|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--589d81ee-0348-49fe-9b88-4c48950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--589d81ee-0348-49fe-9b88-4c48950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"name": "OSINT - Shell Crew Variants Continue to Fly Under Big AV\u2019s Radar",
|
||
|
"published": "2017-02-10T10:16:37Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--589d8270-df64-437d-a96b-4a0f950d210f",
|
||
|
"url--589d8270-df64-437d-a96b-4a0f950d210f",
|
||
|
"x-misp-attribute--589d86ac-67f0-4796-aba9-4374950d210f",
|
||
|
"indicator--589d86bd-00f4-40c6-8b96-4915950d210f",
|
||
|
"x-misp-attribute--589d86d7-b4fc-449e-8674-4d5b950d210f",
|
||
|
"indicator--589d8703-4ea8-433e-8b1d-49fb950d210f",
|
||
|
"indicator--589d8704-3678-4703-92ac-4e8b950d210f",
|
||
|
"indicator--589d8705-2278-44a2-b75e-47de950d210f",
|
||
|
"indicator--589d8706-92cc-497b-8fe8-4246950d210f",
|
||
|
"indicator--589d8707-3718-4a8b-bbb4-4533950d210f",
|
||
|
"indicator--589d8707-c7c8-4d54-9a66-49dd950d210f",
|
||
|
"indicator--589d8708-9e60-47d3-8bab-4755950d210f",
|
||
|
"indicator--589d8709-899c-4e25-bb54-4054950d210f",
|
||
|
"indicator--589d870a-a47c-45df-8fdf-44eb950d210f",
|
||
|
"indicator--589d870a-b2d4-404a-a4f7-4c87950d210f",
|
||
|
"indicator--589d870b-f57c-4f02-89f3-4285950d210f",
|
||
|
"indicator--589d870c-448c-4285-9b90-44de950d210f",
|
||
|
"indicator--589d870d-edd4-4448-9713-469a950d210f",
|
||
|
"indicator--589d870e-7348-487b-9ec7-4804950d210f",
|
||
|
"indicator--589d870e-537c-4ef8-a62f-4b49950d210f",
|
||
|
"indicator--589d870f-33e8-4aee-83da-4dc5950d210f",
|
||
|
"indicator--589d8710-09f0-4852-915e-49a6950d210f",
|
||
|
"indicator--589d8711-4104-4dc5-ace6-439a950d210f",
|
||
|
"indicator--589d8711-af10-4cd4-98e0-4802950d210f",
|
||
|
"indicator--589d8712-f348-47da-908c-4bda950d210f",
|
||
|
"indicator--589d8713-b7b0-4ebd-9b02-4b75950d210f",
|
||
|
"indicator--589d8714-fbf8-410c-b62c-46ae950d210f",
|
||
|
"indicator--589d8714-d52c-4596-9e73-49c4950d210f",
|
||
|
"indicator--589d8715-f9c4-4e52-afc6-4df0950d210f",
|
||
|
"indicator--589d8964-a938-4ae4-ae7d-43fa950d210f",
|
||
|
"indicator--589d8965-7a60-40da-8273-4b6f950d210f",
|
||
|
"indicator--589d8966-7b64-47a9-a3ae-46d8950d210f",
|
||
|
"indicator--589d8967-754c-4e88-8795-4c42950d210f",
|
||
|
"indicator--589d89a8-9348-45fb-8317-4879950d210f",
|
||
|
"indicator--589d89a9-ccc0-498f-9c25-4de5950d210f",
|
||
|
"indicator--589d89aa-cb58-49e4-bf9b-49a2950d210f",
|
||
|
"indicator--589d89ab-bae0-46b0-a117-49a0950d210f",
|
||
|
"indicator--589d89ab-e468-4846-8f9a-45b7950d210f",
|
||
|
"indicator--589d89ac-77d8-4110-8bc1-4442950d210f",
|
||
|
"indicator--589d89ad-e734-4e07-8ef2-4fdb950d210f",
|
||
|
"indicator--589d89ae-d4d8-4cdd-836f-4229950d210f",
|
||
|
"indicator--589d89af-8a24-4dd7-8773-445d950d210f",
|
||
|
"indicator--589d89af-9534-4e81-b70f-47f1950d210f",
|
||
|
"indicator--589d89b0-7b60-49d8-b49a-4254950d210f",
|
||
|
"indicator--589d89b1-7f9c-4e5a-8713-4fc1950d210f",
|
||
|
"indicator--589d89b2-4c60-4592-a144-4be4950d210f",
|
||
|
"indicator--589d89b3-43bc-4638-9730-484b950d210f",
|
||
|
"indicator--589d89b4-91fc-48b1-953e-4ccf950d210f",
|
||
|
"indicator--589d89b4-a2a0-4ece-b121-45bb950d210f",
|
||
|
"indicator--589d89b5-910c-447e-9339-48b9950d210f",
|
||
|
"indicator--589d89b6-3be0-472e-91cd-416e950d210f",
|
||
|
"indicator--589d89b7-7e60-49ff-8e47-460b950d210f",
|
||
|
"indicator--589d89b7-c2a4-48cb-bc62-4ca6950d210f",
|
||
|
"indicator--589d89b8-e5cc-42c4-bec9-4366950d210f",
|
||
|
"indicator--589d89b9-193c-46e5-b72b-47a5950d210f",
|
||
|
"indicator--589d89ba-2ccc-4775-9024-4da9950d210f",
|
||
|
"indicator--589d89bb-f894-4bc8-8f15-41a0950d210f",
|
||
|
"indicator--589d89bb-6a88-4d66-80fa-4deb950d210f",
|
||
|
"indicator--589d89bc-de04-474a-ae40-4700950d210f",
|
||
|
"indicator--589d89bd-6750-4fa5-8ded-442e950d210f",
|
||
|
"indicator--589d89e2-edb8-4599-a03c-4ddd950d210f",
|
||
|
"indicator--589d89f8-9c18-490e-b950-4977950d210f",
|
||
|
"indicator--589d89f9-c3e4-4bc4-91fc-40b0950d210f",
|
||
|
"indicator--589d89fa-35a4-4e9c-9dce-44c5950d210f",
|
||
|
"indicator--589d89fa-f570-44da-a363-47ad950d210f",
|
||
|
"indicator--589d8a10-aaa0-42bf-b16a-4009950d210f",
|
||
|
"indicator--589d8a10-bbcc-4873-8bb8-4634950d210f",
|
||
|
"indicator--589d8a11-85a8-454b-b8fa-46ae950d210f",
|
||
|
"indicator--589d8a12-7b88-45a4-b271-4b7c950d210f",
|
||
|
"indicator--589d8a20-96d0-4c91-9e81-46a7950d210f",
|
||
|
"indicator--589d8a20-8fc8-4890-bd57-429d950d210f",
|
||
|
"indicator--589d8a21-7f64-4a0c-bb61-4473950d210f",
|
||
|
"indicator--589d8a22-b05c-4677-b565-43c3950d210f",
|
||
|
"indicator--589d8a23-9b98-4fc3-98b6-4301950d210f",
|
||
|
"indicator--589d8a23-4a78-46e3-b28c-4048950d210f",
|
||
|
"indicator--589d8a24-2d74-4478-93fc-43ac950d210f",
|
||
|
"indicator--589d8a25-23d4-45ca-9763-48c1950d210f",
|
||
|
"indicator--589d8a26-a1ec-49a6-a80e-400c950d210f",
|
||
|
"indicator--589d8b3d-db10-4dac-a7f6-42a902de0b81",
|
||
|
"indicator--589d8b3e-1238-4f08-9dc0-41aa02de0b81",
|
||
|
"observed-data--589d8b3f-3914-4d79-9d9b-45de02de0b81",
|
||
|
"url--589d8b3f-3914-4d79-9d9b-45de02de0b81",
|
||
|
"indicator--589d8b40-3644-4bcf-b7b7-49ac02de0b81",
|
||
|
"indicator--589d8b41-6428-4bb7-804b-4a6502de0b81",
|
||
|
"observed-data--589d8b41-9a64-49fe-9f06-4efe02de0b81",
|
||
|
"url--589d8b41-9a64-49fe-9f06-4efe02de0b81",
|
||
|
"indicator--589d8b42-b504-49ac-bd74-4e8a02de0b81",
|
||
|
"indicator--589d8b43-ad84-401e-819d-4df202de0b81",
|
||
|
"observed-data--589d8b44-8020-41fb-820a-42d102de0b81",
|
||
|
"url--589d8b44-8020-41fb-820a-42d102de0b81",
|
||
|
"indicator--589d8b44-4448-421d-90ec-447602de0b81",
|
||
|
"indicator--589d8b45-bccc-4673-9880-4fd402de0b81",
|
||
|
"observed-data--589d8b46-3424-4971-ad66-4e5102de0b81",
|
||
|
"url--589d8b46-3424-4971-ad66-4e5102de0b81",
|
||
|
"indicator--589d8b47-c244-412d-9885-48d102de0b81",
|
||
|
"indicator--589d8b47-8e80-42c6-a364-417102de0b81",
|
||
|
