2023-04-21 13:25:09 +00:00
{
2023-06-14 17:31:25 +00:00
"type" : "bundle" ,
"id" : "bundle--5997e84c-58b8-4652-a5cc-7d9602de0b81" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5997e84c-58b8-4652-a5cc-7d9602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"name" : "OSINT - EngineBox Malware Supports 10+ Brazilian Banks" ,
"published" : "2017-08-19T10:13:53Z" ,
"object_refs" : [
"x-misp-attribute--5997e865-cb68-4ee4-8af9-7da502de0b81" ,
"observed-data--5997e872-99a8-420d-bd26-7da502de0b81" ,
"url--5997e872-99a8-420d-bd26-7da502de0b81" ,
"observed-data--5997e8ad-1e84-4c16-8bcc-7d9b02de0b81" ,
"file--5997e8ad-1e84-4c16-8bcc-7d9b02de0b81" ,
"artifact--5997e8ad-1e84-4c16-8bcc-7d9b02de0b81" ,
"indicator--5997e93e-9454-4c92-8799-60ed02de0b81" ,
"indicator--5997e93e-fafc-4871-984d-60ed02de0b81" ,
"indicator--5997e93e-7adc-4b92-bcc6-60ed02de0b81" ,
"indicator--5997e93e-81f4-4d46-93c3-60ed02de0b81" ,
"indicator--5997e93e-8f28-4958-83b4-60ed02de0b81" ,
"indicator--5997e93e-4b80-46b5-bf97-60ed02de0b81" ,
"indicator--5997e93e-aa10-4c55-8f73-60ed02de0b81" ,
"indicator--5997e953-299c-4c2b-8de4-60f402de0b81" ,
"indicator--5997e954-3d74-4175-aa53-60f402de0b81" ,
"indicator--5997e96b-73c8-4618-8b98-7e3202de0b81" ,
"observed-data--5997e9a7-6f04-429d-8699-7d9c02de0b81" ,
"url--5997e9a7-6f04-429d-8699-7d9c02de0b81" ,
"observed-data--5997e9a7-9b24-4d19-9d85-7d9c02de0b81" ,
"url--5997e9a7-9b24-4d19-9d85-7d9c02de0b81" ,
"observed-data--5997e9a7-9d7c-412c-b2bc-7d9c02de0b81" ,
"url--5997e9a7-9d7c-412c-b2bc-7d9c02de0b81" ,
"indicator--5997e9c9-e970-4309-8d37-7da702de0b81" ,
"indicator--5997e9c9-368c-427d-89d1-7da702de0b81" ,
"observed-data--5997e9c9-d700-442a-a40d-7da702de0b81" ,
"url--5997e9c9-d700-442a-a40d-7da702de0b81" ,
"indicator--5997e9c9-29f8-472d-b78b-7da702de0b81" ,
"indicator--5997e9c9-a80c-4323-991f-7da702de0b81" ,
"observed-data--5997e9c9-0cbc-4b02-a06c-7da702de0b81" ,
"url--5997e9c9-0cbc-4b02-a06c-7da702de0b81" ,
"indicator--5997e9c9-8408-4f50-af82-7da702de0b81" ,
"indicator--5997e9c9-1cac-4f1f-a95b-7da702de0b81" ,
"observed-data--5997e9c9-9de0-4e62-b0f7-7da702de0b81" ,
"url--5997e9c9-9de0-4e62-b0f7-7da702de0b81" ,
"indicator--5997e9c9-caf4-4fc1-a13f-7da702de0b81" ,
"indicator--5997e9c9-c798-40df-b634-7da702de0b81" ,
"observed-data--5997e9c9-ee6c-46bd-907f-7da702de0b81" ,
"url--5997e9c9-ee6c-46bd-907f-7da702de0b81" ,
"indicator--5997e9c9-2990-4673-98ae-7da702de0b81" ,
"indicator--5997e9c9-0cd0-4d39-98e0-7da702de0b81" ,
"observed-data--5997e9c9-ca90-4196-b336-7da702de0b81" ,
"url--5997e9c9-ca90-4196-b336-7da702de0b81" ,
"indicator--5997e9c9-739c-4dba-9067-7da702de0b81" ,
"indicator--5997e9c9-12e4-411c-ba6f-7da702de0b81" ,
"observed-data--5997e9c9-d4f0-4951-b710-7da702de0b81" ,
"url--5997e9c9-d4f0-4951-b710-7da702de0b81"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"veris:actor:motive=\"Financial\"" ,
"circl:topic=\"finance\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5997e865-cb68-4ee4-8af9-7da502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\"" ,
"estimative-language:likelihood-probability=\"very-likely\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "After receiving quite a big amount of malspam with similar messages in my honeypots this week, I decided to dedicate some time to analyze what it was about. To my surprise, after peeling multiple encoding layers protecting the malware\u00e2\u20ac\u2122s core (felt like peeling an onion), I could finally find a sophisticated and well structured banker malware capable of stealing victims' credentials of at least 10 of the biggest Brazilian public and private banks and other financial institutions. Additionally, it can also steal browser, SSH and FTP local stored credentials.