{
"type": "bundle",
"id": "bundle--54cb3580-cde4-4b39-bf8c-443f950d210b",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-30T07:44:01.000Z",
"modified": "2015-01-30T07:44:01.000Z",
"name": "CthulhuSPRL.be",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--54cb3580-cde4-4b39-bf8c-443f950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-30T07:44:01.000Z",
"modified": "2015-01-30T07:44:01.000Z",
"name": "OSINT New 'f0xy' malware is intelligent - employs cunning stealth & trickery from Websense",
"published": "2016-02-22T14:40:25Z",
"object_refs": [
"x-misp-attribute--54cb358c-2360-4acd-ab3c-de9b950d210b",
|
||
|
"observed-data--54cb3594-3d30-40d0-a49f-cf08950d210b",
|
||
|
"url--54cb3594-3d30-40d0-a49f-cf08950d210b",
|
||
|
"indicator--54cb35c2-dc18-4a6f-88c0-05f5950d210b",
|
||
|
"indicator--54cb35c2-5204-42c6-b115-05f5950d210b",
|
||
|
"indicator--54cb35c3-c3e4-44be-b112-05f5950d210b",
|
||
|
"indicator--54cb35c3-b894-4128-8f54-05f5950d210b",
|
||
|
"indicator--54cb35c3-7d8c-484c-af92-05f5950d210b",
|
||
|
"indicator--54cb35c3-b0bc-4486-9a2b-05f5950d210b",
|
||
|
"indicator--54cb35c3-7f58-4d2c-9f87-05f5950d210b",
|
||
|
"indicator--54cb35c3-db14-4dcc-805a-05f5950d210b",
|
||
|
"indicator--54cb35c3-10dc-4465-a0cd-05f5950d210b",
|
||
|
"indicator--54cb35c3-ad38-4403-9de4-05f5950d210b",
|
||
|
"indicator--54cb35c3-8268-473b-b22a-05f5950d210b",
|
||
|
"indicator--54cb35c3-2828-425d-a232-05f5950d210b",
|
||
|
"indicator--54cb35d5-6090-4c3e-8660-c32e950d210b",
|
||
|
"indicator--54cb35eb-a9f0-4877-8ad1-4b9d950d210b",
|
||
|
"indicator--54cb35eb-bcb8-4b6a-8d62-49d9950d210b",
|
||
|
"indicator--54cb360e-7f00-4311-aed4-4505950d210b",
|
||
|
"indicator--54cb361c-7c88-4d35-b0e0-cf08950d210b",
|
||
|
"x-misp-attribute--54cb3641-6244-4691-98b0-8154950d210b",
|
||
|
"indicator--56c64ee5-9114-4be4-b1e4-4ebc950d210f",
|
||
|
"indicator--56c64ee7-05e8-4d4d-814e-59a0950d210f",
|
||
|
"indicator--56c64ee9-1378-4314-852a-c654950d210f",
|
||
|
"indicator--56c64eeb-a314-4f12-b561-4c62950d210f",
|
||
|
"indicator--56c64eec-6798-4b97-a239-5f51950d210f",
|
||
|
"indicator--56c64ef0-65e4-42d1-bcd9-599c950d210f",
|
||
|
"indicator--56c64ee6-e9f0-4c93-81f4-599e950d210f",
|
||
|
"indicator--56c64ee7-9ad4-4c88-a202-4028950d210f",
|
||
|
"indicator--56c64ee9-fd34-418d-979b-5ca1950d210f",
|
||
|
"indicator--56c64eeb-e2fc-420e-afe8-59a0950d210f",
|
||
|
"indicator--56c64eee-d864-4b3c-8999-59a4950d210f",
|
||
|
"indicator--56c64ef1-a8d8-4d2a-a63f-47c0950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"type:OSINT"
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--54cb358c-2360-4acd-ab3c-de9b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-30T07:41:00.000Z",
|
||
|
"modified": "2015-01-30T07:41:00.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "f0xy"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--54cb3594-3d30-40d0-a49f-cf08950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-30T07:41:08.000Z",
|
||
|
"modified": "2015-01-30T07:41:08.000Z",
|
||
|
"first_observed": "2015-01-30T07:41:08Z",
|
||
|
"last_observed": "2015-01-30T07:41:08Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--54cb3594-3d30-40d0-a49f-cf08950d210b"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--54cb3594-3d30-40d0-a49f-cf08950d210b",
|
||
|
"value": "http://community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54cb35c2-dc18-4a6f-88c0-05f5950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-30T07:41:54.000Z",
|
||
|
"modified": "2015-01-30T07:41:54.000Z",
|
||
|
"pattern": "[file:hashes.SHA1 = '080c61c9172cd49f6e4e7ef27285ccaaf6d5f0ac']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-30T07:41:54Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54cb35c2-5204-42c6-b115-05f5950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-30T07:41:54.000Z",
|
||
|
"modified": "2015-01-30T07:41:54.000Z",
|
||
|