"observed-data--589d8b48-53d4-4dc6-830a-4cd902de0b81",
|
||
|
"url--589d8b48-53d4-4dc6-830a-4cd902de0b81",
|
||
|
"indicator--589d8b49-5230-4a3b-83f5-44fb02de0b81",
|
||
|
"indicator--589d8b4a-a9d8-4b0d-9e6a-494d02de0b81",
|
||
|
"observed-data--589d8b4b-2d64-4d52-9c30-43ef02de0b81",
|
||
|
"url--589d8b4b-2d64-4d52-9c30-43ef02de0b81",
|
||
|
"indicator--589d8b4b-941c-4ed4-a8c9-400402de0b81",
|
||
|
"indicator--589d8b4c-a7f4-45d2-ac57-419f02de0b81",
|
||
|
"observed-data--589d8b4d-4724-4bcf-ba92-479302de0b81",
|
||
|
"url--589d8b4d-4724-4bcf-ba92-479302de0b81",
|
||
|
"indicator--589d8b4e-a898-4636-ade4-419d02de0b81",
|
||
|
"indicator--589d8b4f-b374-4554-bbdc-494f02de0b81",
|
||
|
"observed-data--589d8b4f-5a68-4ab7-b7f4-467502de0b81",
|
||
|
"url--589d8b4f-5a68-4ab7-b7f4-467502de0b81",
|
||
|
"indicator--589d8b50-5a10-418a-bb7a-46c802de0b81",
|
||
|
"indicator--589d8b51-2bc4-4db8-a700-413f02de0b81",
|
||
|
"observed-data--589d8b52-393c-44c6-b8f2-473f02de0b81",
|
||
|
"url--589d8b52-393c-44c6-b8f2-473f02de0b81",
|
||
|
"indicator--589d8b53-91f4-45fa-9a21-448602de0b81",
|
||
|
"indicator--589d8b53-fb78-4492-a9ce-48d802de0b81",
|
||
|
"observed-data--589d8b54-55c4-4995-a656-4c7802de0b81",
|
||
|
"url--589d8b54-55c4-4995-a656-4c7802de0b81",
|
||
|
"indicator--589d8b55-9bbc-4f13-a90a-4b5002de0b81",
|
||
|
"indicator--589d8b56-1054-4679-8be5-479f02de0b81",
|
||
|
"observed-data--589d8b57-0914-4e84-b00a-407a02de0b81",
|
||
|
"url--589d8b57-0914-4e84-b00a-407a02de0b81",
|
||
|
"indicator--589d8b58-43b0-42bd-b8aa-44bb02de0b81",
|
||
|
"indicator--589d8b58-b648-47b8-8408-4b3d02de0b81",
|
||
|
"observed-data--589d8b59-5294-4bdb-903e-490202de0b81",
|
||
|
"url--589d8b59-5294-4bdb-903e-490202de0b81",
|
||
|
"indicator--589d8b5a-b58c-4dfe-9032-47ab02de0b81",
|
||
|
"indicator--589d8b5b-2b24-46a4-a51d-471e02de0b81",
|
||
|
"observed-data--589d8b5c-a6c4-4504-b5c8-4af102de0b81",
|
||
|
"url--589d8b5c-a6c4-4504-b5c8-4af102de0b81",
|
||
|
"indicator--589d8b5d-3758-4ed0-b8de-4fc102de0b81",
|
||
|
"indicator--589d8b5e-7550-44a4-87ff-46cf02de0b81",
|
||
|
"observed-data--589d8b5e-f25c-4fd8-a7e8-49a802de0b81",
|
||
|
"url--589d8b5e-f25c-4fd8-a7e8-49a802de0b81",
|
||
|
"indicator--589d8b5f-6198-43fd-a10e-471802de0b81",
|
||
|
"indicator--589d8b60-f6c0-40d8-86e7-416802de0b81",
|
||
|
"observed-data--589d8b61-6660-4cd0-8a44-498702de0b81",
|
||
|
"url--589d8b61-6660-4cd0-8a44-498702de0b81",
|
||
|
"indicator--589d8b62-5368-404b-8f2b-484902de0b81",
|
||
|
"indicator--589d8b63-0af0-4e28-8645-465f02de0b81",
|
||
|
"observed-data--589d8b63-0a24-4980-a0fa-45b602de0b81",
|
||
|
"url--589d8b63-0a24-4980-a0fa-45b602de0b81",
|
||
|
"indicator--589d8b64-36f0-4f93-b645-419002de0b81",
|
||
|
"indicator--589d8b65-abf0-4ff7-8864-471d02de0b81",
|
||
|
"observed-data--589d8b66-1748-47d5-b68a-456202de0b81",
|
||
|
"url--589d8b66-1748-47d5-b68a-456202de0b81",
|
||
|
"observed-data--589d929e-5bac-4221-8d0d-4da402de0b81",
|
||
|
"url--589d929e-5bac-4221-8d0d-4da402de0b81",
|
||
|
"observed-data--589d92a0-9f28-4003-8495-47a402de0b81",
|
||
|
"url--589d92a0-9f28-4003-8495-47a402de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"misp-galaxy:threat-actor=\"Shell Crew\"",
|
||
|
"misp-galaxy:tool=\"StreamEx\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--589d8270-df64-437d-a96b-4a0f950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"first_observed": "2017-02-10T10:14:32Z",
|
||
|
"last_observed": "2017-02-10T10:14:32Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--589d8270-df64-437d-a96b-4a0f950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\"",
|
||
|
"admiralty-scale:source-reliability=\"b\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--589d8270-df64-437d-a96b-4a0f950d210f",
|
||
|
"value": "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--589d86ac-67f0-4796-aba9-4374950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "Cylance SPEAR\u2122 has identified a newer family of samples deployed by Shell Crew that has flown under AV\u2019s radar for more than a year and a half. Simple programmatic techniques continue to be effective in evading signature-based detection. \r\n\r\nShell Crew, first named by RSA in this paper, has been incredibly proficient over time and breached numerous high-value targets. The backdoor provided an alternative foothold in several observed instances for the group and employed a few tricks like using the Intel SSE extended instruction set to avoid emulation and obscure analysis. \r\n\r\nMost of the variants Cylance identified were 64-bit; however, a couple of earlier 32-bit variants were created in May 2015."
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d86bd-00f4-40c6-8b96-4915950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[rule StreamEx\r\n{\r\nstrings:\r\n$a = \"0r+8DQY97XGB5iZ4Vf3KsEt61HLoTOuIqJPp2AlncRCgSxUWyebhMdmzvFjNwka=\"\r\n$b = {34 ?? 88 04 11 48 63 C3 48 FF C1 48 3D D8 03 00 00}\r\n$bb = {81 86 ?? ?? 00 10 34 ?? 88 86 ?? ?? 00 10 46 81 FE D8 03 00 00}\r\n$c = \"greendll\"\r\n$d = \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36\" wide\r\n$f = {26 5E 25 24 23 91 91 91 91}\r\n$g = \"D:\\\\pdb\\\\ht_d6.pdb\" \r\n\r\ncondition:\r\n$a or $b or $bb or ($c and $d) or $f or $g\r\n} 116_Shell-Crew-Malware_f_SML]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--589d86d7-b4fc-449e-8674-4d5b950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"pdb\"",
|
||
|
"misp:category=\"Artifacts dropped\""
|
||
|
],
|
||
|
"x_misp_category": "Artifacts dropped",
|
||
|
"x_misp_type": "pdb",
|
||
|