\r\n\r\nThe main malware capabilities include a privilege escalation attempt using MS16\u00e2\u20ac\u201c032 exploitation; a HTTP Proxy to intercept banking transactions; a backdoor to make it possible for the attacker to issue arbitrary remote commands and a C&C through a IRC channel. As it's being identified as a \"Generic Trojan\" by most of VirusTotal (VT) engines, let's name it \"EngineBox\"\u00e2\u20ac\u201d the core malware class I saw after reverse engineering it.\r\n\r\nIn today's diary, I'm going to describe the main technical aspects of EngineBox. Let's start with the fluxogram in Figure 1, which illustrates the malware's behavior since the infection vector to the malicious actions. Follow the numbers in blue."
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5997e872-99a8-420d-bd26-7da502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"first_observed" : "2017-08-19T07:33:29Z" ,
"last_observed" : "2017-08-19T07:33:29Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5997e872-99a8-420d-bd26-7da502de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\"" ,
"estimative-language:likelihood-probability=\"very-likely\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5997e872-99a8-420d-bd26-7da502de0b81" ,
"value" : "https://isc.sans.edu/diary/22736"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5997e8ad-1e84-4c16-8bcc-7d9b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"first_observed" : "2017-08-19T07:33:29Z" ,
"last_observed" : "2017-08-19T07:33:29Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5997e8ad-1e84-4c16-8bcc-7d9b02de0b81" ,
"artifact--5997e8ad-1e84-4c16-8bcc-7d9b02de0b81"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\"" ,
"estimative-language:likelihood-probability=\"very-likely\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5997e8ad-1e84-4c16-8bcc-7d9b02de0b81" ,
"name" : "EB-Figure1.png" ,
"content_ref" : "artifact--5997e8ad-1e84-4c16-8bcc-7d9b02de0b81"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--5997e8ad-1e84-4c16-8bcc-7d9b02de0b81" ,
"payload_bin" : " i V B O R w 0 K G g o A A A A N S U h E U g A A A 3 Y A A A S w C A Y A A A C 3 u 9 i q A A A A C X B I W X M A A A 7 E A A A O x A G V K w 4 b A A A g A E l E Q V R 4 n M S 9 d 5 h V 1 f U + / p 5 b Z u 70 X m g z d E S a y C B q L M Q S J C p g V E A s o B F b R C T G l p A Q Y p J P v v Z u b L F g A Q s Y k 2 A D A Y c i I B 1 B 2 g A z w z C F 6e3 O b e f 3 x 3 h P z t 2 z 1 t 77 D O T 57 e f h 4 d 5 z 1 l 7 r X W u v t s 8594 x h m q Y J Y Z i m C c M w 2 G N O z 6 u + 68 g / l T K i K o v 0 0 W N 2 k 8 h 0 V g 2 V n X T m U V j / V 4 O z r 4 i B s o + M 18 n g U P F z 4 p f i M a d + q J K l o 4 f T 407 W 366 X 7 h w Z H i d D l 4 c T u u j g Y v J U y F H N V e U R u x 91 d 610 f P B k 8 s C p y l 0 q e m p w f h 49191 a Q t F 0 B 7 O M h w 5 f V X 5 x Y o P u + p 3 s m H 0 4 y U X U e c 4 e l L 5 c v J 5 s j u P k c e d l e L s j X 8 c G n H 4 y G a q Y 4 H B w n 1 U 2 E G k p 2 a o 65 d R u d l r d u J e t s Y 5 s 3 V 5 K Z U 8 d v U 5 F L u + u b 8 p w d K e f F L F S c 5 z 6 j w 5 P 2 T x d r E 57 O 6 d 9 n Y q f j i 6 q 2 u K k D p F 2 N Y X s 3 x 0 l n S Y i n e 8 n g 0 c H W 3 c a J d W c 7 i 6 u a r 5 K l h M n V v E E + A D t b g P V X V y 69 l T N P V m 8 q i L U X R 7 d p X f a A O r K A + T x 4 K T o O M 0 d 3 W 0 W Z H h O V V x Q 9 C e T G 3 W K X 3 e H 0 7 z W H f n d z T 3 d j U l Z 4 d Z p B k / W x k 6 K s V 3 u / 2 r o N G q i r U Q a 3 e a P m 2 s / 7 y R P y e K c i x V K l t N Y 5 / B Q 51 W + p V s X d W J D 1 E G 0 i W o 4 j T 8 d / t 3 t Q 0 Q Z u m t M 8 d T F a a c 7 m T 5 L F t u n s l d U 1 T k n P a R 9 v i 5 + z m e j N J y e T m q / 7 n D q j z q 1 R K W P r r 4 y + T p r J