2023-04-21 13:25:09 +00:00
{
2023-06-14 17:31:25 +00:00
"type" : "bundle" ,
"id" : "bundle--5bf7ba12-bec4-4d01-8330-4373950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T15:34:40.000Z" ,
"modified" : "2018-11-23T15:34:40.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5bf7ba12-bec4-4d01-8330-4373950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T15:34:40.000Z" ,
"modified" : "2018-11-23T15:34:40.000Z" ,
"name" : "OSINT - Turla PNG Dropper is back" ,
"published" : "2018-11-23T15:34:53Z" ,
"object_refs" : [
"observed-data--5bf7bb5f-ad9c-4e3d-b6da-4e83950d210f" ,
"url--5bf7bb5f-ad9c-4e3d-b6da-4e83950d210f" ,
"x-misp-attribute--5bf7bb86-3374-4ece-8226-4383950d210f" ,
"observed-data--5bf7bf20-cd9c-48b1-aeb1-4e5b950d210f" ,
"url--5bf7bf20-cd9c-48b1-aeb1-4e5b950d210f" ,
"indicator--5bf7d798-4a08-48f1-9e9c-4744950d210f" ,
"indicator--5bf7d7ce-2514-4e61-ac16-6b24950d210f" ,
"observed-data--5bf7db6d-d5c0-4a23-8aa8-60c4950d210f" ,
"url--5bf7db6d-d5c0-4a23-8aa8-60c4950d210f" ,
"indicator--5bf7df1a-f8d4-46d6-837e-446b950d210f" ,
"indicator--5bf7dad4-098c-4666-9e4d-4958950d210f" ,
"indicator--5bf7db2a-2440-4ed3-ae21-6b24950d210f" ,
"indicator--5bf7e05b-4018-4130-afed-4d90950d210f" ,
"indicator--5bf7e069-2af4-442f-a0c4-4cd4950d210f" ,
"indicator--5bf7e0cb-7f0c-4eef-a610-f5d5950d210f" ,
"indicator--5bf7e0e2-94c8-47df-a0ae-4620950d210f" ,
"indicator--5bf7e123-cbfc-4f9c-a8c0-4064950d210f" ,
"indicator--5bf7e186-6c94-4a68-90a1-493a950d210f" ,
"indicator--5bf7e1c8-5f30-420c-b9e1-f5d5950d210f" ,
"indicator--5bf7e202-29a4-4f46-94cc-fb4f950d210f" ,
"indicator--5bf7e210-29f8-4e5c-964e-37a2950d210f" ,
"indicator--370ee35f-2e62-4fa1-87de-59a36b9ad817" ,
"x-misp-object--003ceafa-e652-4272-89f0-356846947659" ,
"indicator--672a1c55-bfa8-497f-8a1e-a9cbbbe31dd6" ,
"x-misp-object--ebf1d2c1-c387-463f-ac79-5573cec56447" ,
"indicator--07a6a6dc-9c22-4773-8432-cdd60d62f8bc" ,
"x-misp-object--dfee9eb0-06b6-4817-aa43-a2d63f0a49f2" ,
"indicator--b12e81db-47cb-482e-8deb-e6c98261d878" ,
"x-misp-object--cf0b0660-5bc6-4da8-816b-f6133511fbf0"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:threat-actor=\"Turla Group\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5bf7bb5f-ad9c-4e3d-b6da-4e83950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T08:37:10.000Z" ,
"modified" : "2018-11-23T08:37:10.000Z" ,
"first_observed" : "2018-11-23T08:37:10Z" ,
"last_observed" : "2018-11-23T08:37:10Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5bf7bb5f-ad9c-4e3d-b6da-4e83950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5bf7bb5f-ad9c-4e3d-b6da-4e83950d210f" ,
"value" : "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5bf7bb86-3374-4ece-8226-4383950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T08:37:08.000Z" ,
"modified" : "2018-11-23T08:37:08.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "This is a short blog post on the PNG Dropper malware that has been developed and used by the Turla Group. The PNG Dropper was first discovered back in August 2017 by Carbon Black researchers. Back in 2017 it was being used to distribute Snake, but recently NCC Group researchers have uncovered samples with a new payload that we have internally named RegRunnerSvc.\r\n\r\nIt\u00e2\u20ac\u2122s worth noting at this point that there are other components to this infection that we have not managed to obtain. There will be a first stage dropper that will drop and install the PNG Dropper/RegRunnerSvc. Nevertheless, we think that this it is worth documenting this new use of the PNG Dropper."
