{
"type" : "bundle" ,
"id" : "bundle--5a329d19-03e0-4eaa-8b4d-4310950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-13T03:00:52.000Z" ,
"modified" : "2018-01-13T03:00:52.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5a329d19-03e0-4eaa-8b4d-4310950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-13T03:00:52.000Z" ,
"modified" : "2018-01-13T03:00:52.000Z" ,
"name" : "OSINT - Attackers Deploy New ICS Attack Framework \u201cTRITON\u201d and Cause Operational Disruption to Critical Infrastructure" ,
"published" : "2018-02-16T08:45:42Z" ,
"object_refs" : [
"x-misp-attribute--5a329d36-5584-4ad4-9110-9267950d210f" ,
"observed-data--5a329d83-6bcc-4736-b576-2965950d210f" ,
"url--5a329d83-6bcc-4736-b576-2965950d210f" ,
"indicator--5a329e18-c1bc-42ab-a0ce-4ec9950d210f" ,
"observed-data--5a32a070-b0a4-474f-9bfc-ff9b950d210f" ,
"file--5a32a070-b0a4-474f-9bfc-ff9b950d210f" ,
"artifact--5a32a070-b0a4-474f-9bfc-ff9b950d210f" ,
"indicator--5a329e5c-3c30-4479-8f9f-2a67950d210f" ,
"indicator--5a329e91-1290-4a62-b508-4925950d210f" ,
"indicator--5a329eba-7948-4b75-91de-2b04950d210f" ,
"indicator--5a329eeb-e7ac-4084-9454-4bec950d210f" ,
"indicator--5a329f19-9c64-4780-b20c-9267950d210f" ,
"indicator--5a329f4f-cdac-4595-a728-2b04950d210f" ,
"indicator--5a329f96-7da4-43bc-9c4d-2b05950d210f" ,
"indicator--5a32a014-88ac-4798-8647-2b04950d210f" ,
"indicator--5a32a032-9bc0-4803-8608-2d89950d210f" ,
"indicator--5ecdb8e9-1d4c-4890-91cf-4afba4c0dfc5" ,
"x-misp-object--d48d9e02-0841-488c-bdb3-76402d3e6543" ,
"relationship--d50d3d4e-765f-4b80-ac76-7e6b9b783f81" ,
"relationship--eb43584f-cb1a-4623-bcfc-cc3b0d07361f"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"circl:topic=\"industry\"" ,
"veris:asset:variety=\"S - SCADA\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5a329d36-5584-4ad4-9110-9267950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-14T16:10:04.000Z" ,
"modified" : "2017-12-14T16:10:04.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\"" ,
"osint:certainty=\"93\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes. We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack.\r\n\r\nTRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. TRITON is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence."
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5a329d83-6bcc-4736-b576-2965950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-14T16:10:04.000Z" ,
"modified" : "2017-12-14T16:10:04.000Z" ,
"first_observed" : "2017-12-14T16:10:04Z" ,
"last_observed" : "2017-12-14T16:10:04Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5a329d83-6bcc-4736-b576-2965950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\"" ,
"osint:certainty=\"93\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5a329d83-6bcc-4736-b576-2965950d210f" ,
"value" : "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a329e18-c1bc-42ab-a0ce-4ec9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-14T16:10:04.000Z" ,
"modified" : "2017-12-14T16:10:04.000Z" ,
"pattern" : "[rule TRITON_ICS_FRAMEWORK\r\n{\r\n meta:\r\n author = \"nicholas.carr @itsreallynick\"\r\n md5 = \"0face841f7b2953e7c29c064d6886523\"\r\n description = \"TRITON framework recovered during Mandiant ICS incident response\"\r\n strings:\r\n $python_compiled = \".pyc\" nocase ascii wide\r\n $python_module_01 = \"__module__\" nocase ascii wide\r\n $python_module_02 = \"<module>\" nocase ascii wide\r\n $python_script_01 = \"import Ts\" nocase ascii wide\r\n $python_script_02 = \"def ts_\" nocase ascii wide \r\n\r\n $py_cnames_01 = \"TS_cnames.py\" nocase ascii wide\r\n $py_cnames_02 = \"TRICON\" nocase ascii wide\r\n $py_cnames_03 = \"TriStation \" nocase ascii wide\r\n $py_cnames_04 = \" chassis \" nocase ascii wide \r\n\r\n $py_tslibs_01 = \"GetCpStatus\" nocase ascii wide\r\n $py_tslibs_02 = \"ts_\" ascii wide\r\n $py_tslibs_03 = \" sequence\" nocase ascii wide\r\n $py_tslibs_04 = /import Ts(Hi|Low|Base)[^:alpha:]/ nocase ascii wide\r\n $py_tslibs_05 = /module\\s?version/ nocase ascii wide\r\n $py_tslibs_06 = \"bad \" nocase ascii wide\r\n $py_tslibs_07 = \"prog_cnt\" nocase ascii wide \r\n\r\n $py_tsbase_01 = \"TsBase.py\" nocase ascii wide\r\n $py_tsbase_02 = \".TsBase(\" nocase ascii wide \r\n \r\n $py_tshi_01 = \"TsHi.py\" nocase ascii wide\r\n $py_tshi_02 = \"keystate\" nocase ascii wide\r\n $py_tshi_03 = \"GetProjectInfo\" nocase ascii wide\r\n $py_tshi_04 = \"GetProgramTable\" nocase ascii wide\r\n $py_tshi_05 = \"SafeAppendProgramMod\" nocase ascii wide\r\n $py_tshi_06 = \".TsHi(\" ascii nocase wide \r\n\r\n $py_tslow_01 = \"TsLow.py\" nocase ascii wide\r\n $py_tslow_02 = \"print_last_error\" ascii nocase wide\r\n $py_tslow_03 = \".TsLow(\" ascii nocase wide\r\n $py_tslow_04 = \"tcm_\" ascii wide\r\n $py_tslow_05 = \" TCM found\" nocase ascii wide \r\n\r\n $py_crc_01 = \"crc.pyc\" nocase ascii wide\r\n $py_crc_02 = \"CRC16_MODBUS\" ascii wide\r\n $py_crc_03 = \"Kotov Alaxander\" nocase ascii wide\r\n $py_crc_04 = \"CRC_CCITT_XMODEM\" ascii 
wide\r\n $py_crc_05 = \"crc16ret\" ascii wide\r\n $py_crc_06 = \"CRC16_CCITT_x1D0F\" ascii wide\r\n $py_crc_07 = /CRC16_CCITT[^_]/ ascii wide \r\n\r\n $py_sh_01 = \"sh.pyc\" nocase ascii wide \r\n\r\n $py_keyword_01 = \" FAILURE\" ascii wide\r\n $py_keyword_02 = \"symbol table\" nocase ascii wide \r\n\r\n $py_TRIDENT_01 = \"inject.bin\" ascii nocase wide\r\n $py_TRIDENT_02 = \"imain.bin\" ascii nocase wide \r\n\r\n condition:\r\n 2 of ($python_*) and 7 of ($py_*) and filesize < 3MB\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-14T16:10:04Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5a32a070-b0a4-474f-9bfc-ff9b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-14T16:10:04.000Z" ,
"modified" : "2017-12-14T16:10:04.000Z" ,
"first_observed" : "2017-12-14T16:10:04Z" ,
"last_observed" : "2017-12-14T16:10:04Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5a32a070-b0a4-474f-9bfc-ff9b950d210f" ,
"artifact--5a32a070-b0a4-474f-9bfc-ff9b950d210f"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5a32a070-b0a4-474f-9bfc-ff9b950d210f" ,
"name" : "Fig4.png" ,
"content_ref" : "artifact--5a32a070-b0a4-474f-9bfc-ff9b950d210f"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--5a32a070-b0a4-474f-9bfc-ff9b950d210f" ,
"payload_bin" : " i V B O R w 0 K G g o A A A A N S U h E U g A A A 88 A A A E m C A Y A A A B c X 6 K g A A A A A X N S R 0 I A r s 4 c 6 Q A A A A l w S F l z A A A X E g A A F x I B Z 5 / S U g A A Q A B J R E F U e A H s v Q e 4 X d d 5 n v m f d j t 67 x 0 g S K I Q I A k W E e y k K J G S b F l y k + P E T i b O j B T H m o z t x H a c x 49 L P H E y s S 15 b E f W x H 4 S K 1 Y k W S R F s f c C s A B E I d F 77 x 23 n T b v 96 + z 770 A S Z G S S Q G g / n V x z t l 79 f V t P H u t b / 1 l 5 f b t P 1 i 3 C I F A I B A I B A K B Q C A Q C A Q C g U A g E A g E A o F A I P A W B H I 5 s 1 K p y f J v S Y m I Q C A Q C A Q C g U A g E A g E A o F A I B A I B A K B Q C A Q O A e B I M / n w B E 3 g U A g E A g E A o F A I B A I B A K B Q C A Q C A Q C g c B b E Q j y / F Z M I i Y Q C A Q C g U A g E A g E A o F A I B A I B A K B Q C A Q O A e B I M / n w B E 3 g U A g E A g E A o F A I B A I B A K B Q C A Q C A Q C g c B b E Q j y / F Z M I i Y Q C A Q C g U A g E A g E A o F A I B A I B A K B Q C A Q O A e B I M / n w B E 3 g U A g E A g E A o F A I B A I B A K B Q C A Q C A Q C g c B b E Q j y / F Z M I i Y Q C A Q C g U A g E A g E A o F A I B A I B A K B Q C A Q O