I u D z q 8 m T A A h M w J / O I T W U B B t o S A C k T A i M O G C g T i 3 B 4 l u D 5 I 8 X i S 4 P X A b L h g A D K O T h w y D E Y l E T F W C P h X D a X P c 3 c b w V O H U T Y i n O k m o 5 s o S l V M b 65 y X 6 W g f O n J P x Z p 2 t y n T m S u j 1 e X T H X / s j g + d b G P 5 v 4 p H p / S 6 D a Z 4 v r v 8 n e L r r l w n Q 1 W E V B i 4 Z u F k s e o W M N V n m T 5 R v N 3 F q i r 6 M l 24 x t p + T M X D C T b d Z o 5 q C j h M n C y R r x N d n T S X s n x h 50 / V C 1 V d F e l V w 0 m d l v m e b t O s s p P u O p 6 K n N Z d j D q D s p W s c V X h 5 n x R Z c u T 1 Y / j p V v 3 V c d U O n C 0 u n m C 4 u e 0 J n C 2 k O n G 6 c f p F R 1 O b K q S 5 z R X y N Z W h p P j I 8 O u 8 l F x X s Q 0 0 R E O o T H Y g d K 2 J u x u q M H R 1 k Z U d 7 S h N R x E O B K B 23 A h x R u P r L g E F C S l Y F R 6 H g q T U p H q j U O 8 y 6 P u E 8 z O c d K N o m r I n I B z Q C o Z O n U 86 p h u Y R V l 6 + i l w q j L S + Z Q T h q u 7 i Q J H V 46 f K N D p 2 j p y N b F S f F 1 U s h U + F T H V Q 2 P b g H U x Q X o P e K i E 88 q e 51 M 86E7 d H 3 f S R y I 57 q D 72 T X 7 l T q o S O / u z H j Z K h s H R 0 q m 4 g 5 V z a H k s X J 5 H K X y r 90 G j U O s 8 o H K B 25 u O U w y P h y u V q U J x 6 z 89 J p q E R 6 n W b s V D R G K l w 6 t C q Z l L / o 0 M i w 6 f q d j r 2 i Q 5 W r q S G z M U e j E 9 v d 8 X v 7 e R 3 f l P H V q V s y H C q / 0 11 X D q d T X 5 X l I p 265 k S m r k 46 P q H i 7 Q Q H x 1 e X j x M 9 n O Z b p 3 w B I A I T b a E g d j V U 418 V h 7 C n 8 Q Q a A x 3 o i I Q Q N j v v 4 k W H C w Z c B h D n c i M 9 z o c z M n J x S V 5 f j M z I Q 7 L b C 5 d N v r j 20 k c x n Q 5 d A z l x J F 16 J 8 l A h d / O z w m v 7 j j Y / 3 I 4 t b P 9 v G 7 h l D V M T u T q 0 q j o Z M 2 B E x y A / O q Q E / m q J k r G j 8 K t S o h O b K 27 Z j p F r 7 v F w g k u p 7 p 2 t + n s r o 2 d F s R T v a 5 O 6 J z i P h l + 4 r q q m i Q n j Q o 3 l 8 L S X T 27 k 9 u c 6 s z x t g 9 Z / n C C Q 8 S j 28 D a c e j m B B l v n V y r q 59 M V x l v u w y K p 0 y e D I O I h 5 M l 4 y P S 68 j m 6 H X W R q f P 0 s l d 3 D G V b C d 2 p L 6 r Z O u c d 5 J n 7 T i 6 k 6 t l 9 L q 9 g Y p e F R + i D r p x F h 2 y N Z T h c + o f M l t w f i F b G 51 a Q 8 W t D h b q n D 8 U x K G W e v z r 2 E F 8 U 1 O O 2 o A f k e h W 7 k e e H s O A x + W C A Q P B S A Q h s 5 P C M A y 4 D Q N p n j h c m F e A K T 0 H Y U B y B r w u l y X L r k O X j Z 0 O Q B n d q W g q T i Y o R Z q T K Z o q W d 1 d Y B k P X S f k Z O j S c V h 1 C 4 N M l k p H F Q a n Q 1 d X W f K 0 4 / t f r L l u w a I S m W 6 i d I L H C V 4 R 56 m g l 9 H o + p V K J y e F g d J B R 4 b u v O 74 q N P P O v J P R Y x x P i u b K 9 L J G k G u 2 a B 4 U H S q N e d y H F c P R D n i Z z u 9 T n P F 2 U j V b N i x y G z h Z M i a G k o m p x u F R 8 V X h V u H L / W / H a f K f 1 T Y Z G u g 8 k s R g 0 w 3 z v c 5 G i d 5 T c b / Z G u 7 z j i Z 3 K t T b 53 w V u U M G W + Z j a K D W x e d + u / U N + 0 y V b 4 h x r B 4 X J W v d H y a G r K 44 u g p P E 7 m 69 R G V X 6 S x b x M X p Q m 1 t 4 G A p E Q t t Z X 4 q P S f d h a X 4 m w a S I 9 z o d k T x w A o D 0 c R K L b g 96 J q c i N T 4 T L M F D p b 8 G R 1 k Z U t L f C H w k B J m A Y Q I L b g 7 G Z P X F t w W k Y m Z Y D n 9 v T B Z u 1 s e t O A O s a W G Y I p 82 O D p 7 u 8 J H N 1 U 1 y p y I J 6 v B 2 o p 9 O 4 Y y O k 8 H e n U D X s a c M l 0 7 S 0 L W V L E m f 6 q F j q + 7E1 s n K 1 m 0 i V b y 602 R 2 V 6 d T 1 Y C c q h x z M j K c 8 O 5 O b J w s x p P 125 O d 54 S 3 U 35 O P 8 t k O W 0 u d H h z D b m M v j v 1 Q o W Z o o 3 i s n + P D r H p t N P q y N X t I 0 S + T v O c L k 6 u Z p 6 K Z l P k r 9 t 4 d 6 d m U Y 0 + N 19 H Z 1 k j r I N P V