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5bf7bf20-cd9c-48b1-aeb1-4e5b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T08:49:36.000Z" ,
"modified" : "2018-11-23T08:49:36.000Z" ,
"first_observed" : "2018-11-23T08:49:36Z" ,
"last_observed" : "2018-11-23T08:49:36Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5bf7bf20-cd9c-48b1-aeb1-4e5b950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5bf7bf20-cd9c-48b1-aeb1-4e5b950d210f" ,
"value" : "https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bf7d798-4a08-48f1-9e9c-4744950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T10:34:00.000Z" ,
"modified" : "2018-11-23T10:34:00.000Z" ,
"pattern" : "[rule turla_png_dropper {\r\n meta:\r\n author = \"Ben Humphrey\"\r\n description = \"Detects the PNG Dropper used by the Turla group\"\r\n sha256 = \r\n\"6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27\"\r\n\r\n strings:\r\n $api0 = \"GdiplusStartup\"\r\n $api1 = \"GdipAlloc\"\r\n $api2 = \"GdipCreateBitmapFromStreamICM\"\r\n $api3 = \"GdipBitmapLockBits\"\r\n $api4 = \"GdipGetImageWidth\"\r\n $api5 = \"GdipGetImageHeight\"\r\n $api6 = \"GdiplusShutdown\"\r\n\r\n $code32 = {\r\n 8B 46 3C // mov eax, [esi+3Ch]\r\n B9 0B 01 00 00 // mov ecx, 10Bh\r\n 66 39 4C 30 18 // cmp [eax+esi+18h], cx\r\n 8B 44 30 28 // mov eax, [eax+esi+28h]\r\n 6A 00 // push 0\r\n B9 AF BE AD DE // mov ecx, 0DEADBEAFh\r\n 51 // push ecx\r\n 51 // push ecx\r\n 03 C6 // add eax, esi\r\n 56 // push esi\r\n FF D0 // call eax\r\n }\r\n\r\n $code64 = {\r\n 48 63 43 3C // movsxd rax, dword ptr [rbx+3Ch]\r\n B9 0B 01 00 00 // mov ecx, 10Bh\r\n BA AF BE AD DE // mov edx, 0DEADBEAFh\r\n 66 39 4C 18 18 // cmp [rax+rbx+18h], cx\r\n 8B 44 18 28 // mov eax, [rax+rbx+28h]\r\n 45 33 C9 // xor r9d, r9d\r\n 44 8B C2 // mov r8d, edx\r\n 48 8B CB // mov rcx, rbx\r\n 48 03 C3 // add rax, rbx\r\n FF D0 // call rax\r\n }\r\n\r\n condition:\r\n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and\r\n all of ($api*) and \r\n 1 of ($code*)\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-23T10:34:00Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Payload delivery\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bf7d7ce-2514-4e61-ac16-6b24950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T10:34:54.000Z" ,
"modified" : "2018-11-23T10:34:54.000Z" ,
"pattern" : "[rule turla_png_reg_enum_payload {\r\n meta:\r\n author = \"Ben Humphrey\"\r\n description = \"Payload that has most recently been dropped by the\r\nTurla PNG Dropper\"\r\n shas256 =\r\n\"fea27eb2e939e930c8617dcf64366d1649988f30555f6ee9cd09fe54e4bc22b3\"\r\n\r\n strings:\r\n $crypt00 = \"Microsoft Software Key Storage Provider\" wide\r\n $crypt01 = \"ChainingModeCBC\" wide\r\n $crypt02 = \"AES\" wide\r\n\r\n condition:\r\n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and\r\n pe.imports(\"advapi32.dll\", \"StartServiceCtrlDispatcherA\") and \r\n pe.imports(\"advapi32.dll\", \"RegEnumValueA\") and \r\n pe.imports(\"advapi32.dll\", \"RegEnumKeyExA\") and \r\n pe.imports(\"ncrypt.dll\", \"NCryptOpenStorageProvider\") and \r\n pe.imports(\"ncrypt.dll\", \"NCryptEnumKeys\") and \r\n pe.imports(\"ncrypt.dll\", \"NCryptOpenKey\") and \r\n pe.imports(\"ncrypt.dll\", \"NCryptDecrypt\") and\r\n pe.imports(\"ncrypt.dll\", \"BCryptGenerateSymmetricKey\") and \r\n pe.imports(\"ncrypt.dll\", \"BCryptGetProperty\") and \r\n pe.imports(\"ncrypt.dll\", \"BCryptDecrypt\") and \r\n pe.imports(\"ncrypt.dll\", \"BCryptEncrypt\") and \r\n all of them\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-23T10:34:54Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Payload delivery\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5bf7db6d-d5c0-4a23-8aa8-60c4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T10:50:21.000Z" ,
"modified" : "2018-11-23T10:50:21.000Z" ,
