Xchecked via VT: 9cc6854bc5e217104734043c89dc4ff8" ,
"pattern" : "[file:hashes.SHA1 = '11568dffd6325ade217fbe49ce56a3ee5001cbcc']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-20T14:27:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58aafce7-bfa4-433b-a122-40b702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:51.000Z" ,
"modified" : "2017-02-20T14:27:51.000Z" ,
"first_observed" : "2017-02-20T14:27:51Z" ,
"last_observed" : "2017-02-20T14:27:51Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58aafce7-bfa4-433b-a122-40b702de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58aafce7-bfa4-433b-a122-40b702de0b81" ,
"value" : "https://www.virustotal.com/file/752b8e93a8f6803b265dd3a7cd39df86997cf99900426635b1b97dd665bd7f9f/analysis/1487229167/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58aafce7-0964-457a-bfd5-4fdc02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:51.000Z" ,
"modified" : "2017-02-20T14:27:51.000Z" ,
"description" : "cambio.swf - Xchecked via VT: 6dffcfa68433f886b2e88fd984b4995a" ,
"pattern" : "[file:hashes.SHA256 = 'c1b29afcfddb79cfd57545b8600922150843ae2b170fff9aeacdeaa17adbf792']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-20T14:27:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58aafce8-a700-4de1-9e84-475f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:52.000Z" ,
"modified" : "2017-02-20T14:27:52.000Z" ,
"description" : "cambio.swf - Xchecked via VT: 6dffcfa68433f886b2e88fd984b4995a" ,
"pattern" : "[file:hashes.SHA1 = 'ba5a2230ff2068b7fb22de3b83031457d18c3298']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-20T14:27:52Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58aafce9-8adc-4463-8c5a-467a02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:53.000Z" ,
"modified" : "2017-02-20T14:27:53.000Z" ,
"first_observed" : "2017-02-20T14:27:53Z" ,
"last_observed" : "2017-02-20T14:27:53Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58aafce9-8adc-4463-8c5a-467a02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58aafce9-8adc-4463-8c5a-467a02de0b81" ,
"value" : "https://www.virustotal.com/file/c1b29afcfddb79cfd57545b8600922150843ae2b170fff9aeacdeaa17adbf792/analysis/1487563770/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58aafcea-8700-4a01-99c5-4ed902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:54.000Z" ,
"modified" : "2017-02-20T14:27:54.000Z" ,
"description" : "The file fdsvc.dll is an encrypted file, successfully decrypted into a valid DLL (MD5: 889e320cf66520485e1a0475107d7419) by the aforementioned executable fdsvc.exe. - Xchecked via VT: 889e320cf66520485e1a0475107d7419" ,
"pattern" : "[file:hashes.SHA256 = '8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-20T14:27:54Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58aafcea-c968-4940-9c36-44d902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:54.000Z" ,
"modified" : "2017-02-20T14:27:54.000Z" ,
"description" : "The file fdsvc.dll is an encrypted file, successfully decrypted into a valid DLL (MD5: 889e320cf66520485e1a0475107d7419) by the aforementioned executable fdsvc.exe. - Xchecked via VT: 889e320cf66520485e1a0475107d7419" ,
"pattern" : "[file:hashes.SHA1 = 'f5fc9d893ae99f97e43adcef49801782daced2d7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-20T14:27:54Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--58aafceb-7740-4c6c-97b2-4bce02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:27:55.000Z" ,
"modified" : "2017-02-20T14:27:55.000Z" ,
"first_observed" : "2017-02-20T14:27:55Z" ,
"last_observed" : "2017-02-20T14:27:55Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--58aafceb-7740-4c6c-97b2-4bce02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--58aafceb-7740-4c6c-97b2-4bce02de0b81" ,
"value" : "https://www.virustotal.com/file/8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1/analysis/1487179033/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58aafd1a-be48-4ca5-af2e-482f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:28:42.000Z" ,
"modified" : "2017-02-20T14:28:42.000Z" ,
"pattern" : "[file:name = 'cambio.xap']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-20T14:28:42Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58aafd1a-e8e8-4275-a0b3-4ceb950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:28:42.000Z" ,
"modified" : "2017-02-20T14:28:42.000Z" ,
"pattern" : "[file:name = 'mark180789172360.ico']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-20T14:28:42Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58aafd1b-7ca8-4258-a429-4787950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:28:43.000Z" ,
"modified" : "2017-02-20T14:28:43.000Z" ,
"pattern" : "[file:name = 'meml102783047891.dat']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-20T14:28:43Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--58aafd1c-cc98-4a0c-9c3c-40b0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:28:44.000Z" ,
"modified" : "2017-02-20T14:28:44.000Z" ,
"pattern" : "[file:name = 'back283671047171.dat']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-20T14:28:44Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--58aafd3d-a418-4a76-9462-4dcb950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:29:17.000Z" ,
"modified" : "2017-02-20T14:29:17.000Z" ,
"labels" : [
"misp:type=\"pattern-in-traffic\"" ,
"misp:category=\"Network activity\""
] ,
"x_misp_category" : "Network activity" ,
"x_misp_type" : "pattern-in-traffic" ,
"x_misp_value" : "view.jsp?pagenum=1"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--58aafd3e-eb98-4596-96f1-4b43950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-20T14:29:18.000Z" ,
"modified" : "2017-02-20T14:29:18.000Z" ,
"labels" : [
"misp:type=\"pattern-in-traffic\"" ,
"misp:category=\"Network activity\""
] ,
"x_misp_category" : "Network activity" ,
"x_misp_type" : "pattern-in-traffic" ,
"x_misp_value" : "view.jsp?uid="
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}