x 8 V n a o m i Z i 6 m y N k t L q x J 8 O t 4 q E 6 p o q P 7 g y n / Z b M J 3 R k U U P W m 4 t 0 X F 7 Q 5 c P l N K c 6 h C I R 7 G k 6 g d d L d m B r X R X i X C 6 M z e y B C / M K k B e f B B N A Y 9 C P J E 8 c c u M T 4 T H c C J s R t E d C K G 1 r x F e V h 3 G w p Q H + U A j t 4 S D 8 k Q g S 3 B 6 M y c j H d Y V D M S o j D 17 D F W t 3 U 0 C t E 1 R O m x v V A n e 3 m Z A t E q U D l W y 4 z + J 8 W a B Q z q y y k S w J O E n m O o l G d c z J e V 0 a n f n d b S z + l + e d Y p P R O 20 Q Z f N k C V S X h w 4 d o H + 3 g Y s V 3 d H d u K d o d O n t Q 8 e e J 9 v 8 d s e m 3 c m p 1 P H u 2 s d p 42 M f q t g R h 24 j T e V K + x x V H t X J 8 T K Z q t x M D Z 340 G l o d Z p D n Z q s Y y O d J k 3 W / K h y k j h U 9 U 6 X V s T o F C f X 2 O n m R / E 4 d 0 z H n r I e j N K Z o t X x G R 1 a H X u q e H G 2 V d F 3 B 7 O O T N l w g j F K o + o J Z P 4 h y u F 4 / i 91 V O U M E a N O P 8 L F u g 6 t z H + c 9 A Q y P W R z V P Z 0 k m c i M H G 4 t R G v H 9 y B t T X l 8 L p c + F l + X 1 x b c B p 6 J a Q g b J p o D 4 c Q j E T g N g w 0 B P 3 Y 3 V i L 2 o 42 Z M c n Y E h K J h I 9 X j Q F O 1 D p b 8 W 2 + i p s r D u O 4 + 0 t 8 B o u n J v d C 7 c O O A P 9 k 9 I s 2 Y Y h P I q p 21 R Q 9 D J j y A L T a e O q K i A 653 X P O X E o J z i 6 k 7 h U A S a z Y 3 S e T i O g G + Q 6 S Y g r i k 6 T A 1 d g K X u o z q u S o S q J O x 3 d 8 Z 1 T y U v l H y q 67 u L v T h L W L e A U N i c N h g r L y e C y 0 z n x c 90 G o T u F 3 I 5 N R w + V j r I 8 E + W v s 0 a c P K d 0 O v T 2 c S o w O B 3 d s e W p 8 E G O 7 l T p 4 S Q 3 q n y w O 3 E i q 0 N O c p 4 d k y p 3 O K l 9 O n 3 A q f J 7 V Q w 68 T c n w 6 l t n P D s b h 1 x 4 k 9 O + e h g j w 6 q V 4 p + t t P q 5 H U d f 6 b m 6 + J 32 q + p + K h w q s 45 y d u c H i I e k c / J + j 4 n E w A i k Q h O d L T j / d K 9 + P z 4 I e T 5 k l C U m Y 9 L 8 / u h f 1 I 6 a j r a s K u h B h X + F v j D Y b g N A / 5 I E A O T M 9 A 3 M Q 1 H 25 p Q 0 t K A M Z n 5 G J m W C 6 / L h a A Z w c 6 G a v y j Z A d 2 N Z y A x 3 D h m o I h u L F w O D L i f Z a e H j s Q n U a I M 5 r M M N S 56 D G q Y V E Z 2 a k s O 2 Y n C 8 g V T R 0 c T j G I R U W k 4 b 6 L A a T i o 8 K i o r f T q Z K 4 / b t O w d K d z 9 l P 1 M s 0 z S 64 K D t R M l X J Q H f t q Y S t 4 + c q e 4 p 0 H C Z R X 0 6 m z B + c N O c y r L L 5 M v y q N a T 4 y G y h w k v F k O h L O v x 1 b a q K R e r / 7 j R N K s w y n q I t d P K T k 0 Z A h V M W M z q + x s U 7 R 6 f C 2 x 2 M X E 6 h s H E + Y p c v 8 u T W k q t j s l z E N X l c b O j Y y E n u 0 c k T M j t S v q q b R 6 j a J s r X r Q s 6 e V M 3 V p y c p 2 o h t 8 a c j t x Q + Y y Y K 0 + m l s p s 46 T / s H / n 8 H M
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5997e93e-9454-4c92-8799-60ed02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"description" : "W7.zip" ,
"pattern" : "[file:hashes.MD5 = 'f9f6bc998dcb8a3f04dffcc6b81dcfc3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-19T07:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5997e93e-fafc-4871-984d-60ed02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"description" : "W7.dll" ,
"pattern" : "[file:hashes.MD5 = 'e99d3c9d3ee9c8a8448aa3d427c04f0e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-19T07:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5997e93e-7adc-4b92-bcc6-60ed02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"description" : "1508201700016067882247230289631.vbs" ,
"pattern" : "[file:hashes.MD5 = '78b86206541debb3819e51b7e9c48434']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-19T07:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5997e93e-81f4-4d46-93c3-60ed02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"description" : "aw7.tiff" ,