"x_misp_value": "D:\\pdb\\ht_d6.pdb"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8703-4ea8-433e-8b1d-49fb950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.214.143.44']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8704-3678-4703-92ac-4e8b950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.148.71.127']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8705-2278-44a2-b75e-47de950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '106.185.52.7']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8706-92cc-497b-8fe8-4246950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '107.151.218.149']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8707-3718-4a8b-bbb4-4533950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '107.161.80.22']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8707-c7c8-4d54-9a66-49dd950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.193.153.5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8708-9e60-47d3-8bab-4755950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '119.57.196.30']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8709-899c-4e25-bb54-4054950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '122.10.9.154']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d870a-a47c-45df-8fdf-44eb950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '158.69.34.129']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d870a-b2d4-404a-a4f7-4c87950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '167.160.16.242']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d870b-f57c-4f02-89f3-4285950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '173.231.49.141']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d870c-448c-4285-9b90-44de950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.139.57.26']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d870d-edd4-4448-9713-469a950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.139.57.27']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d870e-7348-487b-9ec7-4804950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.139.57.30']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d870e-537c-4ef8-a62f-4b49950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '211.58.38.100']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d870f-33e8-4aee-83da-4dc5950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '220.73.222.120']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8710-09f0-4852-915e-49a6950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '220.73.222.86']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8711-4104-4dc5-ace6-439a950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '221.139.50.134']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8711-af10-4cd4-98e0-4802950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '31.210.102.210']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8712-f348-47da-908c-4bda950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '43.249.81.209']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8713-b7b0-4ebd-9b02-4b75950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '43.249.81.210']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8714-fbf8-410c-b62c-46ae950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '50.115.138.215']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8714-d52c-4596-9e73-49c4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '88.208.228.56']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8715-f9c4-4e52-afc6-4df0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '92.242.144.2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8964-a938-4ae4-ae7d-43fa950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'seo777.f3322.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8965-7a60-40da-8273-4b6f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'sexy.f3322.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8966-7b64-47a9-a3ae-46d8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'allmnz.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8967-754c-4e88-8795-4c42950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'incsteelkor.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89a8-9348-45fb-8317-4879950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'backup.microsoftappstore.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89a9-ccc0-498f-9c25-4de5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'dataserver.cmonkey3.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89aa-cb58-49e4-bf9b-49a2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'google-helps.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89ab-bae0-46b0-a117-49a0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'kpupdate.amz80.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89ab-e468-4846-8f9a-45b7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'mail-help.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89ac-77d8-4110-8bc1-4442950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'mail-issue.top']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89ad-e734-4e07-8ef2-4fdb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'microsoftupdating.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89ae-d4d8-4cdd-836f-4229950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'microsoftwww.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89af-8a24-4dd7-8773-445d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'ns1.ccccc.work']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89af-9534-4e81-b70f-47f1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'ns1.superman0x58.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89b0-7b60-49d8-b49a-4254950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'ns1.xssr.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89b1-7f9c-4e5a-8713-4fc1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'ns2.ccccc.work']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89b2-4c60-4592-a144-4be4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'ns2.superman0x58.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89b3-43bc-4638-9730-484b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'ns2.xssr.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89b4-91fc-48b1-953e-4ccf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'qr1.3jd90dsj3df.website']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89b4-a2a0-4ece-b121-45bb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'r4.microsoftupdating.