{
"type" : "bundle" ,
"id" : "bundle--59a1a900-0714-4bcc-be9f-447c02de0b81" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--59a1a900-0714-4bcc-be9f-447c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"name" : "OSINT - Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures" ,
"published" : "2017-08-26T19:39:55Z" ,
"object_refs" : [
"observed-data--59a1a90c-8e04-4fc8-bf0e-447d02de0b81" ,
"url--59a1a90c-8e04-4fc8-bf0e-447d02de0b81" ,
"x-misp-attribute--59a1a91a-f438-4135-a500-ae1a02de0b81" ,
"indicator--59a1ce0d-af54-429a-9a56-408d02de0b81" ,
"indicator--59a1ce0d-c274-4745-8395-46ca02de0b81" ,
"indicator--59a1ce0d-f620-4573-be85-427202de0b81" ,
"indicator--59a1ce0d-c218-45cc-b7fe-415f02de0b81" ,
"indicator--59a1ce0d-d6b8-43fd-affa-428b02de0b81" ,
"indicator--59a1ce0d-0560-46d0-9d6a-4eb102de0b81" ,
"indicator--59a1ce0d-2dac-490c-a7d4-459102de0b81" ,
"indicator--59a1ce0d-30b8-4c6d-9066-4ae002de0b81" ,
"indicator--59a1ce0d-4ca8-4322-ad44-4f1a02de0b81" ,
"indicator--59a1ce0d-eef8-48eb-b77a-495702de0b81" ,
"indicator--59a1ce0d-f94c-4cb2-92b6-47c602de0b81" ,
"indicator--59a1ce0d-2624-4905-896e-43a702de0b81" ,
"indicator--59a1ce0d-7d98-42d8-b7bc-488f02de0b81" ,
"indicator--59a1ce0d-df10-451e-94bb-40d602de0b81" ,
"indicator--59a1ce0d-9e24-4465-939f-462f02de0b81" ,
"indicator--59a1ce0d-b9b0-4eb2-a26a-4b9102de0b81" ,
"indicator--59a1ce0d-c1d0-48d8-a50b-487b02de0b81" ,
"indicator--59a1ce0d-c3d4-44ca-9a77-4b1602de0b81" ,
"observed-data--59a1ce3e-2f44-4cd3-8e28-add202de0b81" ,
"url--59a1ce3e-2f44-4cd3-8e28-add202de0b81" ,
"observed-data--59a1ce3e-d3f0-4f4f-aa69-add202de0b81" ,
"url--59a1ce3e-d3f0-4f4f-aa69-add202de0b81" ,
"observed-data--59a1ce3e-8710-4479-8ad0-add202de0b81" ,
"url--59a1ce3e-8710-4479-8ad0-add202de0b81" ,
"observed-data--59a1ce3f-7ddc-43eb-aae7-add202de0b81" ,
"url--59a1ce3f-7ddc-43eb-aae7-add202de0b81" ,
"observed-data--59a1ce3f-e8d8-4ba8-82e2-add202de0b81" ,
"url--59a1ce3f-e8d8-4ba8-82e2-add202de0b81" ,
"observed-data--59a1ce3f-f950-4a5c-a1c6-add202de0b81" ,
"url--59a1ce3f-f950-4a5c-a1c6-add202de0b81" ,
"observed-data--59a1ce3f-8bb8-46d8-9e93-add202de0b81" ,
"url--59a1ce3f-8bb8-46d8-9e93-add202de0b81" ,
"indicator--59a1ce7c-bbdc-4f01-ad34-4af202de0b81" ,
"indicator--59a1ce7c-3e08-4941-8a7c-4fe102de0b81" ,
"observed-data--59a1ce7c-71fc-46a8-8deb-414302de0b81" ,
"url--59a1ce7c-71fc-46a8-8deb-414302de0b81" ,
"indicator--59a1ce7c-5b34-423e-98a4-48af02de0b81" ,
"indicator--59a1ce7c-2fb8-4784-9876-490002de0b81" ,
"observed-data--59a1ce7c-c558-42cf-989b-4b9f02de0b81" ,
"url--59a1ce7c-c558-42cf-989b-4b9f02de0b81" ,
"indicator--59a1ce7c-16f0-4356-a71d-477302de0b81" ,
"indicator--59a1ce7c-b4ac-4c0e-ab92-4bf302de0b81" ,
"observed-data--59a1ce7c-c8a8-4982-be1c-489702de0b81" ,
"url--59a1ce7c-c8a8-4982-be1c-489702de0b81" ,
"indicator--59a1ce7c-3518-4970-b6c7-4bc002de0b81" ,
"indicator--59a1ce7c-3570-4889-a5ba-427702de0b81" ,
"observed-data--59a1ce7c-1ed8-47df-a9b9-425402de0b81" ,
"url--59a1ce7c-1ed8-47df-a9b9-425402de0b81" ,
"indicator--59a1ce7c-f688-48e0-9763-4b1e02de0b81" ,
"indicator--59a1ce7c-68f8-44db-9bb5-409e02de0b81" ,
"observed-data--59a1ce7c-8e60-4246-a504-443802de0b81" ,
"url--59a1ce7c-8e60-4246-a504-443802de0b81" ,
"indicator--59a1ce7c-6334-4439-bc93-44f502de0b81" ,
"indicator--59a1ce7c-96b8-475f-be09-48c102de0b81" ,
"observed-data--59a1ce7c-d6fc-416b-9324-43f502de0b81" ,
"url--59a1ce7c-d6fc-416b-9324-43f502de0b81" ,
"indicator--59a1ce7c-1950-43f5-893e-4f6402de0b81" ,
"indicator--59a1ce7c-2eb8-4bc7-aeb6-455d02de0b81" ,
"observed-data--59a1ce7c-8008-4639-bce8-4b7a02de0b81" ,
"url--59a1ce7c-8008-4639-bce8-4b7a02de0b81" ,
"indicator--59a1ce7c-cbbc-4984-8e85-419b02de0b81" ,
"indicator--59a1ce7c-ade4-4b9c-b213-46a002de0b81" ,
"observed-data--59a1ce7c-d288-48a4-a173-4f6002de0b81" ,
"url--59a1ce7c-d288-48a4-a173-4f6002de0b81" ,
"indicator--59a1ce7c-b694-4d38-8305-4e0d02de0b81" ,
"indicator--59a1ce7c-48bc-4081-9523-41a602de0b81" ,
"observed-data--59a1ce7c-624c-408b-8fb8-42e902de0b81" ,
"url--59a1ce7c-624c-408b-8fb8-42e902de0b81" ,
"indicator--59a1ce7c-cc38-4ce4-a3c9-471702de0b81" ,
"indicator--59a1ce7c-d0b0-4f83-8433-4dfe02de0b81" ,
"observed-data--59a1ce7c-b7b8-474b-bd23-455c02de0b81" ,