"pattern" : "[file:hashes.MD5 = 'bb6756c97ab58fdfeecfe8c75b4bb81e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-19T07:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5997e93e-8f28-4958-83b4-60ed02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"description" : "aw7.dll" ,
"pattern" : "[file:hashes.MD5 = '90ce84d389eabf96b4ad2f3bb083dada']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-19T07:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5997e93e-4b80-46b5-bf97-60ed02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"description" : "malware-binary.exe" ,
"pattern" : "[file:hashes.MD5 = 'eb32c070e658937aa9fa9f3ae629b2b8']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-19T07:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5997e93e-aa10-4c55-8f73-60ed02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"description" : "westeros-x.ps" ,
"pattern" : "[file:hashes.MD5 = 'f476db89c2f6621cc36c4a7a11e1e7a3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-19T07:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5997e953-299c-4c2b-8de4-60f402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"pattern" : "[url:value = 'http://vimfvl6s.bslah3d1ajofjeatqu1qlkiurm0iyzwd.xyz/vzcD8L.php?vzcD8L=vIMfVL6sSUPORTE']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-19T07:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5997e954-3d74-4175-aa53-60f402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"pattern" : "[url:value = 'http://170.254.236.10/westeros/x']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-19T07:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5997e96b-73c8-4618-8b98-7e3202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"description" : "On port 443 but (the connection is not over SSL)" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '54.232.207.222' AND network-traffic:dst_port = '443']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-19T07:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"ip-dst|port\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5997e9a7-6f04-429d-8699-7d9c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"first_observed" : "2017-08-19T07:33:29Z" ,
"last_observed" : "2017-08-19T07:33:29Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5997e9a7-6f04-429d-8699-7d9c02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5997e9a7-6f04-429d-8699-7d9c02de0b81" ,
"value" : "https://technet.microsoft.com/en-us/library/security/ms16-032.aspx"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5997e9a7-9b24-4d19-9d85-7d9c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"first_observed" : "2017-08-19T07:33:29Z" ,
"last_observed" : "2017-08-19T07:33:29Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5997e9a7-9b24-4d19-9d85-7d9c02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5997e9a7-9b24-4d19-9d85-7d9c02de0b81" ,
"value" : "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5997e9a7-9d7c-412c-b2bc-7d9c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"first_observed" : "2017-08-19T07:33:29Z" ,
"last_observed" : "2017-08-19T07:33:29Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5997e9a7-9d7c-412c-b2bc-7d9c02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5997e9a7-9d7c-412c-b2bc-7d9c02de0b81" ,
"value" : "http://www.ilspy.net/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5997e9c9-e970-4309-8d37-7da702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"description" : "westeros-x.ps - Xchecked via VT: f476db89c2f6621cc36c4a7a11e1e7a3" ,