"pattern": "[file:hashes.SHA1 = 'c25da337ec5ac041312b062e7fb697e4f01ca8d9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-30T07:41:54Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54cb35c3-c3e4-44be-b112-05f5950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-30T07:41:55.000Z",
|
||
|
"modified": "2015-01-30T07:41:55.000Z",
|
||
|
"pattern": "[file:hashes.SHA1 = 'cd4e297928502dece4545acbe0b94dd1270f955c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-30T07:41:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54cb35c3-b894-4128-8f54-05f5950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-30T07:41:55.000Z",
|
||
|
"modified": "2015-01-30T07:41:55.000Z",
|
||
|
"pattern": "[file:hashes.SHA1 = 'adbf0e4d37e381fe7599695561262d1a65205317']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-30T07:41:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54cb35c3-7d8c-484c-af92-05f5950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-30T07:41:55.000Z",
|
||
|
"modified": "2015-01-30T07:41:55.000Z",
|
||
|
"pattern": "[file:hashes.SHA1 = '54d2810aaae67da9fa24f4e11f4c2d5fe4d2b6d4']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-30T07:41:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54cb35c3-b0bc-4486-9a2b-05f5950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-30T07:41:55.000Z",
|
||
|
"modified": "2015-01-30T07:41:55.000Z",
|
||
|
"pattern": "[file:hashes.SHA1 = '7de3ed8f751a528fde1688d35c6eb5533b09ae11']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-30T07:41:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54cb35c3-7f58-4d2c-9f87-05f5950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-30T07:41:55.000Z",
|
||
|
"modified": "2015-01-30T07:41:55.000Z",
|
||
|
"pattern": "[file:hashes.SHA1 = '812e453c22e1a9f70b605cd27d3f642c3778d96d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-30T07:41:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54cb35c3-db14-4dcc-805a-05f5950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-30T07:41:55.000Z",
|
||
|
"modified": "2015-01-30T07:41:55.000Z",
|
||
|
"pattern": "[file:hashes.SHA1 = '55c9d015b1f8d68e6b5ce150f2dbab2b621dac1c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-30T07:41:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54cb35c3-10dc-4465-a0cd-05f5950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-30T07:41:55.000Z",
|
||
|
"modified": "2015-01-30T07:41:55.000Z",
|
||
|
"pattern": "[file:hashes.SHA1 = 'e80d7f27405ece2697a05d6c2612c63335851490']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-30T07:41:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54cb35c3-ad38-4403-9de4-05f5950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-30T07:41:55.000Z",
|
||
|
"modified": "2015-01-30T07:41:55.000Z",
|
||
|
"pattern": "[file:hashes.SHA1 = 'f4f1d8bceb62c72f2fe6713c5395555917fc40ad']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-30T07:41:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54cb35c3-8268-473b-b22a-05f5950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-30T07:41:55.000Z",
|
||
|
"modified": "2015-01-30T07:41:55.000Z",
|
||
|
"pattern": "[file:hashes.SHA1 = '2a4837fdb331f823ca474f521248b2cdb766528f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-30T07:41:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54cb35c3-2828-425d-a232-05f5950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-30T07:41:55.000Z",
|
||
|
"modified": "2015-01-30T07:41:55.000Z",
|
||
|
"pattern": "[file:hashes.SHA1 = 'f522e0893ec97438c6184e13adc48219f08b67d8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-30T07:41:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54cb35d5-6090-4c3e-8660-c32e950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-30T07:42:13.000Z",
|
||
|