A e B I M / n w B E 3 g U A g E A g E A o F A I B A I B A K B Q C A Q C A Q C g c B b E Q j y / F Z M I i Y Q C A Q C g U A g E A g E L m U E c u d 1 X v f n x 52 X J W 4 / Y A T i G X z A A E f 1 g U A g 8 M N A I M j z D w P l a C M Q C A Q C g U A g E A g E f i g I 5 J w l n 8 u U U 9 w P p f l L u p E 6 v a / X 9 d 3 / 6 z f / 0 C / q V L 3 x H P 6 h Q E b 5 Q C A Q u N A I B H m + 0E8 g 2 g 8 E A o F A I B A I B A K B 7 w u B c w h e g + x l F d T q t b c Q w G q 1 a j k 44 b m U O i s R v x k C u V z O 8 r m 845 f P s 0 T M A O P 3 H 0 J 8 v V 7 L W 63 W / 2 y y N u M 3 E A g E A o F L C Y H i p d T Z 6 G s g E A g E A o F A I B A I B A I i Y y L Q T v S s I d U k T k F p J B L b u O Y 3 n 88 Z t K 3 B B T N G q N w R B i I g T P W X 4 d q X B p g 1 / n 4 Q A u 118 k x 4 Y u n Z 9 F U a F 
4 F A I B A I X H o I h O T 50 n t m 0 e N A I B A I B A K B Q O B H D w E R O z 4 K A 4 m z Z K I i e + c E k T U n b I l k J 7 m p S H P e C W B W z z l l 4 g Z s 0 o Z D H T F 9 v Q b W + t f A / Q c h z n 1 l B j y 7 g D k Q C A Q C g U s Z g f N m m 0 t 5 K N H 3 Q C A Q C A Q C g U A g E P i R Q C C E x x / M Y x a u 2 p / Q 54 P G + I O u / 4 N B K G o N B A K B H 3 E E g j z / i P 8 H i O E H A o F A I B A I B A K X B A I N a b L 6 m p f 9 L L b N S b J Z 92 v F Z 1 J S c T 8 F z 0 M 5 x S u v V I f 156 r d K U t 8 D 0 S g D k b g B V C O s e M 2 A P e B W d / L d Y a 1 a w G g O q 96 s 2 f x X s p H n k A g E A g E L j Y E g j x f b E 8 k + h M I B A K B Q C A Q C A Q C b 0 V g g O p v R s p E j m F j f W T Y S Z r I 3 n m l F a 8 y 5 H b y d l 5 y 3 D Y Q c I w a m x I Z x m n T I V N 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
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a329e5c-3c30-4479-8f9f-2a67950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-19T09:03:23.000Z" ,
"modified" : "2017-12-19T09:03:23.000Z" ,
"pattern" : "[file:hashes.MD5 = '6c39c3f4a08d3d78f2eb973a94bd7718' AND file:hashes.SHA256 = 'e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230' AND file:name = 'trilog.exe' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-19T09:03:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a329e91-1290-4a62-b508-4925950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-19T09:03:45.000Z" ,
"modified" : "2017-12-19T09:03:45.000Z" ,
"pattern" : "[file:hashes.MD5 = '437f135ba179959a580412e564d3107f' AND file:hashes.SHA256 = '08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949' AND file:name = 'imain.bin' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-19T09:03:45Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a329eba-7948-4b75-91de-2b04950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-19T09:05:58.000Z" ,
"modified" : "2017-12-19T09:05:58.000Z" ,
"pattern" : "[file:hashes.MD5 = '0544d425c7555dc4e9d76b571f31f500' AND file:hashes.SHA256 = '5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14' AND file:name = 'inject.bin' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-19T09:05:58Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a329eeb-e7ac-4084-9454-4bec950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-19T09:06:36.000Z" ,
"modified" : "2017-12-19T09:06:36.000Z" ,
"pattern" : "[file:hashes.MD5 = '0face841f7b2953e7c29c064d6886523' AND file:hashes.SHA256 = 'bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59' AND file:name = 'library.zip' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-19T09:06:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a329f19-9c64-4780-b20c-9267950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-19T09:07:03.000Z" ,
"modified" : "2017-12-19T09:07:03.000Z" ,