"url--59a1ce7c-b7b8-474b-bd23-455c02de0b81"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"osint:source-type=\"blog-post\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59a1a90c-8e04-4fc8-bf0e-447d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"first_observed" : "2017-08-26T19:39:39Z" ,
"last_observed" : "2017-08-26T19:39:39Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59a1a90c-8e04-4fc8-bf0e-447d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59a1a90c-8e04-4fc8-bf0e-447d02de0b81" ,
"value" : "https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--59a1a91a-f438-4135-a500-ae1a02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "Proofpoint recently observed a targeted email campaign attempting a spearphishing attack using a Game of Thrones lure. The malicious attachment, which offered salacious spoilers and video clips, attempted to install a \u201c9002\u201d remote access Trojan (RAT) historically used by state-sponsored actors. Previous attacks involving the 9002 RAT include:\r\n\r\nOperation Aurora, an attack on companies such as Google, widely attributed to the Chinese government [1,2]\r\nOperation Ephemeral Hydra, a strategic website compromise utilizing an Internet Explorer zero-day [3], which FireEye attributed to an APT actor without a country attribution\r\nAttacks on Asian countries described by Palo Alto [4]\r\nOnce installed, the 9002 RAT provides attackers with extensive data exfiltration capabilities."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce0d-af54-429a-9a56-408d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"pattern" : "[url:value = 'http://27.255.83.3/x/']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce0d-c274-4745-8395-46ca02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"pattern" : "[url:value = 'http://27.255.83.3/y/']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce0d-f620-4573-be85-427202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.255.83.3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce0d-c218-45cc-b7fe-415f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"pattern" : "[file:hashes.SHA256 = '9e49d214e2325597b6d648780cf8980f4cc16811b21f586308e3e9866f40d1cd']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce0d-d6b8-43fd-affa-428b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"description" : "%APPDATA%\\y.jpg" ,
"pattern" : "[file:hashes.SHA256 = '5a678529aea9195b787be8c788ef4bb03e38e425ad6d0c9fafd44ed03aa46b65']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce0d-0560-46d0-9d6a-4eb102de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"pattern" : "[file:hashes.SHA256 = 'efdb6351ac3902b18535fcd30432e98ffa2d8bc4224bdb3aba7f8ca0f44cec79']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce0d-2dac-490c-a7d4-459102de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"description" : "Party_photos_201612.zip" ,
"pattern" : "[file:hashes.SHA256 = 'bdd695363117ba9fb23a7cbcd484d79e7a469c11ab9a6e2ad9a50c678097f100']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce0d-30b8-4c6d-9066-4ae002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"description" : "need help.docx" ,
"pattern" : "[file:hashes.SHA256 = '192e8925589fa9a7f64cba04817c180e6f26ad080bf0f966a63a3280766b066a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce0d-4ca8-4322-ad44-4f1a02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"description" : "Party-001.jpg.lnk" ,
"pattern" : "[file:hashes.SHA256 = '774acdc37157e7560eca4a167558780e1cc2f5dfd203cbcb795ec05373d46fe0']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce0d-eef8-48eb-b77a-495702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"description" : "Photos20140214.zip" ,
"pattern" : "[file:hashes.SHA256 = '56dda2ed3cd67cadc53f4b9e493c4601e45c5112772ade5b0c36b61858ab7852']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce0d-f94c-4cb2-92b6-47c602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"description" : "Party-pics-201304.zip" ,
"pattern" : "[file:hashes.SHA256 = '83151fe6980a39eeda961c6a8f0baba13b6da853661ccbf5c7d9a97ec73d1b70']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce0d-2624-4905-896e-43a702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"description" : "Party_Photos_Packed.zip" ,