"modified": "2015-01-30T07:42:13.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.53.169.79']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-30T07:42:13Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54cb35eb-a9f0-4877-8ad1-4b9d950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-30T07:42:35.000Z",
|
||
|
"modified": "2015-01-30T07:42:35.000Z",
|
||
|
"pattern": "[file:name = '\\\\%appdata\\\\%\\\\Microsoft\\\\svchost.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-30T07:42:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54cb35eb-bcb8-4b6a-8d62-49d9950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-30T07:42:35.000Z",
|
||
|
"modified": "2015-01-30T07:42:35.000Z",
|
||
|
"pattern": "[file:name = '\\\\%appdata\\\\%\\\\Microsoft\\\\f0xyupdate.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-30T07:42:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54cb360e-7f00-4311-aed4-4505950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-30T07:43:10.000Z",
|
||
|
"modified": "2015-01-30T07:43:10.000Z",
|
||
|
"pattern": "[windows-registry-key:key = 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\f0xy']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-30T07:43:10Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"regkey\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54cb361c-7c88-4d35-b0e0-cf08950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-30T07:43:24.000Z",
|
||
|
"modified": "2015-01-30T07:43:24.000Z",
|
||
|
"pattern": "[rule ws_f0xy_downloader {\r\n\r\n meta:\r\n\r\n description = \"f0xy malware downloader\"\r\n author = \"Nick Griffin (Websense)\"\r\n\r\n strings:\r\n\r\n $mz=\"MZ\"\r\n $string1=\"bitsadmin /transfer\"\r\n $string2=\"del rm.bat\"\r\n $string3=\"av_list=\"\r\n\r\n condition:\r\n\r\n ($mz at 0) and (all of ($string*))\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2015-01-30T07:43:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--54cb3641-6244-4691-98b0-8154950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-30T07:44:01.000Z",
|
||
|
"modified": "2015-01-30T07:44:01.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "Data entered by David Andr\u00e9"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56c64ee5-9114-4be4-b1e4-4ebc950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2016-02-18T23:08:21.000Z",
|
||
|
"modified": "2016-02-18T23:08:21.000Z",
|
||
|
"description": "Automatically added (via 080c61c9172cd49f6e4e7ef27285ccaaf6d5f0ac)",
|
||
|
"pattern": "[file:hashes.MD5 = 'f2eccbc5d545221c0d0906a5808f90c6']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-02-18T23:08:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56c64ee7-05e8-4d4d-814e-59a0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2016-02-18T23:08:23.000Z",
|
||
|
"modified": "2016-02-18T23:08:23.000Z",
|
||
|
"description": "Automatically added (via c25da337ec5ac041312b062e7fb697e4f01ca8d9)",
|
||
|
"pattern": "[file:hashes.MD5 = 'd46d7edd10bbb3c2d2158606e329ea6d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-02-18T23:08:23Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56c64ee9-1378-4314-852a-c654950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2016-02-18T23:08:25.000Z",
|
||
|
"modified": "2016-02-18T23:08:25.000Z",
|
||
|
"description": "Automatically added (via 7de3ed8f751a528fde1688d35c6eb5533b09ae11)",
|
||
|
"pattern": "[file:hashes.MD5 = 'f6ae08aba0a188963e8c299db6a14c0e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-02-18T23:08:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56c64eeb-a314-4f12-b561-4c62950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2016-02-18T23:08:27.000Z",
|
||
|
"modified": "2016-02-18T23:08:27.000Z",
|
||
|
"description": "Automatically added (via 812e453c22e1a9f70b605cd27d3f642c3778d96d)",
|
||
|
"pattern": "[file:hashes.MD5 = 'dc645cf749611aca49a4e3e6a7c0eb49']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-02-18T23:08:27Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56c64eec-6798-4b97-a239-5f51950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2016-02-18T23:08:28.000Z",