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89b5-910c-447e-9339-48b9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'rouji.xssr.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89b6-3be0-472e-91cd-416e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 't2z0n9.microsoftappstore.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89b7-7e60-49ff-8e47-460b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'temp.mail-issue.top']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89b7-c2a4-48cb-bc62-4ca6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'time-service.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89b8-e5cc-42c4-bec9-4366950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'update.microsoftwww.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89b9-193c-46e5-b72b-47a5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'updatecz.mykorean.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89ba-2ccc-4775-9024-4da9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'uriupdate.newsbs.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89bb-f894-4bc8-8f15-41a0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'wwgooglewww.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89bb-6a88-4d66-80fa-4deb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'www.microsoftwww.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89bc-de04-474a-ae40-4700950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'wwwgooglewww.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89bd-6750-4fa5-8ded-442e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"pattern": "[domain-name:value = 'zy.xssr.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89e2-edb8-4599-a03c-4ddd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "Compromised website",
"pattern": "[domain-name:value = 'www.aceactor.co.kr']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89f8-9c18-490e-b950-4977950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx Droppers",
"pattern": "[file:hashes.SHA256 = '0f1623511432bac0d8f2a87169952df0b341d90ea1e4218a851b8cdb2b691e2d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"malware_classification:payload-classification=\"dropper\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89f9-c3e4-4bc4-91fc-40b0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx Droppers",
"pattern": "[file:hashes.SHA256 = '60599a679efb167cc43746e5d58bb8f74b6fe57cb028950fde79bd9fd0e6b48b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"malware_classification:payload-classification=\"dropper\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89fa-35a4-4e9c-9dce-44c5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx Droppers",
"pattern": "[file:hashes.SHA256 = '6c80e57f4957d17c80c0fc5e5809e72ac157a70339163579b7e2f3c0d631dd6b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"malware_classification:payload-classification=\"dropper\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d89fa-f570-44da-a363-47ad950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx Droppers",
"pattern": "[file:hashes.SHA256 = '8171f3ca246c56d85bdac23ab09ffdaea09410165bf32ed72ef279d2ddaf745b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"malware_classification:payload-classification=\"dropper\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8a10-aaa0-42bf-b16a-4009950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx 32-bit Backdoors",
"pattern": "[file:hashes.SHA256 = '369dc64903c52f052ebe547511977f5d677614855da31c416fe13d8eb8ed1015']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8a10-bbcc-4873-8bb8-4634950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx 32-bit Backdoors",
"pattern": "[file:hashes.SHA256 = '8269c8183fb5e50acf08dea65d8a3d99f406f7febd61dc361622f21b58570396']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8a11-85a8-454b-b8fa-46ae950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"description": "StreamEx 32-bit Backdoors",
|
||
|
"pattern": "[file:hashes.SHA256 = 'bfe4da21398a2ac19b04174a7754acc1c2d1725dac7e0651544ff46df9f9005d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8a12-7b88-45a4-b271-4b7c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx 32-bit Backdoors",
"pattern": "[file:hashes.SHA256 = 'fd0c9c28781de60ed70f32b9e138ab7d95201a5f08a4bc0230b24493597022d7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8a20-96d0-4c91-9e81-46a7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx 64-Bit Backdoors",
"pattern": "[file:hashes.SHA256 = '04f69ebca26ee0ab2fc896f803102fdbb0700726074048755c55c891a9243423']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8a20-8fc8-4890-bd57-429d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx 64-Bit Backdoors",
"pattern": "[file:hashes.SHA256 = '37a2ede8de56fe85b4baf4220046dd2923d66ea7d906a5c009751f9f630aec0b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8a21-7f64-4a0c-bb61-4473950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx 64-Bit Backdoors",
"pattern": "[file:hashes.SHA256 = '434df165b56c70ff5479ebd3f8d65c1585076c16a19e20bdee750c9f0119e836']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8a22-b05c-4677-b565-43c3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx 64-Bit Backdoors",
"pattern": "[file:hashes.SHA256 = '50712f13f0ed2cabc264ec62581857468b2670e3a4226d76369c9367648b9ff0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8a23-9b98-4fc3-98b6-4301950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx 64-Bit Backdoors",
"pattern": "[file:hashes.SHA256 = '5747de930d6f2dd456765aada5f31b4c2149388625399ae8d0c025cc8509880b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8a23-4a78-46e3-b28c-4048950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx 64-Bit Backdoors",
"pattern": "[file:hashes.SHA256 = '82a7f8c488cf287908f8f80b458bf19410f16ee0df0d8f2eb9f923efc3e0a2fa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8a24-2d74-4478-93fc-43ac950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx 64-Bit Backdoors",