"pattern" : "[file:hashes.SHA256 = 'b54d547e33b0ea6ba161ac4ce06a50076f1e55a3bc592a0fb56bbc34dc96fd43']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce0d-7d98-42d8-b7bc-488f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"description" : "Photos20140215.zip" ,
"pattern" : "[file:hashes.SHA256 = 'db6b67704b77d271e40e0259a68ce2224504081545619d33b4909e6e6a385ec6']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce0d-df10-451e-94bb-40d602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"description" : "PartyPics.7z" ,
"pattern" : "[file:hashes.SHA256 = 'fb8eff8dcf41a4cfd0b5775327a607b76269b725f1b46dc5dd04b1f5e2433ee7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce0d-9e24-4465-939f-462f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"description" : "PhotoShow.jar" ,
"pattern" : "[file:hashes.SHA256 = '559c0f2948d1d3179420eecd78b1e7c36c4960ec5d110c63bf6c853d30f1b308']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce0d-b9b0-4eb2-a26a-4b9102de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"description" : "Upins_tmp.exe (dropped by PhotoShow.jar)" ,
"pattern" : "[file:hashes.SHA256 = '0b7613e0f739eb63fd5ed9e99934d54a38e56c558ab8d1a4f586a7c88d37a428']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce0d-c1d0-48d8-a50b-487b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"pattern" : "[domain-name:value = 'mn1.org']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce0d-c3d4-44ca-9a77-4b1602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"pattern" : "[domain-name:value = 'mx.i26.org']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"hostname\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59a1ce3e-2f44-4cd3-8e28-add202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"first_observed" : "2017-08-26T19:39:39Z" ,
"last_observed" : "2017-08-26T19:39:39Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59a1ce3e-2f44-4cd3-8e28-add202de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59a1ce3e-2f44-4cd3-8e28-add202de0b81" ,
"value" : "https://community.saas.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/228686#.WaBdzB9ifW8"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59a1ce3e-d3f0-4f4f-aa69-add202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"first_observed" : "2017-08-26T19:39:39Z" ,
"last_observed" : "2017-08-26T19:39:39Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59a1ce3e-d3f0-4f4f-aa69-add202de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59a1ce3e-d3f0-4f4f-aa69-add202de0b81" ,
"value" : "http://www.washingtontimes.com/news/2010/mar/24/cyber-attack-on-us-firms-google-traced-to-chinese/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59a1ce3e-8710-4479-8ad0-add202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"first_observed" : "2017-08-26T19:39:39Z" ,
"last_observed" : "2017-08-26T19:39:39Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59a1ce3e-8710-4479-8ad0-add202de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59a1ce3e-8710-4479-8ad0-add202de0b81" ,
"value" : "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59a1ce3f-7ddc-43eb-aae7-add202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"first_observed" : "2017-08-26T19:39:39Z" ,
"last_observed" : "2017-08-26T19:39:39Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59a1ce3f-7ddc-43eb-aae7-add202de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59a1ce3f-7ddc-43eb-aae7-add202de0b81" ,
"value" : "https://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59a1ce3f-e8d8-4ba8-82e2-add202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"first_observed" : "2017-08-26T19:39:39Z" ,
"last_observed" : "2017-08-26T19:39:39Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59a1ce3f-e8d8-4ba8-82e2-add202de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59a1ce3f-e8d8-4ba8-82e2-add202de0b81" ,
"value" : "https://github.com/EmpireProject/Empire/blob/master/data/module_source/code_execution/Invoke-Shellcode.ps1"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59a1ce3f-f950-4a5c-a1c6-add202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"first_observed" : "2017-08-26T19:39:39Z" ,