"pattern" : "[file:hashes.SHA256 = 'e3fe4546a5930d584f9a1ccd0ab0cb8eac041821cc238010f18190cfc25f845a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-19T07:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5997e9c9-368c-427d-89d1-7da702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"description" : "westeros-x.ps - Xchecked via VT: f476db89c2f6621cc36c4a7a11e1e7a3" ,
"pattern" : "[file:hashes.SHA1 = 'da18ecbf61875bab1e71fc13ce2c7ec7e3ebee6a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-19T07:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5997e9c9-d700-442a-a40d-7da702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"first_observed" : "2017-08-19T07:33:29Z" ,
"last_observed" : "2017-08-19T07:33:29Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5997e9c9-d700-442a-a40d-7da702de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5997e9c9-d700-442a-a40d-7da702de0b81" ,
"value" : "https://www.virustotal.com/file/e3fe4546a5930d584f9a1ccd0ab0cb8eac041821cc238010f18190cfc25f845a/analysis/1503114310/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5997e9c9-29f8-472d-b78b-7da702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"description" : "malware-binary.exe - Xchecked via VT: eb32c070e658937aa9fa9f3ae629b2b8" ,
"pattern" : "[file:hashes.SHA256 = '70ba57fb0bf2f34b86426d21559f5f6d05c1268193904de8e959d7b06ce964ce']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-19T07:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5997e9c9-a80c-4323-991f-7da702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"description" : "malware-binary.exe - Xchecked via VT: eb32c070e658937aa9fa9f3ae629b2b8" ,
"pattern" : "[file:hashes.SHA1 = 'f393d7b531cd44ce418647fe95715adc3e3c61d2']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-19T07:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5997e9c9-0cbc-4b02-a06c-7da702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"first_observed" : "2017-08-19T07:33:29Z" ,
"last_observed" : "2017-08-19T07:33:29Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5997e9c9-0cbc-4b02-a06c-7da702de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5997e9c9-0cbc-4b02-a06c-7da702de0b81" ,
"value" : "https://www.virustotal.com/file/70ba57fb0bf2f34b86426d21559f5f6d05c1268193904de8e959d7b06ce964ce/analysis/1503098248/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5997e9c9-8408-4f50-af82-7da702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"description" : "aw7.dll - Xchecked via VT: 90ce84d389eabf96b4ad2f3bb083dada" ,
"pattern" : "[file:hashes.SHA256 = '7e476e43a56a56420b5ca05db29979332b327b1c2ccd79f86943a10714afd730']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-19T07:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5997e9c9-1cac-4f1f-a95b-7da702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"description" : "aw7.dll - Xchecked via VT: 90ce84d389eabf96b4ad2f3bb083dada" ,
"pattern" : "[file:hashes.SHA1 = '918a80d5c982ba2f3b51c92949b15b1fc8caf2e9']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-19T07:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5997e9c9-9de0-4e62-b0f7-7da702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"first_observed" : "2017-08-19T07:33:29Z" ,
"last_observed" : "2017-08-19T07:33:29Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5997e9c9-9de0-4e62-b0f7-7da702de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5997e9c9-9de0-4e62-b0f7-7da702de0b81" ,
"value" : "https://www.virustotal.com/file/7e476e43a56a56420b5ca05db29979332b327b1c2ccd79f86943a10714afd730/analysis/1503123304/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5997e9c9-caf4-4fc1-a13f-7da702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"description" : "aw7.tiff - Xchecked via VT: bb6756c97ab58fdfeecfe8c75b4bb81e" ,