"pattern": "[file:hashes.SHA256 = 'a20d81fcbdcfe6183eaaba489219c44942da3e5fc86ce383568b63b22e6981dc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8a25-23d4-45ca-9763-48c1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx 64-Bit Backdoors",
"pattern": "[file:hashes.SHA256 = 'd26f914eb9f58f9efeba3ae5362cf605a371f881183da201a8528f9c9b65b5ad']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8a26-a1ec-49a6-a80e-400c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx 64-Bit Backdoors",
"pattern": "[file:hashes.SHA256 = 'e5590c6eca821160d02c75025bf9ee30de418269471ae21bff422933fbb46720']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8b3d-db10-4dac-a7f6-42a902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx Droppers - Xchecked via VT: 0f1623511432bac0d8f2a87169952df0b341d90ea1e4218a851b8cdb2b691e2d",
"pattern": "[file:hashes.SHA1 = '5d9e9616ca8a8034258655758eb19f8930f8fbfe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"malware_classification:payload-classification=\"dropper\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8b3e-1238-4f08-9dc0-41aa02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx Droppers - Xchecked via VT: 0f1623511432bac0d8f2a87169952df0b341d90ea1e4218a851b8cdb2b691e2d",
"pattern": "[file:hashes.MD5 = '6081723ac9d35de3a6eb9b8fcd474bae']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"malware_classification:payload-classification=\"dropper\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--589d8b3f-3914-4d79-9d9b-45de02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"first_observed": "2017-02-10T10:14:32Z",
"last_observed": "2017-02-10T10:14:32Z",
"number_observed": 1,
"object_refs": [
"url--589d8b3f-3914-4d79-9d9b-45de02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"Payload delivery\"",
"malware_classification:payload-classification=\"dropper\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--589d8b3f-3914-4d79-9d9b-45de02de0b81",
"value": "https://www.virustotal.com/file/0f1623511432bac0d8f2a87169952df0b341d90ea1e4218a851b8cdb2b691e2d/analysis/1465809113/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8b40-3644-4bcf-b7b7-49ac02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx Droppers - Xchecked via VT: 60599a679efb167cc43746e5d58bb8f74b6fe57cb028950fde79bd9fd0e6b48b",
"pattern": "[file:hashes.SHA1 = '91c62ae0edb2edf9237d68f1a85acee211e9f1ca']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"malware_classification:payload-classification=\"dropper\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8b41-6428-4bb7-804b-4a6502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx Droppers - Xchecked via VT: 60599a679efb167cc43746e5d58bb8f74b6fe57cb028950fde79bd9fd0e6b48b",
"pattern": "[file:hashes.MD5 = '956a719b0812990b12b648cb03868a67']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"malware_classification:payload-classification=\"dropper\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--589d8b41-9a64-49fe-9f06-4efe02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"first_observed": "2017-02-10T10:14:32Z",
"last_observed": "2017-02-10T10:14:32Z",
"number_observed": 1,
"object_refs": [
"url--589d8b41-9a64-49fe-9f06-4efe02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"Payload delivery\"",
"malware_classification:payload-classification=\"dropper\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--589d8b41-9a64-49fe-9f06-4efe02de0b81",
"value": "https://www.virustotal.com/file/60599a679efb167cc43746e5d58bb8f74b6fe57cb028950fde79bd9fd0e6b48b/analysis/1482127685/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8b42-b504-49ac-bd74-4e8a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx Droppers - Xchecked via VT: 6c80e57f4957d17c80c0fc5e5809e72ac157a70339163579b7e2f3c0d631dd6b",
"pattern": "[file:hashes.SHA1 = '1ef6150a2a20667ca3d790b0f2772c495f340902']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"malware_classification:payload-classification=\"dropper\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8b43-ad84-401e-819d-4df202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx Droppers - Xchecked via VT: 6c80e57f4957d17c80c0fc5e5809e72ac157a70339163579b7e2f3c0d631dd6b",
"pattern": "[file:hashes.MD5 = '01f5afdac12d5265ac73372496440312']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"malware_classification:payload-classification=\"dropper\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--589d8b44-8020-41fb-820a-42d102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"first_observed": "2017-02-10T10:14:32Z",
"last_observed": "2017-02-10T10:14:32Z",
"number_observed": 1,
"object_refs": [
"url--589d8b44-8020-41fb-820a-42d102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"Payload delivery\"",
"malware_classification:payload-classification=\"dropper\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--589d8b44-8020-41fb-820a-42d102de0b81",
"value": "https://www.virustotal.com/file/6c80e57f4957d17c80c0fc5e5809e72ac157a70339163579b7e2f3c0d631dd6b/analysis/1486667967/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8b44-4448-421d-90ec-447602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx Droppers - Xchecked via VT: 8171f3ca246c56d85bdac23ab09ffdaea09410165bf32ed72ef279d2ddaf745b",
"pattern": "[file:hashes.SHA1 = 'efada2e9ad08a37c250a7595099fc95d3483982a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"malware_classification:payload-classification=\"dropper\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8b45-bccc-4673-9880-4fd402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx Droppers - Xchecked via VT: 8171f3ca246c56d85bdac23ab09ffdaea09410165bf32ed72ef279d2ddaf745b",
"pattern": "[file:hashes.MD5 = '0c15030995abd0fb361c0c4f31f8ff3b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"malware_classification:payload-classification=\"dropper\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--589d8b46-3424-4971-ad66-4e5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"first_observed": "2017-02-10T10:14:32Z",