|
||
|
"modified": "2016-02-18T23:08:28.000Z",
|
||
|
"description": "Automatically added (via 55c9d015b1f8d68e6b5ce150f2dbab2b621dac1c)",
|
||
|
"pattern": "[file:hashes.MD5 = 'dc4345fe0a312b8b035daa9711b099a7']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-02-18T23:08:28Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56c64ef0-65e4-42d1-bcd9-599c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2016-02-18T23:08:32.000Z",
|
||
|
"modified": "2016-02-18T23:08:32.000Z",
|
||
|
"description": "Automatically added (via f522e0893ec97438c6184e13adc48219f08b67d8)",
|
||
|
"pattern": "[file:hashes.MD5 = '160634d784c256d29563117554685c31']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-02-18T23:08:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56c64ee6-e9f0-4c93-81f4-599e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2016-02-18T23:08:22.000Z",
|
||
|
"modified": "2016-02-18T23:08:22.000Z",
|
||
|
"description": "Automatically added (via 080c61c9172cd49f6e4e7ef27285ccaaf6d5f0ac)",
|
||
|
"pattern": "[file:hashes.SHA256 = '0c4196bd5f2dea9ded5da5b23f081a713f6452e9a64f9e3898854a6c9d81e412']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-02-18T23:08:22Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56c64ee7-9ad4-4c88-a202-4028950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2016-02-18T23:08:23.000Z",
|
||
|
"modified": "2016-02-18T23:08:23.000Z",
|
||
|
"description": "Automatically added (via c25da337ec5ac041312b062e7fb697e4f01ca8d9)",
|
||
|
"pattern": "[file:hashes.SHA256 = '21ed2d1ed704979292ccab5512244423b522fda486ef52fd73b6f851321affb9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-02-18T23:08:23Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56c64ee9-fd34-418d-979b-5ca1950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2016-02-18T23:08:25.000Z",
|
||
|
"modified": "2016-02-18T23:08:25.000Z",
|
||
|
"description": "Automatically added (via 7de3ed8f751a528fde1688d35c6eb5533b09ae11)",
|
||
|
"pattern": "[file:hashes.SHA256 = '2e832777a77f5cc7cfa05183253440484c614733547a4ea0f2f75cfafc165e39']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-02-18T23:08:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56c64eeb-e2fc-420e-afe8-59a0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2016-02-18T23:08:27.000Z",
|
||
|
"modified": "2016-02-18T23:08:27.000Z",
|
||
|
"description": "Automatically added (via 812e453c22e1a9f70b605cd27d3f642c3778d96d)",
|
||
|
"pattern": "[file:hashes.SHA256 = '4d235e31ee278255918157b999fb5987a0cac95cf3ca231950a7adfe49ffc4d7']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-02-18T23:08:27Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56c64eee-d864-4b3c-8999-59a4950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2016-02-18T23:08:30.000Z",
|
||
|
"modified": "2016-02-18T23:08:30.000Z",
|
||
|
"description": "Automatically added (via 55c9d015b1f8d68e6b5ce150f2dbab2b621dac1c)",
|
||
|
"pattern": "[file:hashes.SHA256 = '8b62000e09a00755eb9e08523e07b9aef292c96a423d28c863bd018ebba3636d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-02-18T23:08:30Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--56c64ef1-a8d8-4d2a-a63f-47c0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2016-02-18T23:08:33.000Z",
|
||
|
"modified": "2016-02-18T23:08:33.000Z",
|
||
|
"description": "Automatically added (via f522e0893ec97438c6184e13adc48219f08b67d8)",
|
||
|
"pattern": "[file:hashes.SHA256 = 'c85940369a8028803460baf600203c435179611769a9850a2aef7fb45d2c86d7']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-02-18T23:08:33Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:GREEN",
|
||
|
"definition": {
|
||
|
"tlp": "green"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}