"first_observed" : "2018-11-23T10:50:21Z" ,
"last_observed" : "2018-11-23T10:50:21Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5bf7db6d-d5c0-4a23-8aa8-60c4950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5bf7db6d-d5c0-4a23-8aa8-60c4950d210f" ,
"value" : "https://github.com/carbonblack/threat-research-tools/tree/master/png_extract"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bf7df1a-f8d4-46d6-837e-446b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T11:06:02.000Z" ,
"modified" : "2018-11-23T11:06:02.000Z" ,
"pattern" : "[rule PNG_dropper:RU TR APT\r\n\r\n{\r\n\r\n meta:\r\n\r\n author = \u00e2\u20ac\u0153CarbonBlack Threat Research\u00e2\u20ac\u009d\r\n\r\n date = \u00e2\u20ac\u01532017-June-11\u00e2\u20ac\u009d\r\n\r\n description = \u00e2\u20ac\u0153Dropper tool that extracts payload from PNG resources\u00e2\u20ac\u009d\r\n\r\n yara_version = \u00e2\u20ac\u01533.5.0\u00e2\u20ac\u009d\r\n\r\n exemplar_hashes = \u00e2\u20ac\u01533a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3, 69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290, eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158 \u00e2\u20ac\u0153\r\n\r\n strings:\r\n\r\n$s1 = \u00e2\u20ac\u0153GdipGetImageWidth\u00e2\u20ac\u009d\r\n\r\n$s2 = \u00e2\u20ac\u0153GdipGetImageHeight\u00e2\u20ac\u009d\r\n\r\n$s3 = \u00e2\u20ac\u0153GdipCreateBitmapFromStream\u00e2\u20ac\u009d\r\n\r\n$s4 = \u00e2\u20ac\u0153GdipCreateBitmapFromStreamICM\u00e2\u20ac\u009d\r\n\r\n$s5 = \u00e2\u20ac\u0153GdipBitmapLockBits\u00e2\u20ac\u009d\r\n\r\n$s6 = \u00e2\u20ac\u0153GdipBitmapUnlockBits\u00e2\u20ac\u009d\r\n\r\n$s7 = \u00e2\u20ac\u0153LockResource\u00e2\u20ac\u009d\r\n\r\n$s8 = \u00e2\u20ac\u0153LoadResource\u00e2\u20ac\u009d\r\n\r\n$s9 = \u00e2\u20ac\u0153ExpandEnvironmentStringsW\u00e2\u20ac\u009d\r\n\r\n$s10 = \u00e2\u20ac\u0153SetFileTime\u00e2\u20ac\u009d\r\n\r\n$s11 = \u00e2\u20ac\u0153memcmp\u00e2\u20ac\u009d\r\n\r\n$s12 = \u00e2\u20ac\u0153strlen\u00e2\u20ac\u009d\r\n\r\n$s13 = \u00e2\u20ac\u0153memcpy\u00e2\u20ac\u009d\r\n\r\n$s14 = \u00e2\u20ac\u0153memchr\u00e2\u20ac\u009d\r\n\r\n$s15 = \u00e2\u20ac\u0153memmove\u00e2\u20ac\u009d\r\n\r\n$s16 = \u00e2\u20ac\u0153ZwQueryValueKey\u00e2\u20ac\u009d\r\n\r\n$s17 = \u00e2\u20ac\u0153ZwQueryInformationProcess\u00e2\u20ac\u009d\r\n\r\n$s18 = \u00e2\u20ac\u0153FindNextFile\u00e2\u20ac\u009d\r\n\r\n$s19 = \u00e2\u20ac\u0153GetModuleHandle\u00e2\u20ac\u009d\r\n\r\n$s20 = \u00e2\u20ac\u0153VirtualFree\u00e2\u20ac\u009d\r\n\r\n$PNG1 = {89 50 4E 47 [8] 49 48 44 52} //PNG Header\r\n\r\n$bin32_bit1 = {50 68 07 10 06 00 6A 07 8?} //BitmapLockBits_x86\r\n\r\n$bin64_bit1 = {41 B? 07 10 06 00} //BitmapLockBits_x64\r\n\r\n$bin64_bit2 = {41 B? 07 00 00 00}//BitmapLockBits_x64\r\n\r\n$bin32_virt1 = {6A 40 68 00 10 00 00 50 53} //VirtualAlloc_x86\r\n\r\n$bin64_virt1 = {40 41 B? 00 10 00 00}//VirtualAlloc_x64\r\n\r\n \r\n\r\n condition:\r\n\r\n uint16(0) == 0x5A4D and// MZ header check\r\n\r\n filesize < 6MB and\r\n\r\n 18 of ($s*) and\r\n\r\n (#PNG1 > 7) and\r\n\r\n//checks for multiple PNG headers\r\n\r\n ((#bin32_bit1 > 1 and $bin32_virt1) or\r\n\r\n//More than 1 of $bin32_bit and $bi32_virt1\r\n\r\n (for 1 of ($bin64_bit*) : (# > 2) and $bin64_virt1))\r\n\r\n//1 of $bin64_bit \u00e2\u20ac\u201c present more that 2 times and $bin64_Virt1\r\n\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-23T11:06:02Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Payload delivery\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bf7dad4-098c-4666-9e4d-4958950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T10:47:48.000Z" ,
"modified" : "2018-11-23T10:47:48.000Z" ,
"description" : "PNG Dropper" ,