"last_observed": "2017-02-10T10:14:32Z",
"number_observed": 1,
"object_refs": [
"url--589d8b46-3424-4971-ad66-4e5102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"Payload delivery\"",
"malware_classification:payload-classification=\"dropper\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--589d8b46-3424-4971-ad66-4e5102de0b81",
"value": "https://www.virustotal.com/file/8171f3ca246c56d85bdac23ab09ffdaea09410165bf32ed72ef279d2ddaf745b/analysis/1459968445/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8b47-c244-412d-9885-48d102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx 32-bit Backdoors - Xchecked via VT: 369dc64903c52f052ebe547511977f5d677614855da31c416fe13d8eb8ed1015",
"pattern": "[file:hashes.SHA1 = '26f2fdfef16407781fbec0ba09f6347f0aacde43']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8b47-8e80-42c6-a364-417102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx 32-bit Backdoors - Xchecked via VT: 369dc64903c52f052ebe547511977f5d677614855da31c416fe13d8eb8ed1015",
"pattern": "[file:hashes.MD5 = 'a7ea075b7b3ae7a795df520db52242db']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--589d8b48-53d4-4dc6-830a-4cd902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"first_observed": "2017-02-10T10:14:32Z",
"last_observed": "2017-02-10T10:14:32Z",
"number_observed": 1,
"object_refs": [
"url--589d8b48-53d4-4dc6-830a-4cd902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"Payload delivery\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--589d8b48-53d4-4dc6-830a-4cd902de0b81",
"value": "https://www.virustotal.com/file/369dc64903c52f052ebe547511977f5d677614855da31c416fe13d8eb8ed1015/analysis/1476869912/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8b49-5230-4a3b-83f5-44fb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx 32-bit Backdoors - Xchecked via VT: 8269c8183fb5e50acf08dea65d8a3d99f406f7febd61dc361622f21b58570396",
"pattern": "[file:hashes.SHA1 = '0ff6213496d4b1859a5ae332368a3f0a1c508373']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8b4a-a9d8-4b0d-9e6a-494d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx 32-bit Backdoors - Xchecked via VT: 8269c8183fb5e50acf08dea65d8a3d99f406f7febd61dc361622f21b58570396",
"pattern": "[file:hashes.MD5 = 'c9732aab519274f6c0c5d7e0ecf909a7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--589d8b4b-2d64-4d52-9c30-43ef02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"first_observed": "2017-02-10T10:14:32Z",
"last_observed": "2017-02-10T10:14:32Z",
"number_observed": 1,
"object_refs": [
"url--589d8b4b-2d64-4d52-9c30-43ef02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"Payload delivery\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--589d8b4b-2d64-4d52-9c30-43ef02de0b81",
"value": "https://www.virustotal.com/file/8269c8183fb5e50acf08dea65d8a3d99f406f7febd61dc361622f21b58570396/analysis/1482732652/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8b4b-941c-4ed4-a8c9-400402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx 32-bit Backdoors - Xchecked via VT: bfe4da21398a2ac19b04174a7754acc1c2d1725dac7e0651544ff46df9f9005d",
"pattern": "[file:hashes.SHA1 = 'f99523c35acce33b3be591dff08e14ea585267c6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8b4c-a7f4-45d2-ac57-419f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx 32-bit Backdoors - Xchecked via VT: bfe4da21398a2ac19b04174a7754acc1c2d1725dac7e0651544ff46df9f9005d",
"pattern": "[file:hashes.MD5 = 'db5a5de95b1badcdbb518b77e947f2ab']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--589d8b4d-4724-4bcf-ba92-479302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"first_observed": "2017-02-10T10:14:32Z",
"last_observed": "2017-02-10T10:14:32Z",
"number_observed": 1,
"object_refs": [
"url--589d8b4d-4724-4bcf-ba92-479302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"Payload delivery\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--589d8b4d-4724-4bcf-ba92-479302de0b81",
"value": "https://www.virustotal.com/file/bfe4da21398a2ac19b04174a7754acc1c2d1725dac7e0651544ff46df9f9005d/analysis/1475875168/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8b4e-a898-4636-ade4-419d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx 32-bit Backdoors - Xchecked via VT: fd0c9c28781de60ed70f32b9e138ab7d95201a5f08a4bc0230b24493597022d7",
"pattern": "[file:hashes.SHA1 = '1d1d37b9a1c35f8e352abe33af5164e61fb61f29']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589d8b4f-b374-4554-bbdc-494f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"description": "StreamEx 32-bit Backdoors - Xchecked via VT: fd0c9c28781de60ed70f32b9e138ab7d95201a5f08a4bc0230b24493597022d7",
"pattern": "[file:hashes.MD5 = 'c0ad63a680fbdc75d54b270cbedb4739']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-10T10:14:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--589d8b4f-5a68-4ab7-b7f4-467502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-10T10:14:32.000Z",
"modified": "2017-02-10T10:14:32.000Z",
"first_observed": "2017-02-10T10:14:32Z",
"last_observed": "2017-02-10T10:14:32Z",
"number_observed": 1,
"object_refs": [
"url--589d8b4f-5a68-4ab7-b7f4-467502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"Payload delivery\"",
"ms-caro-malware:malware-type=\"Backdoor\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--589d8b4f-5a68-4ab7-b7f4-467502de0b81",
|
||
|
"value": "https://www.virustotal.com/file/fd0c9c28781de60ed70f32b9e138ab7d95201a5f08a4bc0230b24493597022d7/analysis/1475793989/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8b50-5a10-418a-bb7a-46c802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"description": "StreamEx 64-Bit Backdoors - Xchecked via VT: 04f69ebca26ee0ab2fc896f803102fdbb0700726074048755c55c891a9243423",
|
||
|