"pattern" : "[file:hashes.SHA256 = '9663e164be742893c6d1b4586796bff9b778d695823a09cfada18bec0106414a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-19T07:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5997e9c9-c798-40df-b634-7da702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"description" : "aw7.tiff - Xchecked via VT: bb6756c97ab58fdfeecfe8c75b4bb81e" ,
"pattern" : "[file:hashes.SHA1 = 'edac27ccb0191bd0726af39b13226f073452cde7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-19T07:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5997e9c9-ee6c-46bd-907f-7da702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"first_observed" : "2017-08-19T07:33:29Z" ,
"last_observed" : "2017-08-19T07:33:29Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5997e9c9-ee6c-46bd-907f-7da702de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5997e9c9-ee6c-46bd-907f-7da702de0b81" ,
"value" : "https://www.virustotal.com/file/9663e164be742893c6d1b4586796bff9b778d695823a09cfada18bec0106414a/analysis/1502992532/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5997e9c9-2990-4673-98ae-7da702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"description" : "1508201700016067882247230289631.vbs - Xchecked via VT: 78b86206541debb3819e51b7e9c48434" ,
"pattern" : "[file:hashes.SHA256 = 'c05836c76d0e462bb817742f1c4a9ea2db523161c5b9c8506cfb8c7335060e57']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-19T07:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5997e9c9-0cd0-4d39-98e0-7da702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"description" : "1508201700016067882247230289631.vbs - Xchecked via VT: 78b86206541debb3819e51b7e9c48434" ,
"pattern" : "[file:hashes.SHA1 = 'f6c940072ce82b7f58a6a86e49d57e2c9a92c154']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-19T07:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5997e9c9-ca90-4196-b336-7da702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"first_observed" : "2017-08-19T07:33:29Z" ,
"last_observed" : "2017-08-19T07:33:29Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5997e9c9-ca90-4196-b336-7da702de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5997e9c9-ca90-4196-b336-7da702de0b81" ,
"value" : "https://www.virustotal.com/file/c05836c76d0e462bb817742f1c4a9ea2db523161c5b9c8506cfb8c7335060e57/analysis/1503123770/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5997e9c9-739c-4dba-9067-7da702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"description" : "W7.zip - Xchecked via VT: f9f6bc998dcb8a3f04dffcc6b81dcfc3" ,
"pattern" : "[file:hashes.SHA256 = '66c3cae1464231a801b0388a5ea858883118b9ef529fa7071146fae0bdb93565']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-19T07:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5997e9c9-12e4-411c-ba6f-7da702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"description" : "W7.zip - Xchecked via VT: f9f6bc998dcb8a3f04dffcc6b81dcfc3" ,
"pattern" : "[file:hashes.SHA1 = '1812647fafd4f086614c950cfc8c6b405cfc1fac']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-19T07:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5997e9c9-d4f0-4951-b710-7da702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-19T07:33:29.000Z" ,
"modified" : "2017-08-19T07:33:29.000Z" ,
"first_observed" : "2017-08-19T07:33:29Z" ,
"last_observed" : "2017-08-19T07:33:29Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5997e9c9-d4f0-4951-b710-7da702de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5997e9c9-d4f0-4951-b710-7da702de0b81" ,
"value" : "https://www.virustotal.com/file/66c3cae1464231a801b0388a5ea858883118b9ef529fa7071146fae0bdb93565/analysis/1502994328/"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
2023-04-21 13:25:09 +00:00
]
}