"pattern" : "[file:hashes.SHA256 = '6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-23T10:47:48Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bf7db2a-2440-4ed3-ae21-6b24950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T10:49:14.000Z" ,
"modified" : "2018-11-23T10:49:14.000Z" ,
"description" : "Payload contained in the PNG dropper" ,
"pattern" : "[file:hashes.SHA256 = 'fea27eb2e939e930c8617dcf64366d1649988f30555f6ee9cd09fe54e4bc22b3' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-23T10:49:14Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bf7e05b-4018-4130-afed-4d90950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T11:11:23.000Z" ,
"modified" : "2018-11-23T11:11:23.000Z" ,
"pattern" : "[file:hashes.MD5 = 'f84aa30676d2c05ed290b43c4c1e2d4c' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-23T11:11:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bf7e069-2af4-442f-a0c4-4cd4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T11:11:37.000Z" ,
"modified" : "2018-11-23T11:11:37.000Z" ,
"pattern" : "[file:hashes.MD5 = 'ae2ec6d8e455c674d5486ce198d4d46e' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-23T11:11:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bf7e0cb-7f0c-4eef-a610-f5d5950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T11:13:15.000Z" ,
"modified" : "2018-11-23T11:13:15.000Z" ,
"pattern" : "[file:hashes.MD5 = '7a1a174dd24d3f88454615102a074600' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-23T11:13:15Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bf7e0e2-94c8-47df-a0ae-4620950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T11:13:38.000Z" ,
"modified" : "2018-11-23T11:13:38.000Z" ,
"pattern" : "[file:hashes.SHA1 = '645985805780510670092469b7627a23803eefd1' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-23T11:13:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bf7e123-cbfc-4f9c-a8c0-4064950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T11:14:43.000Z" ,
"modified" : "2018-11-23T11:14:43.000Z" ,
"pattern" : "[file:hashes.SHA1 = '17941a20d86c9518c168c7f765785095a57246a3' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-23T11:14:43Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bf7e186-6c94-4a68-90a1-493a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T11:16:22.000Z" ,
"modified" : "2018-11-23T11:16:22.000Z" ,
"pattern" : "[file:hashes.SHA1 = 'ba221b85c1923866ce2ec3cd0824970216052c82' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-23T11:16:22Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bf7e1c8-5f30-420c-b9e1-f5d5950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T11:17:28.000Z" ,
"modified" : "2018-11-23T11:17:28.000Z" ,
"pattern" : "[file:hashes.SHA256 = 'eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-23T11:17:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bf7e202-29a4-4f46-94cc-fb4f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T11:18:26.000Z" ,
"modified" : "2018-11-23T11:18:26.000Z" ,
"pattern" : "[file:hashes.SHA256 = '69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-23T11:18:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bf7e210-29f8-4e5c-964e-37a2950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T11:18:40.000Z" ,
"modified" : "2018-11-23T11:18:40.000Z" ,
"pattern" : "[file:hashes.SHA256 = '3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-23T11:18:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--370ee35f-2e62-4fa1-87de-59a36b9ad817" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T15:34:07.000Z" ,
"modified" : "2018-11-23T15:34:07.000Z" ,
"pattern" : "[file:hashes.MD5 = '7a1a174dd24d3f88454615102a074600' AND file:hashes.SHA1 = '645985805780510670092469b7627a23803eefd1' AND file:hashes.SHA256 = 'eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-23T15:34:07Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--003ceafa-e652-4272-89f0-356846947659" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T15:34:09.000Z" ,