"last_observed" : "2017-08-26T19:39:39Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59a1ce3f-f950-4a5c-a1c6-add202de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59a1ce3f-f950-4a5c-a1c6-add202de0b81" ,
"value" : "http://security-is-just-an-illusion.blogspot.nl/2013/02/45-x-antivirus-software-fail-again-java.html"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59a1ce3f-8bb8-46d8-9e93-add202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:39.000Z" ,
"modified" : "2017-08-26T19:39:39.000Z" ,
"first_observed" : "2017-08-26T19:39:39Z" ,
"last_observed" : "2017-08-26T19:39:39Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59a1ce3f-8bb8-46d8-9e93-add202de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59a1ce3f-8bb8-46d8-9e93-add202de0b81" ,
"value" : "https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce7c-bbdc-4f01-ad34-4af202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"description" : "PhotoShow.jar - Xchecked via VT: 559c0f2948d1d3179420eecd78b1e7c36c4960ec5d110c63bf6c853d30f1b308" ,
"pattern" : "[file:hashes.SHA1 = 'fb262cae70ea79b831b6b4e049d03fb27ba93b10']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce7c-3e08-4941-8a7c-4fe102de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"description" : "PhotoShow.jar - Xchecked via VT: 559c0f2948d1d3179420eecd78b1e7c36c4960ec5d110c63bf6c853d30f1b308" ,
"pattern" : "[file:hashes.MD5 = '300eb3eb70e30332cc339487f19c1123']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59a1ce7c-71fc-46a8-8deb-414302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"first_observed" : "2017-08-26T19:39:40Z" ,
"last_observed" : "2017-08-26T19:39:40Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59a1ce7c-71fc-46a8-8deb-414302de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59a1ce7c-71fc-46a8-8deb-414302de0b81" ,
"value" : "https://www.virustotal.com/file/559c0f2948d1d3179420eecd78b1e7c36c4960ec5d110c63bf6c853d30f1b308/analysis/1399034900/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce7c-5b34-423e-98a4-48af02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"description" : "PartyPics.7z - Xchecked via VT: fb8eff8dcf41a4cfd0b5775327a607b76269b725f1b46dc5dd04b1f5e2433ee7" ,
"pattern" : "[file:hashes.SHA1 = '6b323d58163f0feb4b3c351f00fac34df048f618']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce7c-2fb8-4784-9876-490002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"description" : "PartyPics.7z - Xchecked via VT: fb8eff8dcf41a4cfd0b5775327a607b76269b725f1b46dc5dd04b1f5e2433ee7" ,
"pattern" : "[file:hashes.MD5 = '4fa9e1ee1943edbfc1f47abec1e166a6']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59a1ce7c-c558-42cf-989b-4b9f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"first_observed" : "2017-08-26T19:39:40Z" ,
"last_observed" : "2017-08-26T19:39:40Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59a1ce7c-c558-42cf-989b-4b9f02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59a1ce7c-c558-42cf-989b-4b9f02de0b81" ,
"value" : "https://www.virustotal.com/file/fb8eff8dcf41a4cfd0b5775327a607b76269b725f1b46dc5dd04b1f5e2433ee7/analysis/1397745647/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce7c-16f0-4356-a71d-477302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"description" : "Photos20140215.zip - Xchecked via VT: db6b67704b77d271e40e0259a68ce2224504081545619d33b4909e6e6a385ec6" ,
"pattern" : "[file:hashes.SHA1 = 'f6fdfc3bd51b6ddb317e6920d8bf43bb06b84e7d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce7c-b4ac-4c0e-ab92-4bf302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"description" : "Photos20140215.zip - Xchecked via VT: db6b67704b77d271e40e0259a68ce2224504081545619d33b4909e6e6a385ec6" ,
"pattern" : "[file:hashes.MD5 = 'be0324f6b62794a0cc2d836ae3d3ca4d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59a1ce7c-c8a8-4982-be1c-489702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"first_observed" : "2017-08-26T19:39:40Z" ,
"last_observed" : "2017-08-26T19:39:40Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59a1ce7c-c8a8-4982-be1c-489702de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59a1ce7c-c8a8-4982-be1c-489702de0b81" ,