"pattern": "[file:hashes.SHA1 = 'e2a9b047b771987c2656afa16c4aadf01d042aa6']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8b51-2bc4-4db8-a700-413f02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"description": "StreamEx 64-Bit Backdoors - Xchecked via VT: 04f69ebca26ee0ab2fc896f803102fdbb0700726074048755c55c891a9243423",
|
||
|
"pattern": "[file:hashes.MD5 = 'eafe79709f6cb5e4334a549bb278f123']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--589d8b52-393c-44c6-b8f2-473f02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"first_observed": "2017-02-10T10:14:32Z",
|
||
|
"last_observed": "2017-02-10T10:14:32Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--589d8b52-393c-44c6-b8f2-473f02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--589d8b52-393c-44c6-b8f2-473f02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/04f69ebca26ee0ab2fc896f803102fdbb0700726074048755c55c891a9243423/analysis/1486664916/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8b53-91f4-45fa-9a21-448602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"description": "StreamEx 64-Bit Backdoors - Xchecked via VT: 37a2ede8de56fe85b4baf4220046dd2923d66ea7d906a5c009751f9f630aec0b",
|
||
|
"pattern": "[file:hashes.SHA1 = '7c67a29928cb62fca61c830e90a965dafef40cd0']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8b53-fb78-4492-a9ce-48d802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"description": "StreamEx 64-Bit Backdoors - Xchecked via VT: 37a2ede8de56fe85b4baf4220046dd2923d66ea7d906a5c009751f9f630aec0b",
|
||
|
"pattern": "[file:hashes.MD5 = 'f34276afaa1071f4c9610b451b5862b6']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--589d8b54-55c4-4995-a656-4c7802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"first_observed": "2017-02-10T10:14:32Z",
|
||
|
"last_observed": "2017-02-10T10:14:32Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--589d8b54-55c4-4995-a656-4c7802de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--589d8b54-55c4-4995-a656-4c7802de0b81",
|
||
|
"value": "https://www.virustotal.com/file/37a2ede8de56fe85b4baf4220046dd2923d66ea7d906a5c009751f9f630aec0b/analysis/1437552747/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8b55-9bbc-4f13-a90a-4b5002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"description": "StreamEx 64-Bit Backdoors - Xchecked via VT: 434df165b56c70ff5479ebd3f8d65c1585076c16a19e20bdee750c9f0119e836",
|
||
|
"pattern": "[file:hashes.SHA1 = '5994a7027f5753cf025d5ec1e9a2d6374f587795']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8b56-1054-4679-8be5-479f02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"description": "StreamEx 64-Bit Backdoors - Xchecked via VT: 434df165b56c70ff5479ebd3f8d65c1585076c16a19e20bdee750c9f0119e836",
|
||
|
"pattern": "[file:hashes.MD5 = '8f8f1819f8844157e80b9f3aba3f6bcf']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--589d8b57-0914-4e84-b00a-407a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"first_observed": "2017-02-10T10:14:32Z",
|
||
|
"last_observed": "2017-02-10T10:14:32Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--589d8b57-0914-4e84-b00a-407a02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--589d8b57-0914-4e84-b00a-407a02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/434df165b56c70ff5479ebd3f8d65c1585076c16a19e20bdee750c9f0119e836/analysis/1438116372/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8b58-43b0-42bd-b8aa-44bb02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"description": "StreamEx 64-Bit Backdoors - Xchecked via VT: 50712f13f0ed2cabc264ec62581857468b2670e3a4226d76369c9367648b9ff0",
|
||
|
"pattern": "[file:hashes.SHA1 = 'a29e65c644c827a8f0be61f8a5a58d6e2feeacf5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8b58-b648-47b8-8408-4b3d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"description": "StreamEx 64-Bit Backdoors - Xchecked via VT: 50712f13f0ed2cabc264ec62581857468b2670e3a4226d76369c9367648b9ff0",
|
||
|
"pattern": "[file:hashes.MD5 = 'e13a072c13c546179be752c4aca9efa6']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--589d8b59-5294-4bdb-903e-490202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"first_observed": "2017-02-10T10:14:32Z",
|
||
|
"last_observed": "2017-02-10T10:14:32Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--589d8b59-5294-4bdb-903e-490202de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--589d8b59-5294-4bdb-903e-490202de0b81",
|
||
|
"value": "https://www.virustotal.com/file/50712f13f0ed2cabc264ec62581857468b2670e3a4226d76369c9367648b9ff0/analysis/1485840922/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8b5a-b58c-4dfe-9032-47ab02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"description": "StreamEx 64-Bit Backdoors - Xchecked via VT: 5747de930d6f2dd456765aada5f31b4c2149388625399ae8d0c025cc8509880b",
|
||
|
"pattern": "[file:hashes.SHA1 = '21d9298202fc35dbf2861838a9bbf6709d5bdae8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8b5b-2b24-46a4-a51d-471e02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"description": "StreamEx 64-Bit Backdoors - Xchecked via VT: 5747de930d6f2dd456765aada5f31b4c2149388625399ae8d0c025cc8509880b",
|
||
|
"pattern": "[file:hashes.MD5 = 'c78d2b6c855db963dd01d4659f8ca8ea']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--589d8b5c-a6c4-4504-b5c8-4af102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"first_observed": "2017-02-10T10:14:32Z",
|
||
|
"last_observed": "2017-02-10T10:14:32Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--589d8b5c-a6c4-4504-b5c8-4af102de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--589d8b5c-a6c4-4504-b5c8-4af102de0b81",
|
||
|
"value": "https://www.virustotal.com/file/5747de930d6f2dd456765aada5f31b4c2149388625399ae8d0c025cc8509880b/analysis/1466392954/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8b5d-3758-4ed0-b8de-4fc102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"description": "StreamEx 64-Bit Backdoors - Xchecked via VT: 82a7f8c488cf287908f8f80b458bf19410f16ee0df0d8f2eb9f923efc3e0a2fa",
|
||
|