"modified" : "2018-11-23T15:34:09.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-10-17T23:41:05" ,
"category" : "Other" ,
"uuid" : "ded701b7-f8e5-4a51-94eb-9509c5a5f6c7"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158/analysis/1539819665/" ,
"category" : "External analysis" ,
"uuid" : "2b06642b-d74e-4910-9a74-980fdb5cebb3"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "48/67" ,
"category" : "Other" ,
"uuid" : "2a5f6f23-8854-48fd-bb7c-dda116812263"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--672a1c55-bfa8-497f-8a1e-a9cbbbe31dd6" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T15:34:10.000Z" ,
"modified" : "2018-11-23T15:34:10.000Z" ,
"pattern" : "[file:hashes.MD5 = 'f84aa30676d2c05ed290b43c4c1e2d4c' AND file:hashes.SHA1 = '17941a20d86c9518c168c7f765785095a57246a3' AND file:hashes.SHA256 = '69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-23T15:34:10Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--ebf1d2c1-c387-463f-ac79-5573cec56447" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T15:34:11.000Z" ,
"modified" : "2018-11-23T15:34:11.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-09-27T23:11:14" ,
"category" : "Other" ,
"uuid" : "6443cb5d-0517-4dda-b7b7-7eb5d39ae7fa"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290/analysis/1538089874/" ,
"category" : "External analysis" ,
"uuid" : "3e316cfb-ba54-4612-9ee6-20204adc750d"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "24/68" ,
"category" : "Other" ,
"uuid" : "e2c20e0f-18f6-4fbf-86ad-f0d025f17266"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--07a6a6dc-9c22-4773-8432-cdd60d62f8bc" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T15:34:12.000Z" ,
"modified" : "2018-11-23T15:34:12.000Z" ,
"pattern" : "[file:hashes.MD5 = 'ae2ec6d8e455c674d5486ce198d4d46e' AND file:hashes.SHA1 = 'ba221b85c1923866ce2ec3cd0824970216052c82' AND file:hashes.SHA256 = '3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-23T15:34:12Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--dfee9eb0-06b6-4817-aa43-a2d63f0a49f2" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T15:34:14.000Z" ,
"modified" : "2018-11-23T15:34:14.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-10-17T04:41:54" ,
"category" : "Other" ,
"uuid" : "a4daa13a-1374-4259-af44-d8c88ea2cc58"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3/analysis/1539751314/" ,
"category" : "External analysis" ,
"uuid" : "a305ca88-cd28-4233-af68-b4def8e76110"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "45/67" ,
"category" : "Other" ,
"uuid" : "ad12f987-16cf-453d-8e0f-bd6d3758823d"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--b12e81db-47cb-482e-8deb-e6c98261d878" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T15:34:15.000Z" ,
"modified" : "2018-11-23T15:34:15.000Z" ,
"pattern" : "[file:hashes.MD5 = 'd2e8e75c30dccd98a95d25b218ba7d2e' AND file:hashes.SHA1 = '72997e699d6c7cd5a2409535bfdef58695ed46fa' AND file:hashes.SHA256 = '6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-23T15:34:15Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--cf0b0660-5bc6-4da8-816b-f6133511fbf0" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-23T15:34:16.000Z" ,
"modified" : "2018-11-23T15:34:16.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-11-23T13:40:06" ,
"category" : "Other" ,
"uuid" : "9797ab40-8d7c-4a60-ab23-f6f99e9492b0"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27/analysis/1542980406/" ,
"category" : "External analysis" ,
"uuid" : "2817750f-5b18-463e-baa8-19fba2fb0765"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "47/69" ,
"category" : "Other" ,
"uuid" : "164f9a1b-2a21-40de-be22-762bb37ab16e"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
2023-04-21 13:25:09 +00:00
]
}