"value" : "https://www.virustotal.com/file/db6b67704b77d271e40e0259a68ce2224504081545619d33b4909e6e6a385ec6/analysis/1397835917/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce7c-3518-4970-b6c7-4bc002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"description" : "Party_Photos_Packed.zip - Xchecked via VT: b54d547e33b0ea6ba161ac4ce06a50076f1e55a3bc592a0fb56bbc34dc96fd43" ,
"pattern" : "[file:hashes.SHA1 = '0e532e856e5d8e9ed7497a04709a69375bce52c5']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce7c-3570-4889-a5ba-427702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"description" : "Party_Photos_Packed.zip - Xchecked via VT: b54d547e33b0ea6ba161ac4ce06a50076f1e55a3bc592a0fb56bbc34dc96fd43" ,
"pattern" : "[file:hashes.MD5 = 'ae61b4f25bd0101d39eb925e36082802']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59a1ce7c-1ed8-47df-a9b9-425402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"first_observed" : "2017-08-26T19:39:40Z" ,
"last_observed" : "2017-08-26T19:39:40Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59a1ce7c-1ed8-47df-a9b9-425402de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59a1ce7c-1ed8-47df-a9b9-425402de0b81" ,
"value" : "https://www.virustotal.com/file/b54d547e33b0ea6ba161ac4ce06a50076f1e55a3bc592a0fb56bbc34dc96fd43/analysis/1421863355/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce7c-f688-48e0-9763-4b1e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"description" : "Party-pics-201304.zip - Xchecked via VT: 83151fe6980a39eeda961c6a8f0baba13b6da853661ccbf5c7d9a97ec73d1b70" ,
"pattern" : "[file:hashes.SHA1 = '4d5c9a03af619caae4dbeb7dca0a739c2e4babb2']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce7c-68f8-44db-9bb5-409e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"description" : "Party-pics-201304.zip - Xchecked via VT: 83151fe6980a39eeda961c6a8f0baba13b6da853661ccbf5c7d9a97ec73d1b70" ,
"pattern" : "[file:hashes.MD5 = 'cbbadbb5eab890d10ee48853fe9e7781']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59a1ce7c-8e60-4246-a504-443802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"first_observed" : "2017-08-26T19:39:40Z" ,
"last_observed" : "2017-08-26T19:39:40Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59a1ce7c-8e60-4246-a504-443802de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59a1ce7c-8e60-4246-a504-443802de0b81" ,
"value" : "https://www.virustotal.com/file/83151fe6980a39eeda961c6a8f0baba13b6da853661ccbf5c7d9a97ec73d1b70/analysis/1400689562/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce7c-6334-4439-bc93-44f502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"description" : "Photos20140214.zip - Xchecked via VT: 56dda2ed3cd67cadc53f4b9e493c4601e45c5112772ade5b0c36b61858ab7852" ,
"pattern" : "[file:hashes.SHA1 = '8c1e699ef25443cf8857b6eb4c8eb5618186377a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce7c-96b8-475f-be09-48c102de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"description" : "Photos20140214.zip - Xchecked via VT: 56dda2ed3cd67cadc53f4b9e493c4601e45c5112772ade5b0c36b61858ab7852" ,
"pattern" : "[file:hashes.MD5 = '2c77abcc72475c7e0f446f807e14b22a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59a1ce7c-d6fc-416b-9324-43f502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"first_observed" : "2017-08-26T19:39:40Z" ,
"last_observed" : "2017-08-26T19:39:40Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59a1ce7c-d6fc-416b-9324-43f502de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59a1ce7c-d6fc-416b-9324-43f502de0b81" ,
"value" : "https://www.virustotal.com/file/56dda2ed3cd67cadc53f4b9e493c4601e45c5112772ade5b0c36b61858ab7852/analysis/1397837529/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce7c-1950-43f5-893e-4f6402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"description" : "Party-001.jpg.lnk - Xchecked via VT: 774acdc37157e7560eca4a167558780e1cc2f5dfd203cbcb795ec05373d46fe0" ,
"pattern" : "[file:hashes.SHA1 = 'c7becef454d23d2e6b77add4925fed36d38f24c8']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce7c-2eb8-4bc7-aeb6-455d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"description" : "Party-001.jpg.lnk - Xchecked via VT: 774acdc37157e7560eca4a167558780e1cc2f5dfd203cbcb795ec05373d46fe0" ,