"pattern" : "[file:hashes.MD5 = 'e98f4f3505f05bf90e17554fbc97bba9' AND file:hashes.SHA256 = '2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326' AND file:name = 'TS_cnames.pyc' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-19T09:07:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a329f4f-cdac-4595-a728-2b04950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-19T09:07:32.000Z" ,
"modified" : "2017-12-19T09:07:32.000Z" ,
"pattern" : "[file:hashes.MD5 = '288166952f934146be172f6353e9a1f5' AND file:hashes.SHA256 = '1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42' AND file:name = 'TsBase.pyc' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-19T09:07:32Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a329f96-7da4-43bc-9c4d-2b05950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-19T09:07:51.000Z" ,
"modified" : "2017-12-19T09:07:51.000Z" ,
"pattern" : "[file:hashes.MD5 = '27c69aa39024d21ea109cc9c9d944a04' AND file:hashes.SHA256 = '758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272' AND file:name = 'TsHi.pyc' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-19T09:07:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a32a014-88ac-4798-8647-2b04950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-19T09:08:10.000Z" ,
"modified" : "2017-12-19T09:08:10.000Z" ,
"pattern" : "[file:hashes.MD5 = 'f6b3a73c8c87506acda430671360ce15' AND file:hashes.SHA256 = '5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32' AND file:name = 'TsLow.pyc' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-19T09:08:10Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a32a032-9bc0-4803-8608-2d89950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-19T09:08:29.000Z" ,
"modified" : "2017-12-19T09:08:29.000Z" ,
"pattern" : "[file:hashes.MD5 = '8b675db417cc8b23f4c43f3de5c83438' AND file:hashes.SHA256 = 'c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1' AND file:name = 'sh.pyc' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-19T09:08:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5ecdb8e9-1d4c-4890-91cf-4afba4c0dfc5" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-14T16:10:07.000Z" ,
"modified" : "2017-12-14T16:10:07.000Z" ,
"pattern" : "[file:hashes.MD5 = '6c39c3f4a08d3d78f2eb973a94bd7718' AND file:hashes.SHA1 = 'dc81f383624955e0c0441734f9f1dabfe03f373c' AND file:hashes.SHA256 = 'e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-14T16:10:07Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--d48d9e02-0841-488c-bdb3-76402d3e6543" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-12-14T16:10:04.000Z" ,
"modified" : "2017-12-14T16:10:04.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230/analysis/1513264635/" ,
"category" : "External analysis" ,
"uuid" : "5a32a25c-3990-410f-b677-46fc02de0b81"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "1/66" ,
"category" : "Other" ,
"uuid" : "5a32a25d-0afc-4393-8b3e-477a02de0b81"
} ,
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2017-12-14T15:17:15" ,
"category" : "Other" ,
"uuid" : "5a32a25d-eb14-43a2-a1a5-48b002de0b81"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--d50d3d4e-765f-4b80-ac76-7e6b9b783f81" ,
"created" : "2018-02-16T08:45:41.000Z" ,
"modified" : "2018-02-16T08:45:41.000Z" ,
"relationship_type" : "uses" ,
"source_ref" : "indicator--5a329e5c-3c30-4479-8f9f-2a67950d210f" ,
"target_ref" : "indicator--5a329eeb-e7ac-4084-9454-4bec950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--eb43584f-cb1a-4623-bcfc-cc3b0d07361f" ,
"created" : "2018-02-16T08:45:42.000Z" ,
"modified" : "2018-02-16T08:45:42.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--5ecdb8e9-1d4c-4890-91cf-4afba4c0dfc5" ,
"target_ref" : "x-misp-object--d48d9e02-0841-488c-bdb3-76402d3e6543"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}