"pattern": "[file:hashes.SHA1 = '8bc0bfa58d13a3c5c043823439047f4bbf78211e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8b5e-7550-44a4-87ff-46cf02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"description": "StreamEx 64-Bit Backdoors - Xchecked via VT: 82a7f8c488cf287908f8f80b458bf19410f16ee0df0d8f2eb9f923efc3e0a2fa",
|
||
|
"pattern": "[file:hashes.MD5 = 'd95706b6a189358e7a748112cb644250']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--589d8b5e-f25c-4fd8-a7e8-49a802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"first_observed": "2017-02-10T10:14:32Z",
|
||
|
"last_observed": "2017-02-10T10:14:32Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--589d8b5e-f25c-4fd8-a7e8-49a802de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--589d8b5e-f25c-4fd8-a7e8-49a802de0b81",
|
||
|
"value": "https://www.virustotal.com/file/82a7f8c488cf287908f8f80b458bf19410f16ee0df0d8f2eb9f923efc3e0a2fa/analysis/1486719218/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8b5f-6198-43fd-a10e-471802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"description": "StreamEx 64-Bit Backdoors - Xchecked via VT: a20d81fcbdcfe6183eaaba489219c44942da3e5fc86ce383568b63b22e6981dc",
|
||
|
"pattern": "[file:hashes.SHA1 = '04e107941935f17c7fd51d493752732d813d4b0f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8b60-f6c0-40d8-86e7-416802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"description": "StreamEx 64-Bit Backdoors - Xchecked via VT: a20d81fcbdcfe6183eaaba489219c44942da3e5fc86ce383568b63b22e6981dc",
|
||
|
"pattern": "[file:hashes.MD5 = '7889a9a86d8b8145794e4b0e30d4d8ff']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--589d8b61-6660-4cd0-8a44-498702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"first_observed": "2017-02-10T10:14:32Z",
|
||
|
"last_observed": "2017-02-10T10:14:32Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--589d8b61-6660-4cd0-8a44-498702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--589d8b61-6660-4cd0-8a44-498702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/a20d81fcbdcfe6183eaaba489219c44942da3e5fc86ce383568b63b22e6981dc/analysis/1485788774/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8b62-5368-404b-8f2b-484902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"description": "StreamEx 64-Bit Backdoors - Xchecked via VT: d26f914eb9f58f9efeba3ae5362cf605a371f881183da201a8528f9c9b65b5ad",
|
||
|
"pattern": "[file:hashes.SHA1 = '87c11159c993c410b06a5be5c6748d6db0c54109']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8b63-0af0-4e28-8645-465f02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"description": "StreamEx 64-Bit Backdoors - Xchecked via VT: d26f914eb9f58f9efeba3ae5362cf605a371f881183da201a8528f9c9b65b5ad",
|
||
|
"pattern": "[file:hashes.MD5 = '4b32f28adc3675401ba548dcaed7058b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--589d8b63-0a24-4980-a0fa-45b602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"first_observed": "2017-02-10T10:14:32Z",
|
||
|
"last_observed": "2017-02-10T10:14:32Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--589d8b63-0a24-4980-a0fa-45b602de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--589d8b63-0a24-4980-a0fa-45b602de0b81",
|
||
|
"value": "https://www.virustotal.com/file/d26f914eb9f58f9efeba3ae5362cf605a371f881183da201a8528f9c9b65b5ad/analysis/1486716680/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8b64-36f0-4f93-b645-419002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"description": "StreamEx 64-Bit Backdoors - Xchecked via VT: e5590c6eca821160d02c75025bf9ee30de418269471ae21bff422933fbb46720",
|
||
|
"pattern": "[file:hashes.SHA1 = '17f668e899a3523bf88f633bbffcab0df63344be']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589d8b65-abf0-4ff7-8864-471d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"description": "StreamEx 64-Bit Backdoors - Xchecked via VT: e5590c6eca821160d02c75025bf9ee30de418269471ae21bff422933fbb46720",
|
||
|
"pattern": "[file:hashes.MD5 = '311d93ce6860777da29a46b83c1b06ec']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-10T10:14:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--589d8b66-1748-47d5-b68a-456202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:32.000Z",
|
||
|
"modified": "2017-02-10T10:14:32.000Z",
|
||
|
"first_observed": "2017-02-10T10:14:32Z",
|
||
|
"last_observed": "2017-02-10T10:14:32Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--589d8b66-1748-47d5-b68a-456202de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--589d8b66-1748-47d5-b68a-456202de0b81",
|
||
|
"value": "https://www.virustotal.com/file/e5590c6eca821160d02c75025bf9ee30de418269471ae21bff422933fbb46720/analysis/1475794860/"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--589d929e-5bac-4221-8d0d-4da402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:54.000Z",
|
||
|
"modified": "2017-02-10T10:14:54.000Z",
|
||
|
"first_observed": "2017-02-10T10:14:54Z",
|
||
|
"last_observed": "2017-02-10T10:14:54Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--589d929e-5bac-4221-8d0d-4da402de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--589d929e-5bac-4221-8d0d-4da402de0b81",
|
||
|
"value": "https://www.virustotal.com/file/5747de930d6f2dd456765aada5f31b4c2149388625399ae8d0c025cc8509880b/analysis/1486720042/"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--589d92a0-9f28-4003-8495-47a402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-10T10:14:56.000Z",
|
||
|
"modified": "2017-02-10T10:14:56.000Z",
|
||
|
"first_observed": "2017-02-10T10:14:56Z",
|
||
|
"last_observed": "2017-02-10T10:14:56Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--589d92a0-9f28-4003-8495-47a402de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"ms-caro-malware:malware-type=\"Backdoor\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--589d92a0-9f28-4003-8495-47a402de0b81",
|
||
|
"value": "https://www.virustotal.com/file/e5590c6eca821160d02c75025bf9ee30de418269471ae21bff422933fbb46720/analysis/1486721124/"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|