"pattern" : "[file:hashes.MD5 = '1ec3ec4af040b71eda4eb1c30116b1a3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59a1ce7c-8008-4639-bce8-4b7a02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"first_observed" : "2017-08-26T19:39:40Z" ,
"last_observed" : "2017-08-26T19:39:40Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59a1ce7c-8008-4639-bce8-4b7a02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59a1ce7c-8008-4639-bce8-4b7a02de0b81" ,
"value" : "https://www.virustotal.com/file/774acdc37157e7560eca4a167558780e1cc2f5dfd203cbcb795ec05373d46fe0/analysis/1426834440/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce7c-cbbc-4984-8e85-419b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"description" : "need help.docx - Xchecked via VT: 192e8925589fa9a7f64cba04817c180e6f26ad080bf0f966a63a3280766b066a" ,
"pattern" : "[file:hashes.SHA1 = '34e2667c67c9ff2ca30c35b03c6acc7a6ad84471']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce7c-ade4-4b9c-b213-46a002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"description" : "need help.docx - Xchecked via VT: 192e8925589fa9a7f64cba04817c180e6f26ad080bf0f966a63a3280766b066a" ,
"pattern" : "[file:hashes.MD5 = '325be1a107e0e20748c19bb243a26b13']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59a1ce7c-d288-48a4-a173-4f6002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"first_observed" : "2017-08-26T19:39:40Z" ,
"last_observed" : "2017-08-26T19:39:40Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59a1ce7c-d288-48a4-a173-4f6002de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59a1ce7c-d288-48a4-a173-4f6002de0b81" ,
"value" : "https://www.virustotal.com/file/192e8925589fa9a7f64cba04817c180e6f26ad080bf0f966a63a3280766b066a/analysis/1503662047/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce7c-b694-4d38-8305-4e0d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"description" : "Party_photos_201612.zip - Xchecked via VT: bdd695363117ba9fb23a7cbcd484d79e7a469c11ab9a6e2ad9a50c678097f100" ,
"pattern" : "[file:hashes.SHA1 = 'cfef71b39afb7b73f33f514a20b5c5b32b5f1012']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce7c-48bc-4081-9523-41a602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"description" : "Party_photos_201612.zip - Xchecked via VT: bdd695363117ba9fb23a7cbcd484d79e7a469c11ab9a6e2ad9a50c678097f100" ,
"pattern" : "[file:hashes.MD5 = '5b3733bfa52e6af1520ad53f93789737']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59a1ce7c-624c-408b-8fb8-42e902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"first_observed" : "2017-08-26T19:39:40Z" ,
"last_observed" : "2017-08-26T19:39:40Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59a1ce7c-624c-408b-8fb8-42e902de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59a1ce7c-624c-408b-8fb8-42e902de0b81" ,
"value" : "https://www.virustotal.com/file/bdd695363117ba9fb23a7cbcd484d79e7a469c11ab9a6e2ad9a50c678097f100/analysis/1499332325/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce7c-cc38-4ce4-a3c9-471702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"description" : "- Xchecked via VT: 9e49d214e2325597b6d648780cf8980f4cc16811b21f586308e3e9866f40d1cd" ,
"pattern" : "[file:hashes.SHA1 = '644a3b395f8d7baaa4aae65e80363bf955698a79']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59a1ce7c-d0b0-4f83-8433-4dfe02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"description" : "- Xchecked via VT: 9e49d214e2325597b6d648780cf8980f4cc16811b21f586308e3e9866f40d1cd" ,
"pattern" : "[file:hashes.MD5 = '7e8bc04a964d33a375c2c970f0697908']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-08-26T19:39:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59a1ce7c-b7b8-474b-bd23-455c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-08-26T19:39:40.000Z" ,
"modified" : "2017-08-26T19:39:40.000Z" ,
"first_observed" : "2017-08-26T19:39:40Z" ,
"last_observed" : "2017-08-26T19:39:40Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59a1ce7c-b7b8-474b-bd23-455c02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59a1ce7c-b7b8-474b-bd23-455c02de0b81" ,
"value" : "https://www.virustotal.com/file/9e49d214e2325597b6d648780cf8980f4cc16811b21f586308e3e9866f40d1cd/analysis/1499333974/"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}